[Cscwg-public] Subject name stability

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri May 26 09:45:59 UTC 2023

On 26/5/2023 12:23 μ.μ., Mike Hearn wrote:
> Hi Dimitris,
> I don't recall ever being given a choice over the format of the 
> subjectDN when buying a code signing certificate, by any CA. The 
> contents of any CSR submitted are ignored and when purchasing in an 
> HSM there's no CSR to begin with. So in practice the experience of 
> subscribers is that SNs can change when they switch CA.

The CSR is only served as a way to convey a public key to the CA. The 
rest of the "identity" information must be validated independently by 
the CA and the Applicant may identify which subject fields should be 
included in the final certificate.

> Additionally, they can change in these cases:
>   * Company name change. Same entity legally, new SN.
True, and this is important to be highlighted in the subjectDN because 
the subjectDN conveys the name of the legal entity. If the name changes, 
the subjectDN must change.

>   * Company HQ is relocated.
This should not result in a new certificate, as long as the address is 
not part of the subjectDN.

>   * Change in CSWG policies (e.g. postalCode being removed?)

The impact to the ecosystem is usually being considered when policies 
like this (deprecation of fields) is being discussed.

>   * Cases where CSWG policies turn out to be ambiguous.

I am not following this example. Can you expand a bit more?

>   * Change in CA default policy where flexibility exists.

There is always the option to move to other CAs if the CA's policies do 
not meet the Subscriber's needs. All CAs must adhere to the "Baseline 
Requirements" at a minimum but may not support all the options allowed 
in the BRs.

> These things can happen. Attempting to pin things down so names never 
> change is probably impossible. That's why it would be good if there 
> were ways to systematically handle the above cases, by allowing people 
> to re-use previously issued names if they came from a 
> compliant-at-the-time CA.

Certificate pinning is generally a practice that should be avoided, and 
this has been discussed several times in the past. However, this is not 
something that the CSCWG or the CA/B Forum can include in a Guideline 
because it is out of scope of its Charter.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230526/7bd3be8c/attachment.html>

More information about the Cscwg-public mailing list