[Servercert-wg] Browser Alignment Ballot - Name Chaining

Ryan Sleevi sleevi at google.com
Mon May 11 11:51:23 MST 2020


On Thu, May 7, 2020 at 11:09 AM Corey Bonnell <CBonnell at securetrust.com>
wrote:

> I am concerned by this proposed language:
>
> “The encoded content of the Subject Distinguished Name field of a
> Certificate SHALL be byte-for-byte identical among all Certificates whose
> Subject Distinguished Name can be compared as equal according to RFC 5280,
> Section 7.1.”
>
> If this is currently a Root Program requirement, then it is afoul of
> policy if a CA issues two end-entity certificates, one with a CN of
> WWW.EXAMPLE.COM and another end-entity certificate with a CN of
> www.example.com.  I’m thinking the intent here is that for a given CA
> Public Key, the subjectDN must be byte-to-byte equal for all Certificates
> that contain the CA Public Key in the SubjectPublicKeyInfo. Is that an
> accurate assessment of the intent?
>

Yes to the point about applying to CAs, although no to the point about
aligning across all certificates associated with a CA Public Key. There are
CAs that use the same SPKI but with different CA Subject Names, and that's
valid and allowed (from a UA perspective and from a 5280 perspective).

I think this ends up as:
The encoded content of the Subject Distinguished Name field of a
Certificate SHALL be byte-for-byte identical among all Certificates whose
Subject Distinguished Name can be compared as equal according to RFC 5280,
Section 7.1, *if at least one Certificate is a CA Certificate.*

I considered other variants of that language, but rejected them for the
reasons below:

   - Subordinate CA or Root CA - This has the problem we've seen that for
   some CAs it's not clear this also covers Cross-Certs (which are Subordinate
   CAs).
   - "capable of being used to issue new certificates" - This is the
   language from Section 8.1, but we don't use that phrase beyond that
   section, where it's also defined.
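A check for the rule the thread lands on, added here as an example and not code from the ballot or from either poster: it compares Subject DNs the RFC 5280 Section 7.1 way (simplified here to case folding and space collapsing for PrintableString/UTF8String values) and flags pairs that compare equal but are not byte-for-byte identical when at least one of the pair is a CA certificate, while leaving Corey's two end-entity CN variants alone. The DER helpers and the sample certificate set are constructed for this example.

```python
# Minimal DER helpers for X.501 Names, constructed for this example (short-form
# lengths and PrintableString/UTF8String values only; not a full ASN.1 library).
PRINTABLE, UTF8, SEQUENCE, SET, OID = 0x13, 0x0C, 0x30, 0x31, 0x06
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
def tlv(tag, body):  # short-form length is enough for these samples
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def name_der(cn, string_tag=PRINTABLE):
    """DER Name with one CN RDN: SEQUENCE { SET { SEQUENCE { OID, value } } }."""
    atv = tlv(SEQUENCE, tlv(OID, OID_CN) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(SEQUENCE, tlv(SET, atv))
def parse_tlv(buf, pos=0):  # -> (tag, body, position after this element)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length
def parse_name(der):
    """Return the Name as a list of RDNs, each a frozenset of (oid, tag, value)."""
    _, seq, _ = parse_tlv(der)
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = parse_tlv(seq, pos)
        atvs, p = set(), 0
        while p < len(rdn):
            _, atv, p = parse_tlv(rdn, p)
            _, oid, q = parse_tlv(atv)
            tag, value, _ = parse_tlv(atv, q)
            atvs.add((oid, tag, value))
        rdns.append(frozenset(atvs))
    return rdns
def prepared(value):  # simplified RFC 5280 s7.1 / RFC 4518 string preparation
    return " ".join(value.decode("utf-8").casefold().split())
def names_equal_5280(a, b):
    """RFC 5280 s7.1: same RDN sequence, each RDN a matching set of (type,
    prepared value) pairs, regardless of the string encoding tag used."""
    ra, rb = parse_name(a), parse_name(b)
    norm = lambda rdn: frozenset((oid, prepared(v)) for oid, _, v in rdn)
    return len(ra) == len(rb) and all(norm(x) == norm(y) for x, y in zip(ra, rb))
def find_encoding_mismatches(certs):
    """certs: [(label, subject_der, is_ca)]. Flag pairs equal under RFC 5280 but
    not byte-for-byte identical when at least one of the pair is a CA cert."""
    return [(la, lb) for i, (la, da, ca_a) in enumerate(certs)
            for lb, db, ca_b in certs[i + 1:]
            if (ca_a or ca_b) and da != db and names_equal_5280(da, db)]

# Constructed sample: a root, a cross-cert re-encoding the same CN as a lower-case
# UTF8String, and two end-entity certs with case-variant CNs (Corey's example).
SAMPLE_CERTS = [("root", name_der("Example Root CA"), True),
                ("cross-cert", name_der("example root ca", UTF8), True),
                ("leaf-1", name_der("WWW.EXAMPLE.COM"), False),
                ("leaf-2", name_der("www.example.com"), False)]
```

Running `find_encoding_mismatches(SAMPLE_CERTS)` reports only the root/cross-cert pair; the two leaves match under 5280 but neither is a CA, so they are not flagged.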