<div dir="ltr"><div>At some point we should look at the next line, "commonName", and consider prohibiting CNs that are too generic, if that's possible. <br></div><div><br></div><div>For me, the following CNs are too generic: Issuing CA, Server CA, EV CA, Government CA, Citizen CA, Corporate CA, Class 1 CA, etc.<br></div><div><br></div><div>Right now, that line says, "<span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass">The contents SHOULD be an identifier for the certificate such that the certificate's Name is unique across all certificates issued by the issuing certificate." <br></span></div><div><span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass"><br></span></div><div><span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass">It might say,
<span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass">"The
contents MAY include a company name or brand and SHOULD be an identifier for the CA that is unique and provides sufficient information to distinguish the CA from other CAs having the same issuer or <span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass">organizationName</span></span>."</span></div><div><span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass"><br></span></div><div><span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass">Ben<br></span></div><div><span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass"><br></span></div><div><span class="gmail-blob-code-inner gmail-blob-code-marker gmail-js-code-nav-pass"><br></span></div>
</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 21, 2022 at 1:39 AM Dimitris Zacharopoulos (HARICA) via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<br>
<div>On 14/10/2022 11:22 π.μ., Dimitris
Zacharopoulos (HARICA) via Validation wrote:<br>
</div>
<blockquote type="cite">
The breakdown makes it clearer, thanks Doug. We just need to see
how this will appear in the table via markdown.<br>
<br>
Dimitris.<br>
<br>
<div>On 13/10/2022 11:05 μ.μ., Doug
Beattie wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">Hi Dimitris,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I’d lean towards you option #2:<u></u><u></u></p>
<ol type="1" start="2">
<li style="margin-left:0.25in">Update 7.1.2.10.2, add the Attribute Type OU,
and in the Presence column state "MUST NOT," except for
Non-TLS Subordinate CA Certificates that meet the
Certificate Profile described in section 7.1.2.3".<u></u><u></u></li>
</ol>
<p class="MsoNormal">Just a suggestion:<u></u><u></u></p>
<ol type="1" start="2">
<li style="margin-left:0.25in">Update 7.1.2.10.2, add the Attribute Type OU,
and in the Presence column state:<u></u><u></u></li>
<ul type="disc">
<li style="margin-left:0.25in">MUST NOT for TLS Subordinate CA
Certificates defined in section 7.1.2.3, <u></u><u></u></li>
<li style="margin-left:0.25in">SHOULD NOT for all other CAs"<u></u><u></u></li>
</ul>
</ol>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</blockquote>
</blockquote>
<br>
Seeing no objections, I created
<a href="https://github.com/cabforum/servercert/pull/398/files" target="_blank">https://github.com/cabforum/servercert/pull/398/files</a> with the
proposed language. Let me know if the formatting (single line) works
for everyone.<br>
<br>
Thanks,<br>
Dimitris.<br>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</blockquote></div>