[Servercert-wg] Subject name requirements for CA Certificates

Curt Spann cspann at apple.com
Thu Oct 24 08:51:10 MST 2019

We (Apple) approach the BRs as Default-Deny in which it only specifies what is allowed. The Default-Deny approach makes it less ambiguous to determine the requirement for operating a publicly trusted CA.

I encourage CAs to review their practices against the BRs using Default-Deny. If CAs would like to add additional statements to the BRs to align with their practices, the CAs should create ballots to update the BRs.

- Curt
