[Cscwg-public] Subject name stability

Mike Hearn mike at hydraulic.software
Fri May 26 10:03:23 UTC 2023


It would be good if the CSCWG could issue some recommendations or guidance
to CAs on letting users select their own subjectDN, as people have
experienced in the past that e.g. postalCode would disappear and when they
requested it to be put back their CA refused and said it wasn't possible.
So there seems to be a gap here between what's theoretically allowed by the
rules and how the rules are being interpreted.


>    - Company HQ is relocated.
>
> This should not result in a new certificate, as long as the address is not
> part of the subjectDN.
>

The EV cert for my company has a subjectDN of:

CN=Hydraulic Software AG, O=Hydraulic Software AG, L=Zürich, S=Zürich,
C=CH, SERIALNUMBER=CHE-312.597.948, OID.1.3.6.1.4.1.311.60.2.1.2=Zürich,
OID.1.3.6.1.4.1.311.60.2.1.3=CH, OID.2.5.4.15=Private Organization

I'm not sure why there are so many redundant fields, but that's what I got.
This is from DigiCert, I believe.

Zürich is a small Swiss canton (administrative district). If we moved down
the road - a common thing for companies to do here - it seems clear that
several subjectDN fields would change, and in turn that would break
everything that uses the subjectDN to identify my company even though it's
the same legal entity. The serial number is more stable.


> Certificate pinning is generally a practice that should be avoided, and
> this has been discussed several times in the past. However, this is not
> something that the CSCWG or the CA/B Forum can include in a Guideline
> because it is out of scope of its Charter.
>

May I ask what exactly is the purpose of the subjectDN field, if linking
data to it is considered a bad practice? Is it only intended to be consumed
by humans and if so, who?

It would appear that using the subjectDN as a database key isn't the same
thing as certificate pinning. The goal here is not to prevent moving
between CAs, but rather to ensure that when you do so everything connected
to that identity comes with you. The web PKI has a form of stable identity
(the domain name) and every CA will reach agreement on what the domain name
is. For code signing that's not currently the case.
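
The following Python sketch is an added illustration of the message above, not part of the original post and not CA/B Forum guidance. It compares a database key built from the whole subjectDN with one built only from the jurisdiction country and SERIALNUMBER; the relocated DN, the choice of key fields and all function names are assumptions made for the example.

```python
import re

# EV jurisdiction-of-incorporation country attribute, as rendered in the quoted DN.
JURISDICTION_COUNTRY = "OID.1.3.6.1.4.1.311.60.2.1.3"

# subjectDN quoted in the message above.
DN_BEFORE = ("CN=Hydraulic Software AG, O=Hydraulic Software AG, L=Zürich, S=Zürich, "
             "C=CH, SERIALNUMBER=CHE-312.597.948, OID.1.3.6.1.4.1.311.60.2.1.2=Zürich, "
             "OID.1.3.6.1.4.1.311.60.2.1.3=CH, OID.2.5.4.15=Private Organization")

# Constructed for this example: the same legal entity after a hypothetical move.
DN_AFTER = (DN_BEFORE.replace("L=Zürich, S=Zürich", "L=Zug, S=Zug")
            .replace("60.2.1.2=Zürich", "60.2.1.2=Zug"))

def parse_dn(dn):
    """Parse 'K=V, K=V' text into {KEY: [values]}; '\\,' is an escaped comma."""
    attrs = {}
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        key, _, value = part.partition("=")
        value = value.strip().replace("\\,", ",")
        attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs

def full_dn_key(dn):
    """Key over every attribute: any edited field yields a different identity."""
    return tuple(sorted((k, tuple(v)) for k, v in parse_dn(dn).items()))

def registration_key(dn):
    """Key over jurisdiction country + registration number only (assumed choice)."""
    attrs = parse_dn(dn)
    country = attrs.get(JURISDICTION_COUNTRY, [])
    serial = attrs.get("SERIALNUMBER", [])
    if len(country) != 1 or len(serial) != 1:
        # Refuse to guess: an ambiguous or missing field must not map to an identity.
        raise ValueError("need exactly one jurisdiction country and one SERIALNUMBER")
    return (country[0].upper(), serial[0])

def changed_attributes(old, new):
    """Names of attributes whose values differ between two DNs."""
    a, b = parse_dn(old), parse_dn(new)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    print("changed:", changed_attributes(DN_BEFORE, DN_AFTER))
    print("full-DN key stable:", full_dn_key(DN_BEFORE) == full_dn_key(DN_AFTER))
    print("registration key stable:",
          registration_key(DN_BEFORE) == registration_key(DN_AFTER))
```

A key like this is only as trustworthy as each issuing CA's validation and formatting of the registration number, which is the cross-CA agreement the message says code signing currently lacks.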