[cabfpub] Ballot 148 - Issuer Field Correction (rev 1)

Ryan Sleevi sleevi at google.com
Thu Apr 2 23:53:23 UTC 2015 

With the ballot issues corrected below (which I think is correct from
intent, but not wording), Google votes YES


On Thu, Apr 2, 2015 at 9:14 AM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

>
> 1) Replace Section 9.1 with the following:
>
> "9.1 Issuer Information
>
> The content of the Certificate Issuer Distinguished Name field MUST match
> the Subject DN of the Issuing CA to support Name chaining as specified in
> RFC 5280, section 4.1.2.4."
>
>
>
> 2) Move Section 9.2.2 to 9.2.2(a) and renumber the subsequent sections as
> b-i.
>

This should read 9.2.4(a). Though you renumber 9.2.4 as 9.2.2 in Step 4
(below), it's not clear at the time you execute *this* step that you're
moving "9.2.2 Subject Common Name Field" to be "9.2.4 Subject Distinguished
Name Fields (a) Certificate Field: subject:commonName" before renumbering
9.2.4 as 9.2.2 below.


>
>
> 3) Delete Section 9.2.3.
>
>
>
> 4) Renumber 9.2.4 as 9.2.2.
>
>
>
> 5) In section 9.2, edit section reference “9.2.2” to “9.2.2 (a)”
>
>
>
> 6) Update section references 9.2.4 (f) to 9.2.2.(g) and 9.2.4 to 9.2.2
> throughout document.
>
>
>
> 7) In Appendix B (Certificate Content and Extensions), Item (1) Root CA
> Certificates, add
>
> F. Subject Information
>
> The Certificate Subject MUST contain the following
>
> - countryName (OID 2.5.4.6).  This field MUST contain the two-letter ISO
> 3166-1 country code for the country in which the CA’s place of business is
> located.
>
> - organizationName (OID 2.5.4.10). This field MUST contain the name (or
> abbreviation thereof), trademark, or other meaningful identifier for the
> CA, provided that they accurately identify the CA.  The field MUST NOT
> contain exclusively a generic designation such as “Root 1”.
>

Should this be E. Subject Information?

As far as I can tell from
https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf , D is the last
subitem here.


>
>
> 8) In Appendix B (Certificate Content and Extensions), Item (2)
> Subordinate CA Certificate, add
>
> H. The Certificate Subject MUST contain the following
>
> - countryName (OID 2.5.4.6).  This field MUST contain the two-letter ISO
> 3166-1 country code for the country in which the CA’s place of business is
> located.
>
> - organizationName (OID 2.5.4.10). This field MUST contain the name (or
> abbreviation thereof), trademark, or other meaningful identifier for the
> CA, provided that they accurately identify the CA.  The field MUST NOT
> contain exclusively a generic designation such as “CA1”.
>
>
>


As ballots go, I think it's weird to split the normative requirements for
subject names between Appendix B and Section 9.2, but I'm willing to live
with it to correct the obvious issues.

It seems like you could have structured countryName / organizationName as
Required if the basicConstraints extension is present and has a value for
cA is True [Alternatively, Required if the Certificate is a Root or
Subordinate CA Certificate]
Optional if the basicConstraints extension is absent or if the value for cA
is the default value, False [Alternatively, Optional if the Certificate is
neither a Root nor Subordinate CA Certificate]

Along with their normative content

But that's neither here nor there
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150402/1788c26e/attachment-0003.html>

More information about the Public mailing list