[cabfpub] [EXT] Re: Ballot 199 - Require commonName in Root and Intermediate Certificates
Ryan Sleevi
sleevi at google.com
Thu May 4 12:30:21 MST 2017
Kirk raised that, but it does not seem to be a founded concern.
1) That requirement applies to all certificates issued against the current
BRs
2) The BRs do not retroactively invalidate - or, especially in the case of
Ballot 197 - approve - certificate issuance.
A CA has always and only been obligated to state compliance with the
in-force BRs with respect to issuance and its activities.
On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <public at cabforum.org>
wrote:
> Gerv, could we also request explicit forward-looking language? Kirk raised
> the concern about whether this applies to existing roots and intermediates.
> We have a root issued in 1997 that does not have a common name. Some
> interpretations have been discussed, but we would strongly prefer that this
> be written into this change for clear future interpretations.
>
> 7.1.4.3. Subject Information – Root Certificates and Subordinate CA
> Certificates
>
> When issuing a Root Certificate or Subordinate CA Certificate, the CA
> represents that it followed the procedure set forth in its Certificate
> Policy and/or Certification Practice Statement to verify that, as of the
> Certificate’s issuance date, all of the Subject Information was accurate
> and included the content required by this section.
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben
> Wilson via Public
> *Sent:* Thursday, May 04, 2017 11:21 AM
> *To:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Cc:* Ben Wilson <ben.wilson at digicert.com>
> *Subject:* [EXT] Re: [cabfpub] Ballot 199 - Require commonName in Root
> and Intermediate Certificates
>
> Two questions, Gerv.
>
> 1 - Does this ballot rule out “vanity CAs” – CAs with customer names in
> the subject field, even though the key is held by the root CA? (I can
> provide further clarification, and/or examples, if necessary.)
>
> 2 - What is the full current wording of Ballot 199?
>
> Thanks,
>
> Ben
>
> *From:* Public [mailto:public-bounces at cabforum.org
> <public-bounces at cabforum.org>] *On Behalf Of *Gervase Markham via Public
> *Sent:* Tuesday, April 25, 2017 9:03 AM
> *To:* CABFPub <public at cabforum.org>
> *Cc:* Gervase Markham <gerv at mozilla.org>
> *Subject:* [cabfpub] Ballot 199 - Require commonName in Root and
> Intermediate Certificates
>
> *Ballot 199 - Require commonName in Root and Intermediate Certificates*
>
> *Purpose of Ballot: *Section 7.1.4.3 of the BRs, which deals with Subject
> Information for Subordinate CA Certificates, currently requires only that
> all information in a Subordinate CA Certificate is accurate; it does not
> say what information is required. Some of the necessary information is
> required elsewhere in the BRs, but it is not complete - commonName is
> missing. If commonName is omitted, DN clashes can more easily occur. So
> this motion centralises that information in the obvious place, and adds a
> commonName requirement.
>
> The following motion has been proposed by Gervase Markham of Mozilla and
> endorsed by Patrick Tronnier of OATI and Ryan Sleevi of Google:
>
> -- MOTION BEGINS --
>
> Make the following changes to the Baseline Requirements:
>
> * Delete 7.1.2.1 (e), which currently defines the Subject Information required in a Root CA Certificate.
>
> * Delete 7.1.2.2 (h), which currently defines the Subject Information required in a Subordinate CA Certificate.
>
> * Rename section 7.1.4.2, currently titled "Subject Information", to "Subject Information - Subscriber Certificates".
>
> * Rename section 7.1.4.3, currently titled "Subject Information - Subordinate CA Certificates" to "Subject Information - Root Certificates and Subordinate CA Certificates".
>
> * Based on the style used in 7.1.4.2.2 and the content from the now-deleted 7.1.2.1 (e) and 7.1.2.2 (h), add the following section 7.1.4.3.1:
>
> 7.1.4.3.1 Subject Distinguished Name Fields
>
> a. Certificate Field: subject:commonName (OID 2.5.4.3)
> Required/Optional: Required
> Contents: This field MUST be present and the contents MUST be an identifier
> for the certificate such that the certificate's Name is unique across all
> certificates issued by the issuing certificate.
>
> b. Certificate Field: subject:organizationName (OID 2.5.4.10)
> Required/Optional: Required
> Contents: This field MUST be present and the contents MUST contain
> either the Subject CA’s name or DBA as verified under Section 3.2.2.2.
> The CA may include information in this field that differs slightly from
> the verified name, such as common variations or abbreviations, provided
> that the CA documents the difference and any abbreviations used are
> locally accepted abbreviations; e.g., if the official record shows
> “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or
> “Company Name”.
>
> c. Certificate Field: subject:countryName (OID: 2.5.4.6)
> Required/Optional: Required
> Contents: This field MUST contain the two-letter ISO 3166-1 country code
> for the country in which the CA’s place of business is located.
>
> -- MOTION ENDS --
>
> The procedure for approval of this Final Maintenance Guideline ballot is
> as follows (exact start and end times may be adjusted to comply with
> applicable Bylaws and IPR Agreement):
>
>
> BALLOT 199                                    Start time (23:00 UTC)                  End time (23:00 UTC)
> Status: Final Maintenance Guideline
>
> Discussion (7 to 14 days)                     25 Apr                                  2 May
>
> Vote for approval (7 days)                    2 May                                   9 May
>
> If vote approves ballot: Review Period        Upon filing of Review Notice by Chair   30 days after filing of Review
> (Chair to send Review Notice) (30 days).                                              Notice by Chair
> If Exclusion Notice(s) filed, ballot approval
> is rescinded and PAG to be created.
> If no Exclusion Notices filed, ballot becomes
> effective at end of Review Period.
>
> From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final
> Maintenance Guideline, such ballot will include a redline or comparison
> showing the set of changes from the Final Guideline section(s) intended to
> become a Final Maintenance Guideline, and need not include a copy of the
> full set of guidelines. Such redline or comparison shall be made against
> the Final Guideline section(s) as they exist at the time a ballot is
> proposed, and need not take into consideration other ballots that may be
> proposed subsequently, except as provided in Bylaw Section 2.3(j).
>
>
> Votes must be cast by posting an on-list reply to this thread on the
> Public list. A vote in favor of the motion must indicate a clear 'yes' in
> the response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period
> will be counted. Voting members are listed here:
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes cast
> by members in the browser category must be in favor. Quorum is shown on
> CA/Browser Forum wiki. Under Bylaw 2.2(g), at least the required quorum
> number must participate in the ballot for the ballot to be valid, either by
> voting in favor, voting against, or abstaining.
>
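As an added illustration, not part of this thread or of any CA's own tooling, here is a Python check of the three subject fields the proposed 7.1.4.3.1 text requires (commonName, organizationName, countryName), plus the issuer-scoped Name-clash check that the ballot's rationale for requiring commonName alludes to. The DN representation as a tuple of (oid, value) pairs, and all sample names, are assumptions constructed for the example.

```python
"""Check CA-certificate subject DNs against the three 7.1.4.3.1 fields in
Ballot 199 and flag Name clashes among certificates from the same issuer.
A DN is an ordered tuple of (oid, value) pairs (an assumption of this example)."""
import re
from collections import defaultdict

OID_CN, OID_O, OID_C = "2.5.4.3", "2.5.4.10", "2.5.4.6"
# Format check only: membership in the actual ISO 3166-1 list is not verified.
ALPHA2 = re.compile(r"^[A-Z]{2}$")

def attr_values(dn, oid):
    """All values of one attribute type in the DN, in order."""
    return [v for o, v in dn if o == oid]

def check_ca_subject(dn):
    """List 7.1.4.3.1 violations for a Root/Subordinate CA subject (empty = compliant)."""
    problems = []
    if not any(v.strip() for v in attr_values(dn, OID_CN)):
        problems.append("commonName (2.5.4.3) missing or empty")
    if not any(v.strip() for v in attr_values(dn, OID_O)):
        problems.append("organizationName (2.5.4.10) missing or empty")
    country = attr_values(dn, OID_C)
    if not country:
        problems.append("countryName (2.5.4.6) missing")
    elif not ALPHA2.match(country[0]):
        problems.append("countryName %r is not a two-letter ISO 3166-1 code" % country[0])
    return problems

def find_name_clashes(certs):
    """Map issuer DN -> subject DNs that appear more than once under that issuer.
    This is the clash the ballot says omitting commonName makes more likely."""
    counts = defaultdict(lambda: defaultdict(int))
    for issuer, subject in certs:
        counts[issuer][subject] += 1
    return {iss: [s for s, n in subs.items() if n > 1]
            for iss, subs in counts.items() if any(n > 1 for n in subs.values())}

# Constructed sample names, not real certificates.
ROOT = ((OID_C, "US"), (OID_O, "Example Trust Inc."), (OID_CN, "Example Root CA"))
GOOD_SUB = ((OID_C, "US"), (OID_O, "Example Trust Inc."), (OID_CN, "Example Issuing CA 1"))
NO_CN_SUB = ((OID_C, "US"), (OID_O, "Example Trust Inc."))  # legacy CA with no CN
BAD_C_SUB = ((OID_C, "USA"), (OID_O, "Example Trust Inc."), (OID_CN, "Example Issuing CA 2"))
SAMPLE_CERTS = [(ROOT, GOOD_SUB), (ROOT, NO_CN_SUB), (ROOT, NO_CN_SUB), (ROOT, BAD_C_SUB)]

if __name__ == "__main__":
    for _, subject in SAMPLE_CERTS:
        print(subject, "->", check_ca_subject(subject) or "OK")
    print("clashes:", find_name_clashes(SAMPLE_CERTS))
```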