[cabfpub] [cabfquest] [Ext] FUNDAMENTAL SSL RULE CHANGE REQUIRED

Geoff Keating geoffk at apple.com
Tue Oct 23 04:27:38 UTC 2018


[redirecting discussion to cabfpub]

> On 22 Oct 2018, at 6:45 pm, Ryan Sleevi via Questions <questions at cabforum.org> wrote:

> Thus if you want a certificate for a single hostname, the SAN must be <= 64 characters. If you want to have a certificate for a SAN > 64 characters, you need to encode an additional SAN (that is <= 64 characters), or you need to use OV/EV. Ballot 208 would have fixed that.

I think you misunderstand the purpose of ballot 208.  If you don’t want to use OV or EV, and you can’t fit any of the SANs in the commonName, you can just not provide a commonName; it’s optional!  But, the claimed reason for ballot 208 is that there is some software out there which can't support an empty subjectName and also supports only specific subjectName fields, and that some people wanted to use this software without validating any part of the certificate except for the hostname.  Oh, and they didn’t want to use countryName or serialNumber or [several other alternatives omitted]...

Now, there are a bunch of alternatives to work around the various problems/bugs/whatevers, but the overall principle is:

- If your software has a lot of bugs and problems and missing features,
- And you're pretty picky, you must have DV and you won't rename your host and so on,
- Then eventually you paint yourself into a corner and nothing works.

I’m not sure anything can really save people from that.

So, my answer to the original question (is there even a question there?) is:


Thank you for your question.  The commonName field in a certificate subjectName is optional.  If all the host names in the certificate are too long to fit in the commonName, it must be omitted.  The host names will be placed in the dNSName part of the subjectAlternativeName field.  All SSL clients should use the subjectAlternativeName field to match the host, so it should not matter that the commonName field is not present.

Under some circumstances, this may lead to a completely empty subjectName, which may cause difficulties with some software.  If such problems are encountered, and the software cannot be upgraded, it is suggested to add validated information to the subjectName field, such as countryName and/or organizationName, producing an OV certificate.
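Added example (not from the original post or from the CA/Browser Forum): in Go, a certificate whose hostnames all exceed the 64-character commonName bound is issued with no commonName at all, which leaves the subjectName completely empty, and a SAN-matching client still accepts it via the dNSName entry. `LongHost` is a constructed name; the hostname match relies on Go's `VerifyHostname`, which has ignored commonName since Go 1.15.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// LongHost is a constructed hostname (89 chars) that cannot fit in commonName.
const LongHost = "very-long-service-name-for-the-commonname-limit.internal-platform.engineering.example.com"

// pickCommonName returns the first SAN that fits in commonName, or "" when none does.
func pickCommonName(hosts []string) string {
	for _, h := range hosts {
		if len(h) <= 64 { // X.520 ub-common-name: the longest commonName allowed
			return h
		}
	}
	return ""
}

// buildDVCert issues a self-signed DV-style leaf: hostnames always go in dNSName SANs.
func buildDVCert(hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: pickCommonName(hosts)}, // empty CN => empty subject
		DNSNames:     hosts,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// subjectIsEmpty reports the case the reply warns about: a subjectName with no attributes.
func subjectIsEmpty(cert *x509.Certificate) bool { return len(cert.Subject.Names) == 0 }

// matchesHost behaves like a SAN-based client; Go ignores commonName entirely here.
func matchesHost(cert *x509.Certificate, host string) bool { return cert.VerifyHostname(host) == nil }
```

When the subject is empty, Go also marks the subjectAltName extension critical, as RFC 5280 requires.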