[cabfpub] [CABFORUM] Re: Intermediate certificate names
jeremy.rowley at digicert.com
Wed Mar 11 08:50:57 MST 2015
I don't think this revision solves the issue described by Richard. The language "the Common Name field MUST include a name that accurately identifies the Issuing CA"is leading to different requirements from different auditors.
From: Peter Bowen [mailto:pzbowen at gmail.com]
Sent: Wednesday, March 11, 2015 9:44 AM
To: Doug Beattie
Cc: Ryan Sleevi; Jeremy Rowley; Geoff Keating; public at cabforum.org
Subject: [CABFORUM] Re: [cabfpub] Intermediate certificate names
On Wed, Mar 11, 2015 at 7:38 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> I don’t think we've removed the requirements for what goes into CA certificates. Attempting to describe what goes into the issuer field is not relevant, it MUST be the same as the Subject DN of the issuing CA, there are no other options. Given this, a good description of what can go into the subject DN of certificates (CAs and SSL) is a good idea. But, do we need to go further than what is documented today (CAs must follow their CPS when issuing subordinate CAs)? This task was primarily driven by a recent audit finding for one CA which the other CAs do not believe is a finding, so clarifying the misleading section seems like the best immediate solution. I think the auditor will reverse his findings based on this update (which is the goal of this proposed ballot).
Assuming the audit finding was related to the content of the Issuer field of certificates, I think simply moving the CA naming requirements to the Subject field should resolve the issue. I don't think it is unreasonable to require that any new certificates issued with CA:TRUE have to contain certain fields in their subject. With this ballot, I think I could write a CPS that says "each Subordinate CA certificate must contain a x500UniqueIdentifier in the Subject DN"
and have a CA that simply has
/x500UniqueIdentifier=#19173ac02791420b8388339374ad6188 as its name.
I've attached an alternative marked up version that has fewer changes but probably also would resolve the audit finding.
More information about the Public