[cabfpub] Draft Ballot - Subject Common and Alternative Names

Ryan Sleevi sleevi at google.com
Mon Apr 18 00:23:17 MST 2016


On Sat, Apr 16, 2016 at 1:10 PM, Peter Bowen <pzb at amzn.com> wrote:

> 4.1.2.6 also says:
>
>    If subject
>    naming information is present only in the subjectAltName extension
>    (e.g., a key bound only to an email address or URI), then the subject
>    name MUST be an empty sequence and the subjectAltName extension MUST
>    be critical.
>
> This implies that those of us creating a CN-only subject for server auth certs are not following RFC 5280.
>
I'm not sure why you reach that conclusion. Subject naming information is
present in the subject, for those systems not following RFC 2818 - that is,
the CN contains subject naming information.


> So including other info not only ensures the subject will not be empty without CN but also ensures that other subject naming information is present.  Looking at the list of attribute types that are listed as MUST be supported by software using certs, distinguished name qualifier (dnQualifier) seems like the best candidate for an attribute to add to the SII exclusion list.  X.520 says:
>
> "The DN Qualifier attribute type specifies disambiguating information to add to the relative distinguished name of an
> entry. It is intended to be used for entries held in multiple DSAs which would otherwise have the same name, and that its
> value be the same in a given DSA for all entries to which this information has been added."
>
> This seems ideal — each CA defines a dnQualifier, either per CA or one shared by a group of CAs all sharing a single DSA/DIT.  It is a printableString, so easily supports inclusion of a space to ensure that the dnQualifier is not confused with a valid hostname.
>
> Does adding dnQualifier to the list of things not considered subject identity information make sense?
>
That sounds reasonable.
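The points discussed above (a CN-only subject, a CA-chosen dnQualifier encoded as a PrintableString containing a space, and the RFC 5280 rule that an empty subject requires a critical subjectAltName) can be made concrete with a small amount of code. The following is an added example and is not from this thread or from any CA/Browser Forum document: it hand-rolls just enough DER to build an X.501 Name with commonName and dnQualifier attributes, rejects dnQualifier values that could pass as hostnames, and runs the §4.1.2.6/§4.2.1.6 consistency check. All string values, the function names and the checks are constructed for illustration; the OIDs are the standard ones.

```python
# Added example (not from the thread): minimal DER for an X.501 Name with
# CN + dnQualifier, plus the RFC 5280 empty-subject / critical-SAN check.
# Standard library only; the ASN.1 subset is hand-rolled, not a real library.
import string

OID_CN = "2.5.4.3"             # commonName
OID_DN_QUALIFIER = "2.5.4.46"  # dnQualifier (X.520), encoded as PrintableString

# Alphabet of ASN.1 PrintableString (X.680); note that space is permitted.
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
# Characters that can appear in a DNS hostname.
HOSTNAME_CHARS = set(string.ascii_letters + string.digits + "-.")


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def printable_string(value):
    """DER PrintableString; rejects characters outside the X.680 alphabet."""
    bad = set(value) - PRINTABLE
    if bad:
        raise ValueError("not a PrintableString: %r" % sorted(bad))
    return _tlv(0x13, value.encode("ascii"))


def utf8_string(value):
    return _tlv(0x0C, value.encode("utf-8"))


def encode_name(attributes):
    """DER X.501 Name: SEQUENCE OF RDN, each RDN a SET OF one AttributeTypeAndValue.
    attributes: list of (dotted_oid, der_encoded_value); [] gives the empty Name."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _oid(oid) + val)) for oid, val in attributes)
    return _tlv(0x30, rdns)


def could_be_hostname(value):
    """True if the string uses only hostname characters, i.e. a relying party that
    wrongly treats any subject attribute as a DNS name could accept it as one."""
    return bool(value) and set(value) <= HOSTNAME_CHARS


def subject_with_dn_qualifier(cn, qualifier):
    """CN plus a CA-chosen dnQualifier, as proposed in the thread. The qualifier
    must contain a character illegal in hostnames (the thread suggests a space)."""
    if could_be_hostname(qualifier):
        raise ValueError("dnQualifier %r could be mistaken for a hostname" % qualifier)
    return encode_name([(OID_CN, utf8_string(cn)),
                        (OID_DN_QUALIFIER, printable_string(qualifier))])


def subject_is_empty(name_der):
    return name_der == b"\x30\x00"


def rfc5280_subject_problems(name_der, san_present, san_critical):
    """RFC 5280 §4.1.2.6 / §4.2.1.6: an empty subject is allowed only when a
    critical subjectAltName carries the naming information. Returns violations."""
    problems = []
    if subject_is_empty(name_der):
        if not san_present:
            problems.append("empty subject but no subjectAltName extension")
        elif not san_critical:
            problems.append("empty subject requires a critical subjectAltName")
    return problems


if __name__ == "__main__":
    # Constructed values for demonstration only.
    print(subject_with_dn_qualifier("example.com", "Example CA 1").hex())
    print(rfc5280_subject_problems(encode_name([]), san_present=True, san_critical=False))
```

The hostname check in `subject_with_dn_qualifier` encodes the thread's reasoning for putting a space in the qualifier: a value drawn only from hostname characters gives no protection against software that matches any subject attribute against the server name, whereas a space can never be part of a valid DNS name.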