[cabfpub] Ballot 148 - Issuer Field Correction (rev 1)
Rémi Pifaut
remi.pifaut at opentrust.com
Thu Apr 2 16:28:22 UTC 2015
OpenTrust votes YES.
Rémi.
From: Doug Beattie
Sent: Thursday, March 19, 2015 1:40 PM
To: public at cabforum.org
Subject: Ballot 148 - Issuer Field Correction (rev 1)
I'm reposting Ballot 148 with new review and voting periods to address
recent comments.
Ballot 148 - Issuer Field Correction (Rev 1)
________________________________________
Reason
________________________________________
The issuer field language in Section 9.1 of the Baseline Requirements
confuses two issues:
1) the contents of the issuer field in an end entity cert and
2) how to name root and intermediate CA certificates.
To clarify the issue and ensure proper name chaining, this ballot fixes
the issuer field requirements and, to clarify that the commonName field is
part of the distinguished name, moves all of the Subject Distinguished
Name Field requirements under the proper section. The ballot also removes
requirements around the domainComponent field as the field is not used by
current TLS clients. A subsequent ballot will address naming of roots and
intermediates under current Section 9.2.5.
Doug Beattie of GlobalSign made the following motion, which was endorsed
by Jeremy Rowley of DigiCert and Richard Wang of WoSign.
________________________________________
Motion begins
________________________________________
1) Replace Section 9.1 with the following:
"9.1 Issuer Information
The content of the Certificate Issuer Distinguished Name field MUST match
the Subject DN of the Issuing CA to support Name chaining as specified in
RFC 5280, section 4.1.2.4."
2) Move Section 9.2.2 to 9.2.2(a) and renumber the subsequent sections as
b-i.
3) Delete Section 9.2.3.
4) Renumber 9.2.4 as 9.2.2.
5) In section 9.2, edit section reference 9.2.2 to 9.2.2 (a)
6) Update section references 9.2.4 (f) to 9.2.2.(g) and 9.2.4 to 9.2.2
throughout document.
7) In Appendix B (Certificate Content and Extensions), Item (1) Root CA
Certificates, add
F. Subject Information
The Certificate Subject MUST contain the following
- countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO
3166-1 country code for the country in which the CA's place of business is
located.
- organizationName (OID 2.5.4.10). This field MUST contain the name (or
abbreviation thereof), trademark, or other meaningful identifier for the
CA, provided that they accurately identify the CA. The field MUST NOT
contain exclusively a generic designation such as "Root 1".
8) In Appendix B (Certificate Content and Extensions), Item (2)
Subordinate CA Certificate, add
H. The Certificate Subject MUST contain the following
- countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO
3166-1 country code for the country in which the CA's place of business is
located.
- organizationName (OID 2.5.4.10). This field MUST contain the name (or
abbreviation thereof), trademark, or other meaningful identifier for the
CA, provided that they accurately identify the CA. The field MUST NOT
contain exclusively a generic designation such as "CA1".
________________________________________
Motion Ends
________________________________________
The review period for this ballot shall commence at 2200 UTC on 19 Mar
2015, and will close at 2200 UTC on 26 Mar 2015. Unless the motion is
withdrawn during the review period, the voting period will start
immediately thereafter and will close at 2200 UTC on 2 Apr 2015. Votes
must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response.
A vote against must indicate a clear 'no' in the response. A vote to
abstain must indicate a clear 'abstain' in the response. Unclear responses
will not be counted. The latest vote received from any representative of a
voting member before the close of the voting period will be counted.
Voting members are listed here:
https://cabforum.org/members/
In order for the motion to be adopted, two thirds or more of the votes
cast by members in the CA category and greater than 50% of the votes cast
by members in the browser category must be in favor. Quorum is currently
nine (9) members; at least nine members must participate in the ballot,
either by voting in favor, voting against, or abstaining.
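
As an added example (not part of the ballot or of either message above), the following lint applies the checks the motion describes to already-decoded distinguished names: the issuer/subject match from the proposed Section 9.1 and the countryName and organizationName rules from the proposed Appendix B items F and H. The function names, the `GENERIC` pattern and the sample names are assumptions made for illustration.

```python
import re

OID_COUNTRY = "2.5.4.6"   # countryName, OID as given in the ballot
OID_ORG = "2.5.4.10"      # organizationName, OID as given in the ballot

# Assumption: the ballot only gives "Root 1" and "CA1" as examples of a generic
# designation; this pattern is an illustrative heuristic, not CA/B Forum text.
GENERIC = re.compile(r"(?:(?:root|sub(?:ordinate)?|intermediate|issuing|ca)\s*)+\d*", re.I)

def chains(cert_issuer, ca_subject):
    """Proposed 9.1: issuer DN of the certificate vs. subject DN of the issuing CA.
    Exact, order-sensitive comparison of (OID, value) pairs: a deliberately strict
    reading of "MUST match" chosen for this example."""
    return list(cert_issuer) == list(ca_subject)

def lint_ca_subject(subject):
    """Proposed Appendix B items F and H: return findings, empty list means pass."""
    attrs = {}
    for oid, value in subject:
        attrs.setdefault(oid, []).append(value)
    findings = []
    countries = attrs.get(OID_COUNTRY, [])
    if not countries:
        findings.append("countryName missing")
    elif not all(re.fullmatch(r"[A-Z]{2}", c) for c in countries):
        # Format check only; membership in ISO 3166-1 is not verified here.
        findings.append("countryName is not a two-letter code")
    orgs = attrs.get(OID_ORG, [])
    if not orgs:
        findings.append("organizationName missing")
    elif any(GENERIC.fullmatch(o.strip()) for o in orgs):
        findings.append("organizationName is only a generic designation")
    return findings

# Constructed sample names (not real CAs); 2.5.4.3 is commonName.
GOOD_CA = [(OID_COUNTRY, "FR"), (OID_ORG, "Example Trust Services"), ("2.5.4.3", "Example Root R1")]
BAD_CA = [(OID_ORG, "Root 1"), ("2.5.4.3", "Root 1")]
LEAF_ISSUER = list(GOOD_CA)            # issuer field copied from the issuing CA
REORDERED = list(reversed(GOOD_CA))    # same attributes, different RDN order

if __name__ == "__main__":
    for name, subject in (("GOOD_CA", GOOD_CA), ("BAD_CA", BAD_CA)):
        print(name, lint_ca_subject(subject) or "ok")
    print("leaf chains to GOOD_CA:", chains(LEAF_ISSUER, GOOD_CA))
    print("reordered issuer chains:", chains(REORDERED, GOOD_CA))
```

A production check would compare the DER-encoded Name fields taken from the certificates themselves rather than decoded pairs.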