[cabfpub] [EXTERNAL]Re: Ballot 199 - Require commonName in Root and Intermediate Certificates

Ryan Sleevi sleevi at google.com
Wed Apr 26 18:20:29 UTC 2017

On Wed, Apr 26, 2017 at 2:17 PM, Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> Our software does not support change the identity of a CA when you issue
> it a new certificate. I assume that this is similar issuing passports. When
> an individual gets a passport they put their identity in the passport, when
> they renew their passport, they use the same identity.

Right, apologies I wasn't clearer - what's the use case for 'renewing' an
intermediate? What functionality are you achieving versus, say, naming it
as a new intermediate?

> We do use CNs for subordinate CAs and the CNs are unique per CA. We do not
> use unique CNs per CA certificate.
> Please also note that the unique CN is also for a unique private key.

Right, that's the bit of unnecessary complexity that I think is harmful
(and can think of a variety of situations where it's caused a Bad Result
for Security).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170426/a537df42/attachment-0003.html>

More information about the Public mailing list