[cabfpub] Urgent: BR Exceptions for Subordinate CA Certificates

Kathleen Wilson kwilson at mozilla.com
Thu Oct 31 23:19:39 UTC 2013

On 10/31/13 1:59 PM, Eddy Nigg (StartCom Ltd.) wrote:
> On 10/31/2013 09:35 PM, From Kathleen Wilson:
>> These are the issues in play:
>> * BR 9.1.3 says that the Issuer Organization Name (O) field must not
>> contain a generic designation. The BIT legacy roots have the DN
>> "o=admin,c=CH". However, Swiss law apparently reserves this particular
>> string as a 'brand' to BIT. And, of course, this root was created long
>> before the BRs were thought of.
> Kathleen, if you recall, at the time of the (initial) root inclusion 
> request regarding this root at Mozilla we had exactly the very same 
> issue, and with an eye on exactly those types of names the BR does NOT 
> allow such names. This was also discussed at that time, and I would 
> object (on our part, should this come up for vote) to an exception for 
> these kinds of names. Exactly for this the BR was created: to get rid 
> of such practices.

My personal opinion is that we should not override that decision.

BIT is working towards a new CA Hierarchy, with the new root having the 
following Issuer field:
CN = Swiss Government Root CA II
OU = Certification Authorities
OU = Services
O = The Federal Authorities of the Swiss Confederation
C = CH

I am definitely in favor of this new Issuer field.

I am asking the CAB Forum to consider the options for the interim, so 
the Swiss government websites will continue to work while BIT is 
migrating to their new CA hierarchy. As proposed, one option is to allow 
the name constraints in this case to contain a DirectoryName constraint 
for "o=admin,c=CH".

To see that Swiss legislation reserves this particular string as a 
'brand' for BIT, go to
and enter "admin" into the bottom text entry field.
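As an added illustration (not part of this thread, nor BIT's or Mozilla's code): the proposed interim measure relies on a NameConstraints extension whose permittedSubtrees carries the directoryName "o=admin,c=CH". The snippet below models what a path validator does with such a constraint. It assumes the matching rule used by common implementations (RFC 5280 section 4.2.1.10 and section 7.1: the constraint DN, in X.500 order, must be a prefix of the candidate DN, attribute values compared case-insensitively), and uses a deliberately small RFC 4514 string parser that does not handle escaped commas or multi-valued RDNs.

```python
"""Evaluate an X.509 directoryName name constraint (RFC 5280 s4.2.1.10).

Added example, not code from the CA/B Forum thread. It models the check a
path validator performs when a sub-CA carries a NameConstraints extension
whose permittedSubtrees holds the directoryName "o=admin,c=CH". DNs are
given as RFC 4514 strings; the parser is intentionally minimal (no escaped
separators, no multi-valued RDNs). The matching rule is the usual one (as in
OpenSSL's nc_dn): the constraint DN, in X.500 order (root first), must be a
prefix of the candidate DN, with case-insensitive attribute values.
"""
from typing import List, Sequence, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Parse 'cn=x,o=admin,c=CH' into X.500 order: [('c','ch'),('o','admin'),('cn','x')].

    Attribute types and values are lowercased and whitespace-normalised to
    approximate the case-insensitive string comparison RFC 5280 s7.1 asks for.
    Escaped separators are not handled (simplification for this example).
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        if not part.strip():
            raise ValueError(f"empty RDN in {dn!r}")
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    # RFC 4514 strings list the leaf RDN first; X.500 order starts at the root.
    rdns.reverse()
    return rdns


def dn_within_subtree(name: str, subtree: str) -> bool:
    """True if `name` lies under the directoryName subtree `subtree`.

    The subtree matches when its RDNs, in X.500 order, are a prefix of the
    candidate's RDNs; the subtree root itself counts as inside the subtree.
    """
    n, s = parse_dn(name), parse_dn(subtree)
    return len(n) >= len(s) and n[: len(s)] == s


def name_permitted(name: str, permitted: Sequence[str],
                   excluded: Sequence[str] = ()) -> bool:
    """Apply permitted/excluded directoryName subtrees to one subject DN.

    Per RFC 5280 s6.1.4: a name is acceptable if it falls within no excluded
    subtree and, when any permitted directoryName subtree exists, within at
    least one of them. With no permitted subtrees of this type, the name type
    is unconstrained.
    """
    if any(dn_within_subtree(name, ex) for ex in excluded):
        return False
    if not permitted:
        return True
    return any(dn_within_subtree(name, p) for p in permitted)


if __name__ == "__main__":
    # Constructed sample DNs for the "o=admin,c=CH" case discussed above.
    constraint = ["o=admin,c=CH"]
    for subject in ("cn=www.admin.ch,o=admin,c=CH",
                    "cn=x,o=Admin , c=ch",
                    "cn=x,o=other,c=CH",
                    "cn=x,o=admin,c=CH,dc=extra"):
        print(f"{subject!r:45} -> {name_permitted(subject, constraint)}")
```

Note the fourth sample: an extra RDN above `c=CH` puts the name outside the subtree, because matching runs from the root, not from the leaf. Also note what this constraint does not do: RFC 5280 constrains each name type independently, so a directoryName subtree says nothing about dNSName entries in subjectAltName; limiting the hostnames such a sub-CA may issue for would require a separate dNSName subtree.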


