[cabfpub] [EXTERNAL]Re: Ballot 199 - Require commonName in Root and Intermediate Certificates
Ryan Sleevi
sleevi at google.com
Wed Apr 26 11:20:29 MST 2017
On Wed, Apr 26, 2017 at 2:17 PM, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
> Our software does not support changing the identity of a CA when you issue
> it a new certificate. I assume that this is similar to issuing passports. When
> an individual gets a passport they put their identity in the passport, when
> they renew their passport, they use the same identity.
>
Right, apologies I wasn't clearer - what's the use case for 'renewing' an
intermediate? What functionality are you achieving versus, say, naming it
as a new intermediate?
> We do use CNs for subordinate CAs and the CNs are unique per CA. We do not
> use unique CNs per CA certificate.
>
> Please also note that the unique CN is also for a unique private key.
>
Right, that's the bit of unnecessary complexity that I think is harmful
(and can think of a variety of situations where it's caused a Bad Result
for Security).