[cabfpub] EV Code Signing fixes
Jeremy Rowley
jeremy.rowley at digicert.com
Wed Feb 19 07:53:18 UTC 2014
There are two issues with the EV code signing guidelines that need
correction:
1. Section 9.2.2 of the EV code signing guidelines recommends that CAs not
include the SAN extension in an EV certificate. However, section 9.7
requires that an EV certificate include subjectAltName:permanentIdentifier.
Because the main concern is a CA including a domain name in the SAN
extension, we should specify that this practice is not allowed and recognize
that other information may be present.
2. Section 9.2.3 of the EV code signing guidelines deprecates the CN field.
The code signing working group received a report that this field is still
required by code signing applications. We should still include the CN in
code signing certificates even if the field is deprecated for SSL
certificates.
I am looking for endorsers for (or suggestions on) the following proposal:
a. Replace section 9.2.2 with the following:
"9.2.2 Subject Alternative Name Extension
This field MUST be present and MUST contain the permanentIdentifier
specified in Section 9.7. This field MUST NOT contain a Domain Name or IP
Address."
b. Amend section 9.2.3 as follows:
"9.2.2 Subject Common Name Field
Certificate field: subject:commonName (OID 2.5.4.3)
Required/Optional: Required
Contents: This field MUST contain the Subject's legal name as verified under
Section 11.2."
Thanks!
Jeremy
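
Added example, not part of the original message or of any CA/Browser Forum text: a lint for the proposed 9.2.2 wording, run over the DER value of a subjectAltName extension. The permanentIdentifier OID (1.3.6.1.5.5.7.8.3, from RFC 4043) is an assumption about how Section 9.7 is encoded; the function names and sample bytes are constructed for illustration.

```python
import ipaddress

# id-on-permanentIdentifier, 1.3.6.1.5.5.7.8.3 (RFC 4043), as DER OID content bytes
PERMANENT_IDENTIFIER_OID = bytes.fromhex("2b06010505070803")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def lint_san(ext_value):
    """List violations of the proposed 9.2.2 for a DER GeneralNames value (None = no SAN)."""
    if ext_value is None:
        return ["subjectAltName extension is absent"]
    tag, names, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("not a DER GeneralNames SEQUENCE")
    problems, has_permanent_id, pos = [], False, 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag == 0x82:    # [2] dNSName
            problems.append("dNSName present: " + value.decode("ascii", "replace"))
        elif tag == 0x87:  # [7] iPAddress, 4 or 16 raw bytes
            problems.append("iPAddress present: " + str(ipaddress.ip_address(value)))
        elif tag == 0xA0:  # [0] otherName: type-id OID, then [0] EXPLICIT value
            oid_tag, oid, _ = read_tlv(value, 0)
            has_permanent_id |= oid_tag == 0x06 and oid == PERMANENT_IDENTIFIER_OID
    if not has_permanent_id:
        problems.append("no permanentIdentifier otherName")
    return problems

def tlv(tag, value):
    """Encode one short-form DER element (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample SAN values, not taken from any real certificate
PERM_ID = tlv(0xA0, tlv(0x06, PERMANENT_IDENTIFIER_OID)
              + tlv(0xA0, tlv(0x30, tlv(0x0C, b"EXAMPLE-0001"))))
GOOD_SAN = tlv(0x30, PERM_ID)
BAD_SAN = tlv(0x30, PERM_ID + tlv(0x82, b"signer.example") + tlv(0x87, bytes([192, 0, 2, 1])))
```

The commonName requirement in the amended 9.2.3 lives in the subject DN rather than in the SAN, so it would need a separate check.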