[cabfpub] Possible error in EV Code Signing document

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jul 26 09:38:56 MST 2013


Hi Rick, 

 

I'd endorse such an amendment. The original intent of the language was to
prohibit DNS Names in the certificate.  However, even if we remove 9.2.2,
domain names are still prohibited under Section 11.6.

 

Jeremy

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Friday, July 26, 2013 10:32 AM
To: public at cabforum.org
Subject: [cabfpub] Possible error in EV Code Signing document

 

While looking over the EV Code Signing Guidelines
(https://cabforum.org/EV_Code_Signing_Guidelines_v1_1.pdf), I came across
what I think is a typo.

 

"9.2.2  Subject Alternative Name Extension

This field should not be included in the EV Code Signing Objects."

 

Section 9.2 is all about Subject DN fields, so it seems a bit odd that 9.2.2
should be about an extension. But as Section 9.7 says "the Certificate
MUST include a SubjectAltName:permanentIdentifier".

 

I think 9.2.2 is there because it was copied from the EV SSL Guidelines. In
that document, we explicitly call out subjectAltName in the Subject DN
section to call attention to the fact that we're deprecating the Common Name
field, and want the subject's name instead put in the subjectAltName
extension.

 

I think the way to correct this is to remove Section 9.2.2 (it just consists
of the one sentence shown above).

 

Anyone disagree? Should I create a ballot for this?

 

-Rick

 
