[cabfpub] Ballot 199 - Require commonName in Root and Intermediate Certificates
Ben Wilson
ben.wilson at digicert.com
Fri May 5 11:22:11 MST 2017
I think this ties into the discussions we've been having in the Certificate Policy WG about "CA" vs. "CA Operator".
-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Friday, May 5, 2017 12:00 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>; Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabfpub] Ballot 199 - Require commonName in Root and Intermediate Certificates
Ben,
That language is already in the BRs. It is unchanged in this ballot.
Thanks,
Peter
> On May 5, 2017, at 10:57 AM, Ben Wilson via Public <public at cabforum.org> wrote:
>
> Gerv,
>
> I think this still presents problems for vanity CAs. I can agree with the need to validate the entity in the O field (i.e. that the root CA has permission to create a CA with the sub CA's tradename), but I would want to preserve some flexibility. Right now, the language I'm concerned about says, "This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2." How strictly will this be interpreted / applied?
> Also, I assume an internally operated CA with a vanity CA name would still be included in the root CA's audits, but what BR-related obligations might be unintentionally incurred by the entity listed in the O field?
>
> Ben
>
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Friday, May 5, 2017 7:23 AM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Ballot 199 - Require commonName in Root and
> Intermediate Certificates
>
> On 04/05/17 16:20, Ben Wilson wrote:
>> 1 - Does this ballot rule out “vanity CAs” – CAs with customer names
>> in the subject field, even though the key is held by the root CA? (I
>> can provide further clarification, and/or examples, if necessary.)
>
> I don't think so. It doesn't mandate the contents of the CN field other than a SHOULD-based uniqueness constraint.
>
>> 2 - What is the full current wording of Ballot 199?
>
> It is as posted on 25th April, but with a MUST changed to a SHOULD. I will send out a full copy.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
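As an added example (not from this thread, and not the Forum's or any CA's own tooling), a shell lint for the subject rules the thread is discussing: commonName present, organizationName present, and the SHOULD-level uniqueness of commonName across a set of CA certificates. It assumes the openssl CLI is available; the four certificates are constructed test data, including a vanity-style CA carrying only an O field and a second CA that reuses the root's commonName.

```shell
#!/bin/sh
# Added example, not from the thread: lint CA certificate subjects against the
# rules discussed for Ballot 199. Assumes the openssl CLI; every certificate
# below is constructed test data, not a real CA certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: constructed self-signed CA certificate in $WORK/NAME.pem
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 1 -subj "$2" \
    -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
}

# subject_field CERT ATTR: values of ATTR (CN, O, ...) in CERT's subject, one per line
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^ *$2=//p"
}

# check_ca_subject CERT: one finding per line; prints nothing when the subject complies.
# Only CA certificates (basicConstraints CA:TRUE) are in the ballot's scope.
check_ca_subject() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
    || { echo "$1: not a CA certificate, out of scope"; return 0; }
  [ -n "$(subject_field "$1" CN)" ] \
    || echo "$1: commonName missing (MUST be present in root/intermediate certificates)"
  [ -n "$(subject_field "$1" O)" ] \
    || echo "$1: organizationName missing (MUST contain the verified CA name or DBA)"
}

# duplicate_cns CERT...: commonNames shared by more than one certificate
# (the ballot's SHOULD-level uniqueness constraint)
duplicate_cns() {
  for c in "$@"; do subject_field "$c" CN; done | sort | uniq -d
}

# Constructed test set: a compliant root and issuing CA, a vanity-style CA with
# no CN, and a second CA reusing the root's commonName.
make_ca root   "/O=Example CA Inc/CN=Example Root CA"
make_ca issue1 "/O=Example CA Inc/CN=Example Issuing CA 1"
make_ca vanity "/O=Vanity Customer Ltd"
make_ca dupcn  "/O=Other CA Corp/CN=Example Root CA"

for c in root issue1 vanity dupcn; do check_ca_subject "$WORK/$c.pem"; done
echo "duplicate commonNames: $(duplicate_cns "$WORK"/*.pem)"
```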