[cabfpub] [EXT] Re: Ballot 199 - Require commonName in Root and Intermediate Certificates

Geoff Keating geoffk at apple.com
Thu May 4 20:04:18 UTC 2017


> On 4 May 2017, at 12:30 pm, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> Kirk raised that, but it does not seem to be a founded concern.
> 
> 1) That requirement applies to all certificates issued against the current BRs
> 2) The BRs do not retroactively invalidate - or, especially in the case of Ballot 197 - approve - certificate issuance.
> 
> A CA has always and only been obligated to state compliance with the in-force BRs with respect to issuance and its activities.

In this context, saying the BRs apply to ‘all certificates issued’ might mean that you could no longer issue a certificate against a root without a common name, and so cannot renew any sub-CAs.

> On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <public at cabforum.org> wrote:
> Gerv, could we also request explicit forward-looking language? Kirk raised the concern about whether this applies to existing roots and intermediates. We have a root issued in 1997 that does not have a common name. Some interpretations have been discussed, but we would strongly prefer that this be written into this change for clear future interpretations.
> 
> If I may:
> 
> 7.1.4.3. Subject Information – Root Certificates and Subordinate CA Certificates
> 
> When issuing a Root Certificate or Subordinate CA Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of the Certificate’s issuance date, all of the Subject Information was accurate and included the content required by this section.