[cabfpub] Ballot 208 - dnQualifiers

Geoff Keating geoffk at apple.com
Sun Oct 22 21:35:30 UTC 2017



> On 22 Oct 2017, at 1:24 pm, Peter Bowen <pzb at amzn.com> wrote:
> 
>> Another workaround for individual cases is to identify the subscriber!  If you just supply the countryName field, that will do.  It can be determined and verified automatically in most cases.
> 
> If it would be agreeable to exclude countryName-only certificates from the definition of certificates which "contain Subject Identity Information", then this seems like a reasonable workaround.  Otherwise section 7.1.6.1 directs that these be designated OV certificates.

I don’t think it does… it says

> {joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2) domain‐validated(1)} (2.23.140.1.2.1), if the Certificate complies with these Requirements but lacks Subject Identity Information that is verified in accordance with Section 3.2.2.1 or Section 3.2.3.
> 
> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName, givenName, surname, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field 

countryName is not in the list of things you can’t include, and it says 3.2.2.1 not 3.2.2.3, so although countryName is ‘Subject Identity Information’ it is allowed in DV certificates if verified using 3.2.2.3(a)-3.2.2.3(c).  This makes sense because in the other cases you’re determining the countryName from the domain name or IP address.

In olden times some CAs would put countryName in all their DV certificates.  I suspect that was working around some other bug!

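As an added example (not part of this thread or of any CA/Browser Forum tooling), a stdlib-only Python check of the 7.1.6.1 rule quoted above: a certificate asserting 2.23.140.1.2.1 must not carry the seven listed Subject attributes, while countryName is not on that list. The DER-encoded Subjects below are constructed samples, and the policy OIDs are passed in as dotted strings; in practice you would pull the Subject and the certificatePolicies extension out of the certificate first.

```python
"""Check a Subject against BR 7.1.6.1 when the DV policy OID is asserted."""

DV_POLICY = "2.23.140.1.2.1"
# Subject attribute types that 7.1.6.1 forbids in a certificate asserting DV_POLICY.
FORBIDDEN_IN_DV = {
    "2.5.4.10": "organizationName",
    "2.5.4.42": "givenName",
    "2.5.4.4": "surname",
    "2.5.4.9": "streetAddress",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.17": "postalCode",
}
# countryName (2.5.4.6) is deliberately absent from the table above.

def _tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def subject_attribute_oids(name_der):
    """Yield the attribute type OIDs of a DER X.501 Name (SEQUENCE OF SET OF SEQUENCE)."""
    _, rdns, _ = _tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)      # one RelativeDistinguishedName (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _tlv(rdn, inner)   # AttributeTypeAndValue
            yield decode_oid(_tlv(atv, 0)[1])  # its first element is the type OID

def dv_subject_violations(policy_oids, name_der):
    """Names of forbidden attributes present; empty if compliant or not a DV cert."""
    if DV_POLICY not in policy_oids:
        return []
    return [FORBIDDEN_IN_DV[o] for o in subject_attribute_oids(name_der) if o in FORBIDDEN_IN_DV]

# Constructed sample Subjects, not taken from any real certificate.
SUBJECT_C_ONLY = bytes.fromhex("300d310b3009060355040613025553")              # C=US
SUBJECT_C_AND_O = bytes.fromhex("3024310b3009060355040613025553"              # C=US
                                "31153013060355040a0c0c4578616d706c6520436f7270")  # O=Example Corp
```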
