[cabfpub] EV Code Signing fixes

Jeremy Rowley jeremy.rowley at digicert.com
Wed Feb 19 07:53:18 UTC 2014

There are two issues with the EV code signing guidelines that need


1.  Section 9.2.2 of the EV code signing guidelines recommends that CAs not
include the SAN extension in an EV certificate.  However, section 9.7
requires that an EV certificate include subjectAltName:permanentIdentifier.
Because the main concern is a CA including a domain names in the SAN
extension, we should specify that this practice is not allowed and recognize
that other information may be present. 


2.  Section 9.2.3 of the EV code signing guidelines deprecates the CN field.
The code signing working group received a report that this field is still
required by code signing applications. We should still include the CN in
code signing certificates even if the field is deprecated for SSL


I am looking for endorsers for (or suggestions on) the following proposal:


a.       Replace section 9.2.2 with the following: 

"9.2.2    Subject Alternative Name Extension

This field MUST be present and MUST contain the permanentIdentifier
specified in Section 9.7. This field MUST NOT contain a Domain Name or IP


b.      Amend section 9.2.3 as follows:

"9.2.2    Subject Common Name Field

Certificate field: subject:commonName (OID

Required/Optional: Required

Contents: This field MUST contain the Subject's legal name as verified under
Section 11.2. "





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140219/28f0a127/attachment-0002.html>

More information about the Public mailing list