[Servercert-wg] Browser Alignment Ballot - Name Chaining

Corey Bonnell CBonnell at securetrust.com
Tue May 12 10:11:54 MST 2020


> Yes to the point about applying to CAs, although no to the point about aligning across all certificates associated with a CA Public Key. There are CAs that use the same SPKI but with different CA Subject Names, and that's valid and allowed (from a UA perspective and from a 5280 perspective)
It appears there are some still-valid intermediates listed in CCADB whose subjectDN would match per RFC 5280 section 7.1 (RFC 4518) but are not byte-for-byte equal due to differences in encoding using PrintableString vs. UTF8String in different certificates. These would run afoul of the new requirement.
> The encoded content of the Subject Distinguished Name field of a Certificate SHALL be byte-for-byte identical among all Certificates whose Subject Distinguished Name can be compared as equal according to RFC 5280, Section 7.1, if at least one Certificate is a CA Certificate.
Can you expand a bit on the goal of this requirement? I originally thought it was to force a 1:1 mapping of CA Public Key to subjectDN encoding for all CA Certificates, but as you noted that’s not the case. 
Thanks,

Corey
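
The distinction Corey draws above, between two subject DNs that compare equal under RFC 5280 section 7.1 and two that are byte-for-byte identical, can be made concrete in code. The following is an added example, not part of this message, of the ballot text, or of any CA/B Forum tooling: it hand-encodes a minimal DER Name (short-form lengths only, single-valued RDNs), decodes it back, and applies a simplified RFC 4518 string preparation (case folding, NFKC, whitespace collapsing; the prohibited-character and bidi steps are omitted). The CA name "Example Trust Services" / "Example Issuing CA 1" is constructed for the example.

```python
import unicodedata

# DER tag numbers used in this example
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06

# Pre-encoded OIDs for the attribute types in the constructed sample
OID_COUNTRY = b"\x55\x04\x06"       # 2.5.4.6  countryName
OID_ORGANIZATION = b"\x55\x04\x0a"  # 2.5.4.10 organizationName
OID_COMMON_NAME = b"\x55\x04\x03"   # 2.5.4.3  commonName


def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV. Assumption: short-form length only (content < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("example supports short-form DER lengths only")
    return bytes([tag, len(content)]) + content


def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN here is a
    single-valued SET OF AttributeTypeAndValue (SEQUENCE { type, value })."""
    parts = []
    for oid, string_tag, text in rdns:
        atv = der(TAG_SEQUENCE, der(TAG_OID, oid) + der(string_tag, text.encode("utf-8")))
        parts.append(der(TAG_SET, atv))
    return der(TAG_SEQUENCE, b"".join(parts))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the TLV). Short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("example supports short-form DER lengths only")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_name(encoded: bytes):
    """Inverse of encode_name: list of (oid, string_tag, raw value bytes)."""
    tag, body, end = parse_tlv(encoded)
    if tag != TAG_SEQUENCE or end != len(encoded):
        raise ValueError("not a single DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = parse_tlv(body, pos)
        seq_tag, atv, _ = parse_tlv(set_body)
        if set_tag != TAG_SET or seq_tag != TAG_SEQUENCE:
            raise ValueError("malformed RDN")
        oid_tag, oid, off = parse_tlv(atv)
        value_tag, value, _ = parse_tlv(atv, off)
        if oid_tag != TAG_OID:
            raise ValueError("malformed AttributeTypeAndValue")
        rdns.append((oid, value_tag, value))
    return rdns


def prepare(value: bytes, string_tag: int) -> str:
    """Simplified RFC 4518 string preparation as invoked by RFC 5280 section 7.1:
    transcode, case-fold, NFKC-normalise, collapse insignificant whitespace."""
    if string_tag == TAG_PRINTABLESTRING:
        text = value.decode("ascii")
    elif string_tag == TAG_UTF8STRING:
        text = value.decode("utf-8")
    else:
        raise ValueError(f"unsupported string type tag 0x{string_tag:02x}")
    text = unicodedata.normalize("NFKC", text.casefold())
    return " ".join(text.split())


def names_match_rfc5280(a: bytes, b: bytes) -> bool:
    """Section 7.1 comparison: same RDN count, same attribute types in order,
    values equal after string preparation, regardless of string encoding."""
    ra, rb = decode_name(a), decode_name(b)
    if len(ra) != len(rb):
        return False
    return all(oid_a == oid_b and prepare(va, ta) == prepare(vb, tb)
               for (oid_a, ta, va), (oid_b, tb, vb) in zip(ra, rb))


def compare_subjects(a: bytes, b: bytes) -> dict:
    """The two tests the ballot language distinguishes between."""
    return {"rfc5280_equal": names_match_rfc5280(a, b), "byte_identical": a == b}


# Constructed sample: the same CA subject, once with PrintableString values
# (older certificate) and once with UTF8String values (newer certificate).
SUBJECT_PRINTABLE = encode_name([
    (OID_COUNTRY, TAG_PRINTABLESTRING, "US"),
    (OID_ORGANIZATION, TAG_PRINTABLESTRING, "Example Trust Services"),
    (OID_COMMON_NAME, TAG_PRINTABLESTRING, "Example Issuing CA 1"),
])
SUBJECT_UTF8 = encode_name([
    (OID_COUNTRY, TAG_PRINTABLESTRING, "US"),  # countryName stays PrintableString
    (OID_ORGANIZATION, TAG_UTF8STRING, "Example Trust Services"),
    (OID_COMMON_NAME, TAG_UTF8STRING, "Example Issuing CA 1"),
])

if __name__ == "__main__":
    print(compare_subjects(SUBJECT_PRINTABLE, SUBJECT_UTF8))
    # {'rfc5280_equal': True, 'byte_identical': False}
```

Run against the two constructed encodings, `compare_subjects` reports them equal under section 7.1 but not byte-identical, which is exactly the pair of still-valid intermediates that would fall on the wrong side of the proposed wording. An auditor checking a CA's CCADB inventory against the requirement would want both results side by side, since only the byte comparison is what the ballot text tests.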
