[cabfpub] Subject attribute proposal

Peter Bowen pzb at amzn.com
Sun Mar 19 23:28:07 UTC 2017


I would like to allow CAs to add a dnQualifier attribute to certificate subjects without it being considered “Subject Identity Information”.

This would require modifying the definition of SII:

Current: Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity
Information does not include a domain name listed in the subjectAltName extension or the Subject
commonName field.

Proposed: Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity
Information does not include a domain name listed in the subjectAltName extension or the Subject
commonName field and does not include any dnQualifier attributes in the Subject.

I would suggest adding a new entry to 7.1.4.2.2:

Certificate Field: subject:dnQualifier (OID: 2.5.4.46)
Optional.
Contents: This field is intended to be used when several certificates with the same subject can be partitioned into sets of related certificates.  Each related certificate set ought to have the same dnQualifier.  The CA may include a dnQualifier attribute with a zero length value to explicitly indicate that the CA makes no assertion about relationship with other certificates with the same subject.  The CA MAY wish to set the dnQualifier value to the base64 encoding of the SHA1 hash of the subjectAlternativeName extnValue if it wishes to indicate grouping of certificates by alternative name set.

Thoughts/opinions?

Thanks,
Peter
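A worked example of the derivation proposed above, added here and not part of Peter's post or any CA's code: it DER-encodes a subjectAltName extnValue holding constructed dNSName entries, takes base64(SHA1(extnValue)) as the grouping value, and wraps it as a dnQualifier AttributeTypeAndValue (X.520 types dnQualifier as PrintableString, which base64 output happens to satisfy). Because the hash covers the encoded bytes, the same names in a different order yield a different dnQualifier; the zero-length "no assertion" form from the proposal is also shown.

```python
import base64
import hashlib

# Characters permitted in an ASN.1 PrintableString (X.680); base64 output fits inside it.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
# DER encoding of OBJECT IDENTIFIER 2.5.4.46 (id-at-dnQualifier): 06 03 55 04 2E
DN_QUALIFIER_OID = bytes.fromhex("060355042e")


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def san_extn_value(dns_names) -> bytes:
    """extnValue content of subjectAltName: GeneralNames SEQUENCE holding
    dNSName entries ([2] IMPLICIT IA5String). Only dNSName is handled here."""
    names = b"".join(_der_tlv(0x82, n.encode("ascii")) for n in dns_names)
    return _der_tlv(0x30, names)


def grouping_dn_qualifier(extn_value: bytes) -> str:
    """Proposed grouping value: base64 of SHA-1 over the extnValue bytes.
    Name order is part of the encoding, so it is part of the hash."""
    return base64.b64encode(hashlib.sha1(extn_value).digest()).decode("ascii")


def dn_qualifier_atv(value: str) -> bytes:
    """AttributeTypeAndValue { type 2.5.4.46, value PrintableString }.
    An empty value is the proposal's explicit 'no assertion' marker."""
    if not set(value) <= PRINTABLE:
        raise ValueError("dnQualifier must be a PrintableString")
    return _der_tlv(0x30, DN_QUALIFIER_OID + _der_tlv(0x13, value.encode("ascii")))


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    ext = san_extn_value(["www.example.com", "example.com"])
    print(grouping_dn_qualifier(ext))          # 28-char base64 SHA-1
    print(dn_qualifier_atv("").hex())           # zero-length dnQualifier
```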

