[cabfpub] [CABFORUM] Re: Ballot 148 - Issuer Field Correction

Doug Beattie doug.beattie at globalsign.com
Thu Mar 19 16:03:44 UTC 2015


Peter,

Would putting this in Appendix B (Root and Sub CA subsections) be a good location?

I could not find a reference to the max validity period for roots and sub CAs, is that only in the Root agreements?

Doug

> -----Original Message-----
> From: Peter Bowen [mailto:pzbowen at gmail.com]
> Sent: Thursday, March 19, 2015 11:42 AM
> To: Doug Beattie; Ryan Sleevi
> Cc: public at cabforum.org
> Subject: [CABFORUM] Re: [cabfpub] Ballot 148 - Issuer Field Correction
> 
> Doug,
> 
> I have seen comment elsewhere that all CAs should have to include at least
> Country Name (ISO 3166-1 alpha-2 code) and Organization Name (without
> prejudice to the content other than not being empty) in their Issuer Distinguished
> Name, and that this ballot would effectively remove such requirement.
> 
> This was in response to my suggestion that a root could be called "/CN=Eggman
> Root CA 1" with a subordinate named "/O=Eggman/OU=Internet Authority 1B".
> 
> I think it is worth noting that "/C=QQ/O=Eggman/OU=Root CA 1" is 52 bytes in
> DER while "/CN=Eggman Root CA " is only 29 bytes.  33 bytes is not huge, but
> every byte counts when you multiply it by the millions of times those bytes are
> sent.
> 
> If there is going to be any requirement on the attribute types that must be
> present in a CA's DN, then I would hope that such is reflected in the ballot.
> 
> Thanks,
> Peter
> 
> 
> On Thu, Mar 19, 2015 at 8:19 AM, Doug Beattie
> <doug.beattie at globalsign.com> wrote:
> > Hi Peter,
> >
> >
> >
> > I agree, section 9.2 of the EV guidelines needs to be updated as well,
> > it’s confusing and inaccurate and will lead to other audit findings
> > which can be avoided.
> >
> >
> >
> > Doug
> >
> >
> >
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Ryan Sleevi
> > Sent: Tuesday, March 17, 2015 6:58 PM
> > Cc: public at cabforum.org
> > Subject: Re: [cabfpub] Ballot 148 - Issuer Field Correction
> >
> >
> >
> > Forwarding for Peter
> >
> >
> >
> > On Tue, Mar 17, 2015 at 2:56 PM, Peter Bowen <pzbowen at gmail.com>
> wrote:
> >
> > On Wed, Mar 11, 2015 at 4:28 PM, Doug Beattie
> > <doug.beattie at globalsign.com> wrote:
> >> Ballot 148 - Issuer Field Correction
> >>
> >> The issuer field language in Section 9.1 of the Baseline Requirements
> >> confuses two issues:
> >>
> >> 1) the contents of the issuer field in an end entity cert and
> >>
> >> 2) how to name root and intermediate CA certificates.
> >
> > Maybe worth an independent discussion, but the EV Guidelines also
> > claim to cover subordinate CA naming in section 9.2:
> >
> > "Subject to the requirements of these Guidelines, [...] certificates
> > issued to Subordinate CAs that are not controlled by the same entity
> > as the CA MUST include the following information about the Subject
> > organization in the fields listed"
> >
> > The Subordinate CA definition is "A Certification Authority whose
> > Certificate is signed by the Root CA, or another Subordinate CA."
> >
> > Looking at the Pilot CT log, there are zero CAs who have a
> > businessCategory attribute in their name, yet businessCategory is a
> > required attribute in section 9.2.
> >
> > Was 9.2 really intended to apply to Subordinate CAs?  Is this just
> > another thing waiting for an auditor to call out and start issuing
> > qualifications?
> >
> > Thanks,
> > Peter
> >
> >
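
The DER sizes of the CA names mentioned in this thread can be measured with a small encoder. This is an added example, not part of any message in the thread; it assumes one attribute per RDN and PrintableString values, and its function names are hypothetical.

```python
# Added example: minimal DER encoder for an X.501 Name (RDNSequence).
# Assumptions: one attribute per RDN, every value a PrintableString.
import string

# Attribute type -> content bytes of its OID (2.5.4.x)
OIDS = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06",
        "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content

def parse_dn(text):
    """Split an OpenSSL-style '/C=QQ/O=Eggman' string into (type, value) pairs."""
    pairs = []
    for part in text.strip("/").split("/"):
        attr, sep, value = part.partition("=")
        if not sep or attr not in OIDS:
            raise ValueError(f"unsupported attribute in {part!r}")
        if not value or not set(value) <= PRINTABLE:
            raise ValueError(f"value is not a PrintableString: {value!r}")
        pairs.append((attr, value))
    return pairs

def encode_name(text):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }"""
    rdns = b""
    for attr, value in parse_dn(text):
        atv = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(0x13, value.encode("ascii")))
        rdns += tlv(0x31, atv)  # SET wrapping a single AttributeTypeAndValue
    return tlv(0x30, rdns)

if __name__ == "__main__":
    # Names taken from the thread; sizes are computed, not hard-coded.
    for dn in ("/C=QQ/O=Eggman/OU=Root CA 1", "/CN=Eggman Root CA 1",
               "/O=Eggman/OU=Internet Authority 1B"):
        print(len(encode_name(dn)), dn)
```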