[cabfpub] [EXT] Re: Ballot 199 - Require commonName in Root and Intermediate Certificates

Ryan Sleevi sleevi at google.com
Thu May 4 13:06:48 MST 2017


How so? The Ballot only applies to the profile of the issuance of
roots/sub-CAs, not from.

If it applied to from, the existing BRs would already rule out a number of
members' roots and intermediates :)


On Thu, May 4, 2017 at 4:04 PM, Geoff Keating <geoffk at apple.com> wrote:

>
> On 4 May 2017, at 12:30 pm, Ryan Sleevi via Public <public at cabforum.org>
> wrote:
>
> Kirk raised that, but it does not seem to be a founded concern.
>
> 1) That requirement applies to all certificates issued against the current
> BRs
> 2) The BRs do not retroactively invalidate - or, especially in the case of
> Ballot 197 - approve - certificate issuance.
>
> A CA has always and only been obligated to state compliance with the
> in-force BRs with respect to issuance and its activities.
>
>
> In this context, saying the BRs apply to ‘all certificates issued’ might
> mean that you could no longer issue a certificate against a root without a
> common name, and so cannot renew any sub-CAs.
>
> On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <
> public at cabforum.org> wrote:
>
>> Gerv, could we also request explicit forward-looking language? Kirk
>> raised the concern about whether this applies to existing roots and
>> intermediates. We have a root issued in 1997 that does not have a common
>> name. Some interpretations have been discussed, but we would strongly
>> prefer that this be written into this change for clear future
>> interpretations.
>>
>>
>>
>> If I may:
>>
>>
>>
>> 7.1.4.3. Subject Information – Root Certificates and Subordinate CA
>> Certificates
>>
>> When issuing a Root Certificate or Subordinate CA Certificate, the CA
>> represents that it followed the procedure set forth in its Certificate
>> Policy and/or Certification Practice Statement to verify that, as of the
>> Certificate’s issuance date, all of the Subject Information was accurate
>> and included the content required by this section.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170504/876b4834/attachment.html>


More information about the Public mailing list