[cabfpub] [EXTERNAL]Re: Ballot 199 - Require commonName in Root and Intermediate Certificates

Bruce Morton Bruce.Morton at entrustdatacard.com
Wed Apr 26 17:25:51 UTC 2017

Hi Gerv,

I'm also confused by the proposal, so I wanted to discuss our methodology.

From our point of view, we create a subordinate certification authority and give this CA a distinguished name. We use the CN to give the CA a unique identifier, so that the common name will not be mixed up with any other subordinate CAs.

Then we need to give the subordinate CA trust, so we issue it a subordinate CA certificate from a root CA. The subordinate CA certificate will have the same distinguished name.

If for some reason we need to issue the subordinate CA another CA certificate (e.g., the original certificate expires), then the new certificate will have the identical subject name as the original.

I am hoping that this is acceptable and meets your requirements.

Thanks, Bruce.
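The three naming patterns this thread touches on (a subordinate CA re-issued under an identical subject name, several issuers sharing one commonName but differing in the rest of the Name, and the case a uniqueness rule is meant to rule out, two unrelated CAs under one issuer with the same Name) can be told apart mechanically. The following is an added example, not code from the original message or from any CA's tooling; the certificate records, DN strings, key identifiers and serials are constructed, and the "subject key identifier" column stands in for whatever a real audit would use to decide that two certificates belong to the same CA key.

```python
from collections import defaultdict

# Constructed sample records, not real certificates.
# Each record: (issuer DN, subject DN, subject key identifier, serial number)
SAMPLE_CERTS = [
    # One subordinate CA, re-issued once with the identical subject name and the same key
    ("CN=Example Root G2,O=Example Trust,C=US", "CN=Example Sub CA 1,O=Example Trust,C=US", "ski-sub1", "01"),
    ("CN=Example Root G2,O=Example Trust,C=US", "CN=Example Sub CA 1,O=Example Trust,C=US", "ski-sub1", "07"),
    # Same commonName, different Names and different keys (varying only by cryptographic parameters)
    ("CN=Example Root G2,O=Example Trust,C=US", "CN=Example Sub CA 2,OU=RSA 2048,O=Example Trust,C=US", "ski-sub2-rsa", "02"),
    ("CN=Example Root G2,O=Example Trust,C=US", "CN=Example Sub CA 2,OU=ECDSA P-256,O=Example Trust,C=US", "ski-sub2-ec", "03"),
    # Two unrelated CA keys sharing one Name under one issuer: a genuine name collision
    ("CN=Example Root G2,O=Example Trust,C=US", "CN=Example Sub CA 3,O=Example Trust,C=US", "ski-sub3-a", "04"),
    ("CN=Example Root G2,O=Example Trust,C=US", "CN=Example Sub CA 3,O=Example Trust,C=US", "ski-sub3-b", "05"),
    # A subordinate CA certificate with no commonName at all
    ("CN=Example Root G2,O=Example Trust,C=US", "O=Example Trust,C=US", "ski-sub4", "06"),
]


def parse_dn(dn):
    """Split an RFC 4514-style string into a tuple of (TYPE, value) pairs.

    A backslash-escaped comma stays inside its value; other escape forms
    (hex pairs, leading '#') are not handled by this small parser.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return tuple(rdns)


def format_dn(dn):
    """Inverse of parse_dn for normalized output (values are assumed to contain no commas)."""
    return ",".join(f"{t}={v}" for t, v in dn)


def common_name(dn):
    """Return the first CN value in a parsed DN, or None if the Name has no CN."""
    for attr_type, value in dn:
        if attr_type == "CN":
            return value
    return None


def audit_subject_names(certs):
    """Classify subject Names per issuer.

    reissued   - one subject Name, several certificates, all for the same key
    collision  - one subject Name, several certificates, for different keys
    shared_cn  - several distinct Names under one issuer that share a commonName
    missing_cn - a subject Name with no commonName attribute
    """
    by_issuer = defaultdict(lambda: defaultdict(list))
    for issuer, subject, ski, serial in certs:
        by_issuer[parse_dn(issuer)][parse_dn(subject)].append((ski, serial))

    findings = {"reissued": [], "collision": [], "shared_cn": [], "missing_cn": []}
    for subjects in by_issuer.values():
        cn_to_names = defaultdict(set)
        for subject, entries in subjects.items():
            cn = common_name(subject)
            if cn is None:
                findings["missing_cn"].append(format_dn(subject))
            else:
                cn_to_names[cn].add(subject)
            if len(entries) > 1:
                keys = {ski for ski, _ in entries}
                kind = "reissued" if len(keys) == 1 else "collision"
                findings[kind].append(format_dn(subject))
        for cn, names in cn_to_names.items():
            if len(names) > 1:
                findings["shared_cn"].append(cn)
    return findings


if __name__ == "__main__":
    for kind, names in audit_subject_names(SAMPLE_CERTS).items():
        print(f"{kind}: {names}")
```

Run over the constructed records, the audit reports "Example Sub CA 1" as a re-issuance (same Name, same key), "Example Sub CA 3" as a collision (same Name, two keys) and "Example Sub CA 2" as a commonName shared across two distinct Names; the certificate without a CN is listed separately. Which of these a ballot wording permits depends on whether the rule is "unique commonName per issuer" or "unique Name per issuer", and on whether re-issuance of the same CA under its existing Name is treated as one subject or two certificates.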

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Wednesday, April 26, 2017 12:57 PM
To: Peter Bowen <pzb at amzn.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 199 - Require commonName in Root and Intermediate Certificates

On 25/04/17 18:15, Peter Bowen wrote:
> What does "such that the certificate's Name is unique across all
> certificates issued by the issuing certificate" mean? How is this a
> requirement on commonName, if this means the full subject Name?

In the previous discussion, you wrote:

"What is the rationale of requiring a unique commonName attribute per issuer rather than a unique Name per issuer?  Amazon purposefully chose to use the same commonName (but different Names) for issuers that follow the same policy and only vary by cryptographic parameters (e.g. public key algorithm, key size and signature hash algorithm)."

And I said:

"If everyone else is fine with this, I am. (By Name, do you mean DN?)"

No-one else commented, so I just used your words in the ballot - "unique Name per issuer".
