[Servercert-wg] Subject Common Name recommendation vs practice

Aaron Gable aaron at letsencrypt.org
Wed Mar 15 23:03:54 UTC 2023


Hi ServerCert folks,

The BRs Section 7.1.4.2.2 says that the Subject Common Name field in
Subscriber Certificates is Deprecated, i.e. discouraged but not yet
prohibited. This statement has been in place since at least the Baseline
Requirements version 1, adopted over eleven years ago.

However, a quick survey of the WebPKI via censys.io leads to the following
observations:
- 0.2% of publicly-trusted certificates omit the CN field
- 0% of certs issued by Let's Encrypt omit the CN field
- 5% of certs issued by GTS and ZeroSSL (the two CAs issuing the most
non-CN certs) omit the CN field, and all of these appear to be exactly the
subset of certificates which have no SANs short enough (64 chars or less)
to be hoisted into the CN field

It seems untenable to me that a recommendation made over a decade ago still
has less than 1% adoption.

So my question is: how do we go about moving the ecosystem towards a place
where the CN field could transition from Deprecated to Prohibited? What
steps can we as a forum take to help push this transition forward?

Aaron
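As an added example (not part of Aaron's message and not the code of any CA named in it), the script below makes the "hoist a short SAN into CN" practice concrete so an operator can audit their own leaf certificates. It builds and parses minimal DER encodings of an X.509 Subject Name and a subjectAltName extension value (dNSName entries only, CN as UTF8String), then classifies each certificate: CN omitted, CN present (deprecated), or CN not backed by a SAN entry (the BRs require a CN, if present, to be one of the SAN values). The 64-character limit is the X.520 ub-common-name bound the message alludes to; the assumption that a CA picks the first SAN that fits is a simplification of the behaviour described in the thread, not a documented policy of any CA.

```python
"""Audit Subject CN usage against the subjectAltName extension.

Added example: pure-Python DER helpers (no external dependency) plus the
policy check. Assumptions: SANs are dNSName entries, CN is a UTF8String,
and the 'hoisting' rule picks the first SAN of at most 64 characters.
"""

UB_COMMON_NAME = 64              # X.520 ub-common-name
OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName, DER-encoded OID body

def der_tlv(tag, body):
    """Wrap body in a DER tag-length-value, handling long-form lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def build_subject(cn):
    """Name ::= SEQUENCE OF RDN; either empty or a single CN attribute."""
    if cn is None:
        return der_tlv(0x30, b"")
    atv = der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, cn.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, atv))

def build_san(dns_names):
    """GeneralNames ::= SEQUENCE OF dNSName ([2] IMPLICIT IA5String, tag 0x82)."""
    return der_tlv(0x30, b"".join(der_tlv(0x82, n.encode("ascii")) for n in dns_names))

def parse_tlv(buf, pos=0):
    """Return (tag, body, next_offset) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    end = start + length
    return tag, buf[start:end], end

def iter_children(body):
    """Yield (tag, body) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        yield tag, inner

def subject_cn(name_der):
    """Return the CN attribute of a DER Name, or None when absent."""
    _, rdns, _ = parse_tlv(name_der)
    for _, rdn in iter_children(rdns):
        for _, atv in iter_children(rdn):
            (_, oid), (_, val) = list(iter_children(atv))
            if oid == OID_CN:
                return val.decode("utf-8")
    return None

def san_dns_names(san_der):
    """Return the dNSName entries of a DER subjectAltName value."""
    _, names, _ = parse_tlv(san_der)
    return [n.decode("ascii") for t, n in iter_children(names) if t == 0x82]

def choose_cn(dns_names):
    """Hoisting rule assumed here: first SAN that fits in CN, else omit CN."""
    for name in dns_names:
        if len(name) <= UB_COMMON_NAME:
            return name
    return None

def audit(subject_der, san_der):
    """Classify a leaf certificate's CN usage relative to its SANs."""
    cn = subject_cn(subject_der)
    sans = san_dns_names(san_der)
    findings = []
    if cn is None:
        findings.append("cn-omitted")
    else:
        findings.append("cn-present-deprecated")
        if cn not in sans:
            findings.append("cn-not-in-san")  # not permitted by the BRs
    return {"cn": cn, "sans": sans, "hoist_candidate": choose_cn(sans),
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample: one SAN is too long for CN, the other fits.
    too_long = "a" * 60 + ".example.test"
    print(audit(build_subject("www.example.test"),
                build_san([too_long, "www.example.test"])))
    print(audit(build_subject(None), build_san([too_long])))
```

Run on real certificates, `subject_der` and `san_der` would be the DER bytes of the tbsCertificate subject and of the subjectAltName extnValue; the classification then tells you which of your own certificates still carry a CN and whether any would have been issued without one under a hoisting policy.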