[cabfpub] Path forward for DV cert subjects

Geoff Keating geoffk at apple.com
Fri Nov 3 15:16:47 MST 2017



> On 3 Nov 2017, at 2:37 pm, Peter Bowen via Public <public at cabforum.org> wrote:
…
> From the discussion on the list, I propose that we explicitly exclude countryName from Subject Identity Information.  As Geoff pointed out, historically some DV certs have included countryName and there is a process in the BRs for validation of countryName when it is the only item in the subject.
> 
> What do others think?  Is it reasonable to allow DV certificates with countryName in the subject?

I guess it should also be mentioned that if you use the process in the BRs, you’re not really validating that the countryName is the country of the subscriber; in this case the countryName is the country of a domain name or IP address.  It’ll be a country associated with the subscriber but not necessarily the subscriber's home.  So I think it would be reasonable to exclude it from Subject Identity Information.

If we were up for some editing, I think it should be ‘Subscriber Identity Information’, though, not ‘Subject’.  The BRs are a bit confused about what a Subject might be:

> Subject: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the Subject. The Subject is either the Subscriber or a device under the control and operation of the Subscriber.

… so, in a certificate with CN=www.example.com/O=Example Inc./C=US, is the Subject ‘Example Inc.’, or ‘www.example.com’, and if the second, why is ‘www.example.com’ not Subject Identity Information, and if the first, then what is the Subject for ‘CN=www.example.com’?
