[cabfpub] Ballot 208 - dnQualifiers

Jacob Hoffman-Andrews jsha at letsencrypt.org
Sat Oct 21 11:41:06 MST 2017

Let's Encrypt votes YES to ballot 208.

On Fri, Oct 20, 2017 at 3:17 PM, Peter Bowen via Public <public at cabforum.org> wrote:

> > We could move to serialNumber or assign new object identifier which can
> be used for this purpose, but it would have no more meaning than
> dnQualifier for all known implementations.  I did not find any place where
> dnQualifier had any semantics in applications when I looked.

Let's Encrypt has considered serial number for this purpose, but concluded
that even though nothing really uses it, it's a slight misuse of the
intended semantics of serial number in the Subject. My understanding is
that it is more typically intended to represent the serial number of a
piece of computing equipment, rather than, e.g., a certificate or a
grouping of names. I think dnQualifier is well suited for this purpose.

This ballot does solve a real and present problem for us, as described
above: issuing certificates for domain names longer than 64 characters. It
also allows CAs to start issuing certificates with no CommonName attribute
that are broadly usable. This is nice because domain names in CommonName
have been deprecated for a very long time now, but there hasn't been any
practical progress towards eliminating them.