[cabfpub] Section 9.2.3 modification
sleevi at google.com
Thu May 23 10:38:21 MST 2013
On Wed, May 22, 2013 at 11:44 PM, Geoff Keating <geoffk at apple.com> wrote:
> On 22/05/2013, at 4:32 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>> 9.2.3 Subject Domain Component Field
>> Certificate Field: subject:domainComponent (OID 0.9.2342.19200300.100.1.25)
>> Required/Optional: Optional.
>> Contents: If present, this field MUST contain components of a Domain Name verified under Section 11.1.1 in ordered sequence, with the most significant component, closest to the root of the namespace, written last. The CA SHALL implement and follow a process that prevents a Domain Component field from including information if the CA is unaware of the logical association between the Domain Component field information and the Certificate’s Subject.
> The reference to 11.1.1 seems out-of-place since the uses of this don't have the domain name owned by the applicant; and the phrase 'logical association' could mean just about anything.
> How about this wording:
>> Contents: If present, this field MUST contain a label from a Domain Name. The domainComponent fields for each Domain Name MUST be in a single ordered sequence containing all labels from the Domain name. The labels MUST be encoded in the reverse order to the on-wire representation of domain names in the DNS protocol, so that the label closest to the root is encoded first. The CA MUST ensure that the certificate is issued with the consent of, and according to procedures established by, the owner of each Domain Name.
+1 for the language clarification - which is much nicer than mine, so
No comments on the merits of the proposal itself :)
> The idea is that the DC fields describe a namespace, and the owner of the domain gets to decide what's in the namespace. However, the other BR rules still apply, so systems that are unaware of the namespace can just skip over it and process the certificate using the O and subjectAltName fields as usual.
> I didn't want to specify detailed procedures for verifying the 'consent' and 'procedures', because I expect that normally it'll be really obvious, as in the case of DigiCert issuing certs with a DC for a domain they own.
> I also changed the language to address Ryan's comments about SETs vs SEQUENCEs and ordering. This is the bit of my wording I'm least happy about but at least I think it's clear.
> Public mailing list
> Public at cabforum.org
More information about the Public