[Cscwg-public] Subject name stability

Mike Hearn mike at hydraulic.software
Fri May 26 09:23:19 UTC 2023

Hi Dimitris,

I don't recall ever being given a choice over the format of the subjectDN
when buying a code signing certificate, by any CA. The contents of any CSR
submitted are ignored and when purchasing in an HSM there's no CSR to begin
with. So in practice the experience of subscribers is that SNs can change
when they switch CA.

Additionally, they can change in these cases:

   - Company name change. Same entity legally, new SN.
   - Company HQ is relocated.
   - Change in CSWG policies (e.g. postalCode being removed?)
   - Cases where CSWG policies turn out to be ambiguous.
   - Change in CA default policy where flexibility exists.

These things can happen. Attempting to pin things down so names never
change is probably impossible. That's why it would be good if there were
ways to systematically handle the above cases, by allowing people to
re-use previously issued names if they came from a compliant-at-the-time CA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230526/89d1fd7a/attachment.html>

More information about the Cscwg-public mailing list