<div dir="ltr">Right. To recap that thought:<div><br></div><div>From RFC 5280's perspective, it's legal to have an empty subject in a leaf cert IF the subjectAltName is marked critical.</div><div><br></div><div>This comes from the following excerpts in <a href="http://4.1.2.6">4.1.2.6</a>:</div><div>" If the subject is a CA (e.g., the basic constraints extension, as</div><div> discussed in Section 4.2.1.9, is present and the value of cA is</div><div> TRUE), then the subject field MUST be populated with a non-empty</div><div> distinguished name matching the contents of the issuer field (Section</div><div> 4.1.2.4) in all certificates issued by the subject CA. "</div><div><br></div><div>(TL;DR: If the subject is a CA, the subject field MUST be non-empty)</div><div><br></div><div>"If the</div><div> subject is a CRL issuer (e.g., the key usage extension, as discussed</div><div> in Section 4.2.1.3, is present and the value of cRLSign is TRUE),</div><div><div> then the subject field MUST be populated with a non-empty</div><div> distinguished name matching the contents of the issuer field (Section</div><div> 5.1.2.3) in all CRLs issued by the subject CRL issuer."</div></div><div><br></div><div>(TL;DR: If the subject issues CRLs, the subject field must be non-empty)</div><div><br></div><div><div>"If subject</div><div> naming information is present only in the subjectAltName extension</div><div> (e.g., a key bound only to an email address or URI), then the subject</div><div> name MUST be an empty sequence and the subjectAltName extension MUST</div><div> be critical."</div></div><div><br></div><div>(TL;DR: If neither of the above two conditions are met, meaning it's a subscriber cert, then the subject CAN be empty, but only if the subjectAltName is marked critical)</div><div><br></div><div>As Peter mentioned, several popular clients either do not support or recently regressed support for this part of 5280, so you should not rely on it for the time being if expecting interoperability with those clients.</div><div><br></div><div>Notably missing from this, for the eagled eyed readers, is any remarks about delegated OCSP responder certificates. Since in the absence of clarification you should assume forbidden, rather than permitted, and indeed, because implementations defaulted to that, don't have an empty subject for your responder certs either, even though they are not cA:True certificates :) That is, an implied constraint similarly exists for OCSP as the explicit constraint for CRLs.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 10, 2017 at 9:13 AM, Peter Bowen via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Doug,</div><div><br></div><div>As we discussed at the Raleigh F2F, the CN is optional but having an empty subject sequence will break some very popular clients. For DV, this means you effectively have to include CN until we modify the BRs to allow something other than CN in a pure-DV certificate.</div><div><br></div><div>Thanks,</div><div>Peter</div><div><div class="h5"><br><div><blockquote type="cite"><div>On May 10, 2017, at 5:45 AM, Doug Beattie via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:</div><br class="m_-758680979452208296Apple-interchange-newline"><div><div class="m_-758680979452208296WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(31,73,125)">Thanks, I knew it had to be there somewhere.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><a name="m_-758680979452208296__MailEndCompose"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></a></div><div style="border-style:none none none solid;border-left-width:1.5pt;border-left-color:blue;padding:0in 0in 0in 4pt"><div><div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(225,225,225);padding:3pt 0in 0in"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"><span class="m_-758680979452208296Apple-converted-space"> </span>Public [<a href="mailto:public-bounces@cabforum.org" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">mailto:public-bounces@<wbr>cabforum.org</a>]<span class="m_-758680979452208296Apple-converted-space"> </span><b>On Behalf Of<span class="m_-758680979452208296Apple-converted-space"> </span></b>Adriano Santoni via Public<br><b>Sent:</b><span class="m_-758680979452208296Apple-converted-space"> </span>Wednesday, May 10, 2017 8:43 AM<br><b>To:</b><span class="m_-758680979452208296Apple-converted-space"> </span><a href="mailto:public@cabforum.org" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">public@cabforum.org</a><br><b>Cc:</b><span class="m_-758680979452208296Apple-converted-space"> </span>Adriano Santoni <<a href="mailto:adriano.santoni@staff.aruba.it" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">adriano.santoni@staff.aruba.<wbr>it</a>><br><b>Subject:</b><span class="m_-758680979452208296Apple-converted-space"> </span>Re: [cabfpub] Is CN value required in the SAN?<u></u><u></u></span></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><p style="margin-right:0in;margin-left:0in;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Calibri,sans-serif">Excerpt from the BRs:</span><u></u><u></u></p><p style="margin-right:0in;margin-left:0in;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Calibri,sans-serif">7.1.4.2.2. Subject Distinguished Name Fields<br>a. Certificate Field: subject:commonName (OID 2.5.4.3)<br>Required/Optional: Deprecated (Discouraged, but not prohibited)<br>Contents: If present, this field MUST contain a single IP address or Fully‐Qualified Domain<br>Name that is one of the values contained in the Certificate’s subjectAltName extension (see<br>Section 7.1.4.2.1).</span><u></u><u></u></p><p style="margin-right:0in;margin-left:0in;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></p><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Il 10/05/2017 14:36, Doug Beattie via Public ha scritto:<u></u><u></u></div></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">In reading the BRs, I see the requirement that the SAN must contain at least one value (7.1.4.2.1), but I can’t find a reference that the value in the CN needs to be in the SAN. Am I missing that link somewhere, or can the value in the CN be omitted from the SAN? With Chrome depreciating use of CN, CAs will certainly want to include the value in the SAN, but is there a BR requirement that the CN value must be in the SAN?<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></span></div><pre style="margin:0in 0in 0.0001pt;font-size:10pt;font-family:'Courier New'">______________________________<wbr>_________________<u></u><u></u></pre><pre style="margin:0in 0in 0.0001pt;font-size:10pt;font-family:'Courier New'">Public mailing list<u></u><u></u></pre><pre style="margin:0in 0in 0.0001pt;font-size:10pt;font-family:'Courier New'"><a href="mailto:Public@cabforum.org" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">Public@cabforum.org</a><u></u><u></u></pre><pre style="margin:0in 0in 0.0001pt;font-size:10pt;font-family:'Courier New'"><a href="https://cabforum.org/mailman/listinfo/public" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><u></u><u></u></pre></blockquote><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></span></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:12pt;font-family:'Times New Roman',serif">--<u></u><u></u></span></div><p style="margin-right:0in;margin-left:0in;font-size:12pt;font-family:'Times New Roman',serif">Cordiali saluti,<br><br>Adriano Santoni<br>ACTALIS S.p.A.<br>(Aruba Group)<u></u><u></u></p></div></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important">______________________________<wbr>_________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important">Public mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><a href="mailto:Public@cabforum.org" style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)" target="_blank">Public@cabforum.org</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><a href="https://cabforum.org/mailman/listinfo/public" style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"></div></blockquote></div><br></div></div></div><br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>