[cabfpub] Require commonName in Root and Intermediate Certificates ballot draft (2)

Ryan Sleevi sleevi at google.com
Thu Apr 20 16:29:33 UTC 2017

On Thu, Apr 20, 2017 at 12:24 PM, Gervase Markham <gerv at mozilla.org> wrote:

> Sure. That's what my rules say too. But how does this apply to actions
> which are not part of certificate issuance? This is why I felt a
> generalisation of the rule was needed.

Data gathering and verification are very much parts of certificate
issuance. So is operation of an OCSP responder or issuance of CRLs, or the
maintenance of audit logs.

The default is that, at any point in time, everything the CA does must be
consistent with the current and complete text. If the text says information
can be reused, then it can only be reused if and only if it's consistent
with the text. If the text explicitly defines ways in which can be reused -
for example, using 'until' or 'prior' - then it's consistent with the text.
In the absence of that, the resolution of any ambiguity must be "Can
everything involved in the production of this certificate, all information
attested in it, and all operations performed by the CA, be demonstrated as
consistent with the current language."

This isn't the first time the Forum has had this discussion. If you recall,
there was quite a similar debate about whether "rekey" constitutes
issuance, with the conclusion being that of course the production of a new
certificate, regardless of the key material being attested, constitutes a
new certificate, and thereby must be compliant with the rules and profiles
of new certificates. Were that not the case, we'd still be seeing SHA-1
certificates signed, as they would be "rekey" operations, not the act of
signing new certificates.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170420/16989179/attachment-0003.html>

More information about the Public mailing list