[Servercert-wg] Subject name requirements for CA Certificates
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Oct 24 11:56:43 MST 2019
On 2019-10-23 9:46 μ.μ., Ryan Sleevi wrote:
>
>
> On Wed, Oct 23, 2019 at 2:32 PM Dimitris Zacharopoulos (HARICA)
> <dzacharo at harica.gr <mailto:dzacharo at harica.gr>> wrote:
>
> In the absence of any rationale to limit only a c/ountryName,
> organizationName/ and /commonName /field in subjectDNs of CA
> Certificates, I propose we create a ballot that clarifies the
> expectation to include /stateOrProvinceName/, /localityName/,
> /organizationalUnitName/ and perhaps /organizationIdentifier/,
> along with their validation rules (we already have good rules for
> those fields), and add a clause that other fields SHALL NOT be
> present.
>
>
> As I mentioned, we're not supportive of this. The argument you're
> advancing is the one that I've tried to highlight is problematic "Why
> not", not "Why". I appreciate that it's a very compelling argument,
> because it tries to preserve the incorrectly-presumed status quo, but
> it's not actually a desirable outcome for us, at least.
We have two issues at hand. Issue one is about CAs that have already
included subjectDN attributes in CA Certificates. Issue two is what
should be the expectation going forward. I would like to focus on issue
two at least in this response.
>
> If you have compelling reason for why this information is necessary to
> be in a subject, that's worthwhile. There's no technical reason to
> include this, and there is compelling technical reason to omit it, as
> it is not information that is necessary for the correct functioning of
> the certificates, and more importantly, it's not information that
> needs to nor should be sent in every TLS handshake.
Sure. I believe CAs should be allowed to add more information to the CA
Certificates for the same reasons we require Subscriber Certificates to
include /stateOrProvinceName /OR /localityName/. Relying Parties have
the right to have more information for the issuer in order to
disambiguate between conflicting companies with the same name and to be
able to identify the Issuer more accurately. The conflict is
significantly less if you have organizationName, stateOrProvinceName OR
localityName, countryName compared to organizationName, countryName.
In addition to that, eIDAS Regulation mandates in Annex I (b) and Annex
III (b) that the Certificates "SHALL contain a set of data data
unambiguously representing the qualified trust service provider issuing
the qualified certificates including at least, the Member State in which
that provider is established and:
— for a legal person: the name and, where applicable, registration
number as stated in the official records,..."
This has been decided to be carried out in issuerDN field of end-entity
Certificates. According to RFC5280 section 4.1.2.4 for name chaining,
this means that the same information must be in the subjectDN of the
Issuing CA Certificate. ETSI has decided to carry out this "registration
number" via the /organizationIdentifier /subjectDN field of the Issuing
CA Certificate, which is why you see several Qualified Trust Service
Providers including the /organizationIdentifier /attribute in CA
Certificates.
Forbidding this attribute in CA Certificates will make it impossible to
add the "registration number as stated in the official records" to the
TSP Certificate.
Identity information in CA Certificates was not added because of
technical reasons, you could just have a CN in the subjectDN.
>
> On a technical level, the only essential element is that a CA's
> Subject name be distinct within the certificate chain. That can be
> wholly accomplished by simply generating a random distinguished name -
> there's no dependency on the X.500 hierarchy for naming, and Relying
> Parties have or can obtain the information out of band (e.g. Microsoft
> delivers it out of band as part of their root store updates via the
> Friendly name). However, since that's a more radical shift, the
> provision of countryName, organizationName, and commonName provides
> sufficient distinction for the operating entity (C+O) and allows them
> the flexibility for creation of multiple CAs (commonName). There is no
> need for those other fields, and there is ample harm caused by them.
No harm (let alone "ample") has been caused all these years by having
stateOrProvinceName or localityName or both in CA Certificates. HARICA
has seen no errors or warnings or has had any complains about delays or
other problems from Relying Parties or Subscribers. I am sure other CAs
will confirm the same thing.
> I hope this will be an uncontroversial issue just like it happened
> with ballot SC16.
>
>
> This is unlikely :)
Why do we have to disagree even for obvious issues? This is exactly what
happened in SC16 and we have a precedent. You object to applying a fix
for a problem that had the same root cause. Google voted "yes" to SC16
judging that it was a good fix for that particular problem. Why is it
not a good fix for this problem? The default-deny default-allow
discussion is a lot more controversial than this issue and definitely
deserves more discussion.
> The default-allow default-deny is a very interesting discussion
> but we have spotted a real practical problem in the guidelines
> that causes confusion and possible compliance risks that needs to
> be taken care of sooner than later.
>
>
> I think this is actually the more pressing problem. This is why I
> tried to focus on the systemic issue, rather than trying, as we did
> with SC16, to try to patch each individual issue and simply introduce
> more confusion through inconsistency.
Why patching each individual issue introduces more confusion? This would
be true if the language introduced to fix the issue was worse than what
the existing language :) Making things clearer and less ambiguous is an
improvement and should be welcomed.
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191024/350e39ec/attachment-0001.html>
More information about the Servercert-wg
mailing list