[cabfpub] Require commonName in Root and Intermediate Certificates ballot draft (2)

Ryan Sleevi sleevi at google.com
Mon Apr 17 15:24:14 UTC 2017

On Mon, Apr 17, 2017 at 11:16 AM, Dimitris Zacharopoulos via Public <
public at cabforum.org> wrote:
> When a CA is being audited for a period-in-time (say June 2016 - June
> 2017), they are usually audited against an audit criteria (Webtrust or
> ETSI) that incorporate a certain version of the BRs, usually not the
> latest. If they are audited with the latest version of the BRs that don't
> take into consideration a transition phase for some cases like the
> timestamping issuance or the Intermediate CA Certificate without a CN, it
> might lead to problems.
> For example, if a CA issued an Intermediate CA Certificate in August 2016
> without a CN, and the BRs were updated in May 2017, when the auditor comes
> in at the end of the audit period in June 2017 and checks everything
> against the latest BRs, they will consider the Intermediate CA issued in
> August 2016 as being mis-issued. Of course the CA can explain to the
> auditors that the BRs changed in May 2017 and enter a discussion with them
> but why shouldn't we try to avoid this?

The Scottsdale F2F identified this is not the case for WebTrust audits. Do
you believe it to be the case for ETSI?

In both cases, the governing section is Section 2.2 of the BRs. I'm unaware
of any auditor who has done what you have said, and we've explicitly heard
statements that contradict your summary, so it would be useful if you can
share any data, either with the Forum or to the Browser members. In the
absence of that evidence, I don't believe you've summarized correctly.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170417/dac487a9/attachment-0003.html>

More information about the Public mailing list