[Servercert-wg] Browser Alignment Ballot - Name Chaining

Corey Bonnell CBonnell at securetrust.com
Mon May 4 11:57:43 MST 2020


Hello,

Having reviewed the Browser Alignment Ballot [1], I have concerns about the new requirements in section 7.1.4.1 concerning Name Chaining.

The previous language is as follows:

The content of the Certificate Issuer Distinguished Name field MUST match the Subject DN of the Issuing CA to support Name chaining as specified in RFC 5280, section 4.1.2.4.

The proposed language is:

The encoded content of the Issuer Distinguished Name field of a Certificate SHALL be byte-for-byte identical with the encoded form of the Subject Distinguished Name field of the Issuing CA certificate.

The encoded content of the Subject Distinguished Name field of a Certificate SHALL be byte-for-byte identical among all Certificates whose Subject Distinguished Name can be compared as equal according to RFC 5280, Section 7.1.

Section 4.1.2.4 of RFC 5280 does not mandate binary equality for DNs to support name chaining but instead defers to section 7.1, so I don’t believe this is an existing Root Program requirement. The closest thing to such a requirement that I’m aware of is Mozilla’s Potentially Problematic Practice of “Issuer Encoding in CRL” [2] (with associated discussion here on MDSP [3]), but despite being frowned upon, it is currently not a policy violation to not use binary-equal DNs (although understandably certificates may not work otherwise depending on the UA implementation).

Initially, I was under the impression that the Browser Alignment ballot was merely a codification of existing Root Program requirements and no additional requirements would be introduced, but these two requirements in 7.1.4.1 give me pause. Is my initial impression correct, or is the intent to introduce additional requirements?

[1] https://github.com/sleevi/cabforum-docs/pull/10

[2] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Issuer_Encoding_in_CRL

[3] https://groups.google.com/d/topic/mozilla.dev.security.policy/zsBB_XqdOCg/discussion

Thanks,

Corey Bonnell 
Software Architect
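
Added example, not part of the original message or of the ballot text: a small lint showing the gap the message describes, where an Issuer DN compares equal to the Issuing CA's Subject DN under RFC 5280 section 7.1 but is not byte-for-byte identical. The DER helpers, the `prep` simplification of RFC 4518 string preparation, the `classify` labels and all sample names are assumptions constructed for illustration.

```python
import unicodedata

PRINTABLE, UTF8 = 0x13, 0x0C  # ASN.1 tags for PrintableString and UTF8String
OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")  # 2.5.4.10, 2.5.4.3

def tlv(tag, body):
    """DER tag-length-value, short-form length only (body under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([tag, len(body)]) + body

def encode_name(attrs):
    """Encode [(oid, string_tag, text), ...] as a Name, one attribute per RDN."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode("utf-8"))))
        for oid, tag, text in attrs)
    return tlv(0x30, rdns)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def decode_name(der):
    """Inverse of encode_name: list of (oid, text) pairs, string type dropped."""
    _, body, _ = read_tlv(der, 0)
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, nxt = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, nxt)
        attrs.append((oid, value.decode("utf-8")))
    return attrs

def prep(text):
    """Simplified stand-in for RFC 4518 preparation: NFKC, case fold, collapse spaces."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def classify(issuer_der, ca_subject_der):
    """Lint result for a certificate's Issuer DN against the Issuing CA's Subject DN."""
    if issuer_der == ca_subject_der:
        return "byte-identical"
    a, b = decode_name(issuer_der), decode_name(ca_subject_der)
    if [(o, prep(t)) for o, t in a] == [(o, prep(t)) for o, t in b]:
        return "equal-under-7.1-only"  # chains per RFC 5280, fails the proposed text
    return "mismatch"

# Constructed sample names, not taken from any real CA
CA_SUBJECT = encode_name([(OID_O, PRINTABLE, "Example Trust"), (OID_CN, PRINTABLE, "Example Root CA")])
ISSUER_REENCODED = encode_name([(OID_O, UTF8, "Example Trust"), (OID_CN, UTF8, "example  root ca")])
ISSUER_OTHER = encode_name([(OID_O, PRINTABLE, "Example Trust"), (OID_CN, PRINTABLE, "Example Root CA 2")])
```

A result of "equal-under-7.1-only" is the case in question: acceptable for name chaining under RFC 5280, non-compliant under the proposed byte-for-byte wording.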

 

