[cabfpub] Section 9.2.3 modification
geoffk at apple.com
Wed May 22 23:44:25 MST 2013
On 22/05/2013, at 4:32 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 9.2.3 Subject Domain Component Field
> Certificate Field: subject:domainComponent (OID 0.9.2342.19200300.100.1.25)
> Required/Optional: Optional.
> Contents: If present, this field MUST contain components of a Domain Name verified under Section 11.1.1 in ordered sequence, with the most significant component, closest to the root of the namespace, written last. The CA SHALL implement and follow a process that prevents a Domain Component field from including information if the CA is unaware of the logical association between the Domain Component field information and the Certificate’s Subject.
The reference to 11.1.1 seems out-of-place since the uses of this don't have the domain name owned by the applicant; and the phrase 'logical association' could mean just about anything.
How about this wording:
> Contents: If present, this field MUST contain a label from a Domain Name. The domainComponent fields for each Domain Name MUST be in a single ordered sequence containing all labels from the Domain name. The labels MUST be encoded in the reverse order to the on-wire representation of domain names in the DNS protocol, so that the label closest to the root is encoded first. The CA MUST ensure that the certificate is issued with the consent of, and according to procedures established by, the owner of each Domain Name.
The idea is that the DC fields describe a namespace, and the owner of the domain gets to decide what's in the namespace. However, the other BR rules still apply, so systems that are unaware of the namespace can just skip over it and process the certificate using the O and subjectAltName fields as usual.
I didn't want to specify detailed procedures for verifying the 'consent' and 'procedures', because I expect that normally it'll be really obvious, as in the case of DigiCert issuing certs with a DC for a domain they own.
I also changed the language to address Ryan's comments about SETs vs SEQUENCEs and ordering. This is the bit of my wording I'm least happy about but at least I think it's clear.
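As an added worked example (not part of this mail, the quoted draft, or the BR text), the script below shows the two points the proposed wording makes: the DC RDNs are emitted in the DER Name's outer SEQUENCE with the label closest to the DNS root first, and a checker rebuilds a Domain Name from each contiguous run of DC attributes so an interleaved, reversed, or partial run is flagged. The DER is hand-rolled so it runs without third-party libraries; the IA5String encoding for dc is taken from RFC 4519, not from this thread, and the function names, the "authorised domains" set and the sample subject are all constructed for illustration.

```python
"""Encode and check subject domainComponent (DC) RDNs under the proposed 9.2.3
wording: labels in root-first encoding order, each Domain Name's labels forming
one contiguous run, and every run being a name the CA may place in the subject.
Added example; IA5String for dc is an assumption taken from RFC 4519."""
from typing import List, Tuple

DC_OID = "0.9.2342.19200300.100.1.25"   # domainComponent, as quoted in the mail
RDN = Tuple[str, str]                    # (attribute short name, value)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return _der_tlv(0x06, bytes(body))


def dc_rdns_for_domain(domain: str) -> List[RDN]:
    """DC RDNs in *encoding* order: label closest to the DNS root first."""
    labels = domain.rstrip(".").lower().split(".")
    return [("DC", label) for label in reversed(labels)]


def encode_dc_name(domain: str) -> bytes:
    """DER X.501 Name = SEQUENCE OF RDN; RDN = SET OF AttributeTypeAndValue.
    Order is meaningful in the outer SEQUENCE, not inside each one-element SET."""
    rdn_bytes = b""
    for _, value in dc_rdns_for_domain(domain):
        atv = _der_tlv(0x30, _der_oid(DC_OID)
                       + _der_tlv(0x16, value.encode("ascii")))  # 0x16 = IA5String
        rdn_bytes += _der_tlv(0x31, atv)   # 0x31 = SET (one RDN)
    return _der_tlv(0x30, rdn_bytes)       # 0x30 = SEQUENCE (the Name)


def rfc4514_string(rdns: List[RDN]) -> str:
    """The string form lists RDNs in reverse of encoding order, which is why
    the current 9.2.3 text says the most significant component is 'written last'."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(rdns))


def check_dc_runs(rdns: List[RDN], authorised: set) -> List[Tuple[str, bool]]:
    """Walk a subject in encoding order, rebuild a Domain Name from each
    contiguous run of DC attributes and report whether that name is one the CA
    holds consent for (constructed 'authorised' set stands in for that record).
    Interleaved, reversed or incomplete runs yield names that fail the check."""
    results, i = [], 0
    while i < len(rdns):
        if rdns[i][0] != "DC":
            i += 1
            continue
        labels = []
        while i < len(rdns) and rdns[i][0] == "DC":
            labels.append(rdns[i][1].lower())
            i += 1
        domain = ".".join(reversed(labels))
        results.append((domain, domain in authorised))
    return results


if __name__ == "__main__":
    # Constructed subject, in encoding order, with one well-formed DC run.
    subject = ([("C", "US")] + dc_rdns_for_domain("example.com")
               + [("O", "Example Corp"), ("CN", "Jane Doe")])
    print(rfc4514_string(subject))
    print(encode_dc_name("example.com").hex())
    print(check_dc_runs(subject, {"example.com"}))
```

The checker deliberately treats a DC run broken by another attribute as two separate names and a reversed run as "com.example", so both fail against the authorised set; that is the behaviour the "single ordered sequence containing all labels" clause asks for, and it is what a linter run over issued certificates would flag.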