[cabfpub] Subject field of Subordinate CAs

Peter Bowen pzb at amzn.com
Sat Jan 16 00:02:55 UTC 2016


> On Jan 15, 2016, at 3:38 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
> 
> We think that the language in BR Section 7.1.2.2 h, which applies to the Subject field of Subordinate CA certificates, is vague and potentially misleading. It currently says:
> 
> The Certificate Subject MUST contain the following:
> -          countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO 3166‐1 country code for the country in which the CA’s place of business is located.
> -          organizationName (OID 2.5.4.10). This field MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA.
> The field MUST NOT contain exclusively a generic designation such as “CA1”.
> 
> The words “meaningful”, “accurately identify” and “generic” are subjective, and we think that allowing the use of a trademark further leads to confusion.
> 
> We were recently approached by a customer who wanted a Subordinate CA certificate that contained one of their trademarks. Even though we were able to verify that they owned the trademark in their country, we felt it was generic and violated the spirit of 7.1.2.2.
> 
> To clarify this section, we’re thinking of proposing a ballot to remove the word “trademark”, and require that the organizationName be vetted in accordance with Section 3.2.2.

I think this is reasonable as long as the name can be that of a Parent Company, Subsidiary Company, or Affiliate in addition to the direct customer (e.g, same as 3.2.2.4).

> However, we see that 3.2.2.2 allows a DBA or Tradename to be used. We may also want to consider removing that from the BRs.

DBA and Tradename are very different from trademarks.  I think it would be a huge disservice to remove these as it would mean many common shops would not be able to use their name, both companies big and small.  If owner runs it as a sole proprietorship, they should be able to use their commonly known store name (registered with the state) rather than their personal name.

> By way of example, suppose a company gets a trademark for the term “Certification Authority” in their country, is that permissible to put in the Subject Organizational Name of an end-entity or Subordinate CA certificate?

Today they would not be allowed to put that in an end-entity certificate unless it was also registered as a tradename or DBA with their secretary of corporations or equivalent.  I agree subjective rules are non-desirable, but I don’t have a strong preference on whether a CA-certificate should be allowed to have O=Certification Authority in the case you mention.

Thanks,
Peter


More information about the Public mailing list