[cabfpub] Draft Ballot - Subject Common and Alternative Names

Ryan Sleevi sleevi at google.com
Fri Apr 15 06:22:19 UTC 2016

On Thu, Apr 14, 2016 at 10:28 PM, Peter Bowen <pzb at amzn.com> wrote:

> I know at least some platforms had issues with empty subject names.

That's a good point. For example, OS X has this limitation: a leaf
certificate with an empty distinguished name but with
subjectAlternativeName as a non-critical extension will be rejected.
Similarly, a leaf certificate that asserts the CA bit with an empty subject
will also be rejected, unless it's flagged as accepted that the leaf can be
a CA (mostly, this arises with self-signed certs).

In an ideal world where we valued security over legacy, we would REQUIRE
that subscriber certificates assert subjectAlternativeName as critical, to
ensure (as best possible) that clients properly implemented sAN as the bare
minimum for security, but I can understand that some people aren't ready to
move off their insecure systems (cf. SHA-1).

> Right now only Common Name is carved out from "Subject Identity
> Information", so another attribute type will probably need to be added to
> the carve out to allow CAs to issue a "Certificate complies with these
> Requirements but lacks Subject Identity Information" and works with common
> clients.  I think there also needs to be a clear definition of what goes in
> that attribute when there is no subject identity asserted.

I can get behind that argument.