[cabfpub] [EXT] Re: Ballot 199 - Require commonName in Root and Intermediate Certificates

Geoff Keating geoffk at apple.com
Thu May 4 20:33:10 UTC 2017


In this particular case, because issued certificates contain the subject name from the issuer, you could argue that issuance from a CA without a subject name is no longer allowed—7.1.4.1 says that the issuer name must match the subject name of the issuer (of course!), and that brings the issuer's name into scope at the time of issuance.  This is different from other properties of the issuer’s certificate, like the algorithm it is signed with or its expiry date, because those don’t propagate to the issued certificate.

Or not.  You can make arguments either way.

> On 4 May 2017, at 1:06 pm, Ryan Sleevi <sleevi at google.com> wrote:
> 
> How so? The Ballot only applies to the profile of the issuance of roots/sub-CAs, not from.
> 
> If it applied to from, the existing BRs would already rule out a number of members' roots and intermediates :)
> 
> 
> On Thu, May 4, 2017 at 4:04 PM, Geoff Keating <geoffk at apple.com <mailto:geoffk at apple.com>> wrote:
> 
>> On 4 May 2017, at 12:30 pm, Ryan Sleevi via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>> 
>> Kirk raised that, but it does not seem to be a founded concern.
>> 
>> 1) That requirement applies to all certificates issued against the current BRs
>> 2) The BRs do not retroactively invalidate - or, especially in the case of Ballot 197 - approve - certificate issuance.
>> 
>> A CA has always and only been obligated to state compliance with the in-force BRs with respect to issuance and its activities.
> 
> In this context, saying the BRs apply to ‘all certificates issued’ might mean that you could no longer issue a certificate against a root without a common name, and so cannot renew any sub-CAs.
> 
>> On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>> Gerv, could we also request explicit forward-looking language? Kirk raised the concern about whether this applies to existing roots and intermediates. We have a root issued in 1997 that does not have a common name. Some interpretations have been discussed, but we would strongly prefer that this be written into this change for clear future interpretations.
>> 
>>  
>> 
>> If I may:
>> 
>>  
>> 
>> 7.1.4.3. Subject Information – Root Certificates and Subordinate CA Certificates
>> 
>> When issuing a Root Certificate or Subordinate CA Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of the Certificate’s issuance date, all of the Subject Information was accurate and included the content required by this section.
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170504/5775cbbc/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170504/5775cbbc/attachment-0001.p7s>


More information about the Public mailing list