[Servercert-wg] Subject Common Name recommendation vs practice

Ryan Dickson ryandickson at google.com
Mon Mar 20 18:58:02 UTC 2023


Hi Aaron,


For those of us who are still somewhat new to the ecosystem (like me!), can
you - or others - highlight historical justification for not defining a
deprecation date?


The approved version of SC62 (Profiles Ballot) transitioned the related
language observed in 7.1.4.2.2 ("Deprecated (Discouraged, but not
prohibited)") to "NOT RECOMMENDED" - which might be interpreted as a
regression.


Minimally, we could pursue a ballot to indicate that using Common Name in
subscriber certificates is "pending prohibition" - a new term introduced
via SC62, while also providing a date where this transitions to "MUST NOT."


> Pending Prohibition: The use of a behavior described with this label is
> highly discouraged, as it is planned to be deprecated and will likely be
> designated as MUST NOT in the future.


It would be ideal if the community could work together to identify blockers
and establish a date to transition from "Pending Prohibition" to "MUST
NOT." If at the same time, we could signal precise dates for the existing
"Pending Prohibition" items (related to Key Usage), that would also seem
beneficial.


Thanks,

Ryan

On Wed, Mar 15, 2023 at 7:05 PM Aaron Gable via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi ServerCert folks,
>
> The BRs Section 7.1.4.2.2 says that the Subject Common Name field in
> Subscriber Certificates is Deprecated, i.e. discouraged but not yet
> prohibited. This statement has been in place since at least the Baseline
> Requirements version 1, adopted over eleven years ago.
>
> However, a quick survey of the WebPKI via censys.io leads to the
> following observations:
> - 0.2% of publicly-trusted certificates omit the CN field
> - 0% of certs issued by Let's Encrypt omit the CN field
> - 5% of certs issued by GTS and ZeroSSL (the two CAs issuing the most
> non-CN certs) omit the CN field, and all of these appear to be exactly the
> subset of certificates which have no SANs short enough (64 chars or less)
> to be hoisted into the CN field
>
> It seems untenable to me that a recommendation made over a decade ago
> still has less than 1% adoption.
>
> So my question is: how do we go about moving the ecosystem towards a place
> where the CN field could transition from Deprecated to Prohibited? What
> steps can we as a forum take to help push this transition forward?
>
> Aaron
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
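The thread turns on two mechanics of the Subject Common Name: the BR 7.1.4.2.2 rule that a CN, if present, must carry a value taken from the certificate's subjectAltName, and the X.520 ub-common-name limit of 64 characters that Aaron's survey attributes the remaining CN-less certificates to. The following is an added example, not code from the thread, from the CA/Browser Forum, or from any CA's issuance pipeline. It models a certificate as a small constructed record of its CN and SAN entries (no DER parsing), implements a lint for the CN rules above, reproduces the "hoist the first SAN that fits" behaviour as a function, and summarises a constructed population the way a censys-style survey would. Field names, sample hostnames and the `.test` domain are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# X.520 ub-common-name: subject:commonName is capped at 64 characters, which is
# why only SAN entries of 64 characters or fewer can be copied into the CN.
UB_COMMON_NAME = 64


@dataclass
class SubscriberCert:
    """Constructed, minimal view of the fields the CN lint needs."""
    common_name: Optional[str]                    # None when the CN is omitted
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)

    def san_values(self) -> List[str]:
        return self.san_dns + self.san_ip


def hoistable_cn(cert: SubscriberCert) -> Optional[str]:
    """Return the first SAN value short enough to serve as the CN, or None.

    Models the issuance behaviour described in the thread: a CN can only be
    populated from a SAN that fits within ub-common-name, so a certificate
    whose SANs are all longer than 64 characters has to omit the CN.
    """
    for name in cert.san_values():
        if len(name) <= UB_COMMON_NAME:
            return name
    return None


def lint_common_name(cert: SubscriberCert) -> List[str]:
    """Return findings about the CN; an empty list means nothing to report."""
    findings: List[str] = []
    if cert.common_name is None:
        return findings  # omitted CN is the recommended state
    # Presence alone is the "NOT RECOMMENDED" condition from 7.1.4.2.2.
    findings.append("NOT RECOMMENDED: subject:commonName is present")
    if len(cert.common_name) > UB_COMMON_NAME:
        findings.append(f"ERROR: CN exceeds ub-common-name ({UB_COMMON_NAME})")
    # 7.1.4.2.2 requires the CN value to be one of the SAN entries.
    if cert.common_name not in cert.san_values():
        findings.append("ERROR: CN value is not one of the SAN entries")
    return findings


def summarize(certs: Iterable[SubscriberCert]) -> Dict[str, int]:
    """Count CN omission, CN presence and CN errors over a population."""
    counts = {"omit_cn": 0, "cn_present": 0, "cn_errors": 0}
    for cert in certs:
        findings = lint_common_name(cert)
        counts["omit_cn" if cert.common_name is None else "cn_present"] += 1
        if any(f.startswith("ERROR") for f in findings):
            counts["cn_errors"] += 1
    return counts


# Constructed sample certificates (not real issuance data).
SAMPLES = {
    "san_only": SubscriberCert(None, ["example.test", "www.example.test"]),
    "cn_from_san": SubscriberCert("example.test", ["example.test", "www.example.test"]),
    "cn_not_in_san": SubscriberCert("other.test", ["example.test"]),
    "long_sans_only": SubscriberCert(None, ["a" * 70 + ".example.test"]),
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(f"{label}: hoistable CN={hoistable_cn(cert)!r}, "
              f"findings={lint_common_name(cert)}")
    print(summarize(SAMPLES.values()))
```

Running the block prints each sample's findings and the population counts; `omit_cn / (omit_cn + cn_present)` is the "omits the CN field" ratio the survey quotes. A real lint would take these fields from a parsed certificate rather than a constructed record, but the rules applied are the same.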