[cabfpub] Ballot 148 - Issuer Field Correction (rev 1)

Fri Apr 3 16:17:23 UTC 2015

I’m sorry, this vote was received after the ballot closed and will not be counted.

Dean

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Thursday, April 02, 2015 7:53 PM
To: Doug Beattie
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 148 - Issuer Field Correction (rev 1)

With the ballot issues corrected below (which I think is correct from intent, but not wording), Google votes YES

On Thu, Apr 2, 2015 at 9:14 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:

1) Replace Section 9.1 with the following: 

"9.1 Issuer Information 

The content of the Certificate Issuer Distinguished Name field MUST match the Subject DN of the Issuing CA to support Name chaining as specified in RFC 5280, section 4.1.2.4." 

2) Move Section 9.2.2 to 9.2.2(a) and renumber the subsequent sections as b-i.

This should read 9.2.4(a). Though you renumber 9.2.4 as 9.2.2 in Step 4 (below), it's not clear at the time you execute *this* step that you're moving "9.2.2 Subject Common Name Field" to be "9.2.4 Subject Distinguished Name Fields (a) Certificate Field: subject:commonName" before renumbering 9.2.4 as 9.2.2 below.

3) Delete Section 9.2.3. 

4) Renumber 9.2.4 as 9.2.2. 

5) In section 9.2, edit section reference “9.2.2” to “9.2.2 (a)”

6) Update section references 9.2.4 (f) to 9.2.2.(g) and 9.2.4 to 9.2.2 throughout document.

7) In Appendix B (Certificate Content and Extensions), Item (1) Root CA Certificates, add 

F. Subject Information

The Certificate Subject MUST contain the following

- countryName (OID 2.5.4.6).  This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.  

- organizationName (OID 2.5.4.10). This field MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA.  The field MUST NOT contain exclusively a generic designation such as “Root 1”.

Should this be E. Subject Information?

As far as I can tell from https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf , D is the last subitem here.

8) In Appendix B (Certificate Content and Extensions), Item (2) Subordinate CA Certificate, add 

H. The Certificate Subject MUST contain the following

- countryName (OID 2.5.4.6).  This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.  

- organizationName (OID 2.5.4.10). This field MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA.  The field MUST NOT contain exclusively a generic designation such as “CA1”.

As ballots go, I think it's weird to split the normative requirements for subject names between Appendix B and Section 9.2, but I'm willing to live with it to correct the obvious issues.

It seems like you could have structured countryName / organizationName as

Required if the basicConstraints extension is present and has a value for cA is True [Alternatively, Required if the Certificate is a Root or Subordinate CA Certificate]

Optional if the basicConstraints extension is absent or if the value for cA is the default value, False [Alternatively, Optional if the Certificate is neither a Root nor Subordinate CA Certificate]

Along with their normative content

But that's neither here nor there

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150403/c17919ff/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6130 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150403/c17919ff/attachment-0001.p7s>