[cabfpub] [EXT] Re: Ballot 199 - Require commonName in Root and Intermediate Certificates

Gervase Markham gerv at mozilla.org
Fri May 5 13:22:26 UTC 2017


On 04/05/17 21:33, Geoff Keating via Public wrote:
> In this particular case, because issued certificates contain the subject
> name from the issuer, you could argue that issuance from a CA without a
> subject name is no longer allowed—7.1.4.1 says that the issuer name must
> match the subject name of the issuer (of course!), and that brings the
> issuer's name into scope at the time of issuance.  This is different
> from other properties of the issuer’s certificate, like the algorithm it
> is signed with or its expiry date, because those don’t propagate to the
> issued certificate.

Interesting. I do see the difference. But I'd say that because the
issuer name is not under the control of the certificate issuer (that is
to say, it's not like you can just pick a new value, because then the
cert won't work) then it's not reasonable to bring flaws in it into
scope for the issuance.

Anyhow, this is moot, as we are in the voting period.

Gerv




More information about the Public mailing list