[cabfpub] Questions about [70] EV Code Signing Identifier

Jeremy Rowley jeremy.rowley at digicert.com
Mon Jun 11 16:39:46 UTC 2012


Revised is better. The original intent of that language was to prevent a
FQDN from appearing in an EV Code Signing Certificate. Instead of
eliminating the Subject Alt Name Extension, we should specify that the
Subject Alt Name Extension MUST NOT contain a Domain Name.
Jeremy
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Friday, June 08, 2012 2:35 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Questions about [70] EV Code Signing Identifier
One more thing: The guidelines currently contain this:

9.2.2 Subject Alternative Name Extension

This field should not be included in the EV Code Signing Objects.

Which I presume should be removed or revised.
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Friday, June 08, 2012 11:36 AM
To: public at cabforum.org
Subject: [cabfpub] Questions about [70] EV Code Signing Identifier
I have a few questions about this ballot. I apologize for not bringing this
up during the review period, but you often don't see things until you're
trying to implement...
First of all, I haven't been able to find a concise list on the wiki of what
is the current status of each ballot. I assume someone maintains that list,
but it would be nice to see it on one page.
Secondly, a few questions have come up about the construction of the
permanentIdentifier. Here's the current text:

"(B) the Certificate MUST include a SubjectAltName:permanentIdentifier which
MUST contain the following: 

"(1) The ISO 3166-2 country code in uppercase characters corresponding to
the Subject's Jurisdiction of Incorporation or Registration (CC), as
specified in the subject:jurisdictionOfIncorporationCountryName field; 

"(2) If applicable, the state, province, or locality of the Subject's
Jurisdiction of Incorporation in uppercase characters as specified in the
subjectjurisdictionOfIncorporationLocalityName or
subject:jurisdictionofIncorporationStateorProvinceName field, expressed in
an unabbreviated format (STATE); and 

"(3) The first one of the following that applies: a. The Registration Number
as included in the Subject:serialNumber field (REG), b. A date of
Incorporation or Registration in YYYY-MM-DD format (DATE) and the Subject's
Organization Name as included in the organizationName field (ORG), c. A
verifiable date of creation in YYYY-MM-DD format (DATE) and the Subject's
Organization Name as included in the organizationName field (ORG), or d. The
Subject's Organization Name as included in the organizationName field (ORG).


"The CA SHALL format data in the SubjectAltName:permanentIdentifier
extension using Unicode as follows: CC-STATE (if applicable)- REG or DATE
(if available)-ORG (if REG is not present). Characters representing the
organization name MUST be uppercase Unicode. Any included "-" characters
MUST be Unicode 002D and any included spaces in REG, STATE, or ORG MUST be
Unicode 0020. A CA MAY truncate or abbreviate an organization name included
in this field to ensure that the combination does not exceed 64 characters
provided that the CA checks this field in accordance with section 10.11.1
and a Relying Party will not be misled into thinking that they are dealing
with a different organization. If this is not possible, the CA MUST NOT
issue the EV Code Signing Certificate.

a. Since the STATE part is "if applicable", what happens if the STATE
is not applicable? Is the permanentIdentifier "CC--REG or DATE"?
b. Can a State or Province include a hyphen? If so, I would expect it
would need to be escaped somehow so as not to be interpreted as a delimiter.
c. Same question about Org, except that I know that Orgs can contain
hyphens (e.g., "Hewlett-Packard").
d. We don't understand the need to allow the CA to truncate so the
combination doesn't exceed 64 characters. That's the max length of DN
components, but this is an extension. If the intent is to ensure that any CA
would come up with the same combination for a given organization, this seems
to allow for variability that will cause incompatibilities.
-Rick
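As an added illustration for readers of this thread (it is not part of any message above and not CA/Browser Forum code), the following Python builds a SubjectAltName:permanentIdentifier string from the quoted ballot text: CC, then STATE when present, then either REG or DATE plus ORG, joined with U+002D and with spaces normalised to U+0020, and with only ORG eligible for truncation to stay within 64 characters. The `Subject` class and its field names are constructed stand-ins for the certificate fields the ballot names, and the decision to simply omit STATE (giving "CC-REG" rather than "CC--REG") is an assumption made so the code can run; the ballot leaves that open, which is question (a). `naive_field_count` shows questions (b) and (c): splitting on the delimiter yields more pieces than logical fields once STATE, ORG or the YYYY-MM-DD DATE contain hyphens.

```python
"""Build a SubjectAltName:permanentIdentifier as the quoted ballot text describes.
Added example only; field names and the STATE-omission rule are assumptions."""
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

MAX_LEN = 64        # limit stated in the ballot text
HYPHEN = "\u002d"   # every "-" must be U+002D
SPACE = "\u0020"    # every space must be U+0020


@dataclass
class Subject:
    """Constructed stand-in for the EV subject fields the ballot refers to."""
    jurisdiction_country: str                  # jurisdictionOfIncorporationCountryName
    jurisdiction_state: Optional[str] = None   # ...StateOrProvinceName / ...LocalityName
    serial_number: Optional[str] = None        # Subject:serialNumber (REG)
    incorporation_date: Optional[str] = None   # YYYY-MM-DD (DATE)
    organization_name: str = ""                # organizationName (ORG)


def _normalize(value: str, uppercase: bool) -> str:
    """Map look-alike dashes to U+002D and collapse whitespace to U+0020."""
    value = unicodedata.normalize("NFC", value)
    value = re.sub(r"[\u2010-\u2015\u2212\u00ad]", HYPHEN, value)
    value = re.sub(r"\s+", SPACE, value).strip()
    return value.upper() if uppercase else value


def build_permanent_identifier(subject: Subject, allow_truncation: bool = True) -> str:
    """Return CC-STATE-REG, CC-STATE-DATE-ORG or CC-STATE-ORG per the ballot."""
    cc = subject.jurisdiction_country.strip().upper()
    if not re.fullmatch(r"[A-Z]{2}", cc):
        raise ValueError("CC must be a two-letter country code")
    prefix = [cc]
    # Assumption: a STATE that is "not applicable" is omitted entirely,
    # so the result is "CC-REG" and not "CC--REG"; the ballot does not say.
    if subject.jurisdiction_state:
        prefix.append(_normalize(subject.jurisdiction_state, uppercase=True))

    if subject.serial_number:                      # rule (3)(a): REG, no ORG
        fields = prefix + [_normalize(subject.serial_number, uppercase=False)]
        org = None
    else:                                          # rules (3)(b) to (3)(d)
        fields = list(prefix)
        if subject.incorporation_date:
            if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", subject.incorporation_date):
                raise ValueError("DATE must be YYYY-MM-DD")
            fields.append(subject.incorporation_date)
        org = _normalize(subject.organization_name, uppercase=True)
        if not org:
            raise ValueError("ORG is required when REG is absent")
        fields.append(org)

    identifier = HYPHEN.join(fields)
    if len(identifier) <= MAX_LEN:
        return identifier
    # The ballot lets the CA shorten only the organization name; with REG
    # present there is nothing it may shorten, so the certificate cannot issue.
    if org is None or not allow_truncation:
        raise ValueError("identifier exceeds 64 characters and cannot be truncated")
    room = MAX_LEN - (len(identifier) - len(org))
    if room < 1:
        raise ValueError("no room left for ORG within 64 characters")
    fields[-1] = org[:room].rstrip()
    return HYPHEN.join(fields)


def naive_field_count(identifier: str) -> int:
    """Pieces a relying party gets by splitting on the delimiter. Hyphens inside
    STATE, ORG or a YYYY-MM-DD DATE push this above the number of logical fields,
    because nothing in the ballot escapes them."""
    return len(identifier.split(HYPHEN))


if __name__ == "__main__":
    hp = Subject("US", "CALIFORNIA", incorporation_date="1939-01-01",
                 organization_name="Hewlett-Packard")   # constructed sample
    ident = build_permanent_identifier(hp)
    print(ident, "->", naive_field_count(ident), "pieces for 4 logical fields")
```

Running the sample produces `US-CALIFORNIA-1939-01-01-HEWLETT-PACKARD`, which splits into seven pieces although it encodes four fields, and a 70-character organization name with no REG or DATE is cut to 61 characters so that `GB-` plus ORG fits in 64; the same overlength input with a REG present raises, since the ballot permits no shortening there.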