[Servercert-wg] Subject name requirements for CA Certificates

Ryan Sleevi sleevi at google.com
Tue Oct 22 13:32:19 MST 2019


On Tue, Oct 22, 2019 at 4:14 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Ryan,
>
> We’re saying the same thing as far as “older -> old -> new -> intermediate
> -> end entity".  New roots should be able to be cross signed only with
> older roots.  That is what we did and is consistent with your comments
> below, so totally agree.
>
> The unfortunate aspect of this is that the subject DN of our “old” root
> isn’t compliant with the current definition of Subordinate CA subject DN,
> thus the issue if/when we treat a Cross Certificate as a Subordinate CA
> certificate when it comes to naming requirements.  If this was not an
> issue, we wouldn’t be having this conversation.
>

Then it's unclear where the issue is?

If "new" complies with the BRs, then signing "new" with "old" is not an
issue. Old can still comply with the BRs, signing "new", which also
complies with the BRs.

The whole point of this exercise is to provide a path to phase out
certificates that do not comply with the BRs, and to continually move new
issuance on to newer, "more compliant" (i.e. more recent) issuing
hierarchies. It may be that "older" and "old" are trust anchors on legacy
systems - and that's why you create that path to "new" for them.

If "new"'s subject does not comply, you create "newer" - and move your
issuance to that.

New signs newer -> totally fine with the BRs
Old already signed new -> totally fine with the BRs
Older already signed old -> totally fine with the BRs

Now, the only scenario I can see this being an issue is if a path "old ->
new" wasn't created, "new" doesn't comply with the BRs, "old" is still
subject to the BRs, and "new" is included as a trust anchor on some
systems, while "old" is included as a trust anchor on other systems. That
is exactly the scenario that I don't want to have happen / have to support,
and it reflects a problem in the design/ceremony when "new" was created
(that it wasn't cross-certified to 'old' to ensure continuity). This only
happens, though, if you're not following the above flow, so it's hard to
see how you agree with X but also X is a problem.


> I would certainly like to hear from others, CAs and Root program members
> on their view of this situation.   Does everybody feel that cross
> certificates between roots should be prohibited when the “old” root subject
> DN does not contain exactly C, Org and CN?  I have to assume this is a
> problem for more than just GlobalSign.
>