[cabfpub] Ballot 199 - Require commonName in Root and Intermediate Certificates

Gervase Markham gerv at mozilla.org
Mon May 8 11:11:13 UTC 2017

On 08/05/17 10:37, Mads Egil Henriksveen wrote:
> I support that CN is required in all certificates, but I don’t support
> that we should require a unique CN across all CA certificates issued by
> the issuing CA.

We don't. That MUST was changed to a SHOULD.

> As long as we issue a new certificate for the same CA entity (i.e. with
> the same CA key and same validity), it is not obvious that we should
> have to “change the name” of this entity. CN is a part of the Subject
> field and thus a part of the name of the CA.

See the discussion between Bruce and Ryan. :-)


More information about the Public mailing list