[cabf_validation] 7.1.2.2.h Subordinate CA Common Name

陳立群 realsky at cht.com.tw
Thu Mar 9 07:39:00 MST 2017


Dear Ben,

 

     - commonName (OID 2.5.4.3):  This field MUST be present for Subordinate
CA Certificates where the corresponding Key Pair is generated after
[compliance date].

 

            “The compliance date” means a day after the ballot is
passed, right?

 

          Otherwise, as I said in the last call, there are some Root CAs or
Subordinate CAs that use OU to specify a CA’s name instead of the Common Name.
That is, that CA belongs to an Organization. So the CA’s name is put in OU.
No value is in Common Name.

 

      Also, please see the attached file: in 2013, the Microsoft Root Certificate
Program had not yet specified that Common Name is required for a Root CA or Sub CA.
(Only Root CA Organization Name must appear in the Root Certificate
Subject Name in any CA certificates (root or intermediate) must contain the
name of the organization that operates the CA at the time of issuance.)

 

     It was in 2015 that the Microsoft Root Certificate Program asked new Root CAs to
follow:

 

The CN attribute must identify the publisher and must be unique.

 

The CN attribute must be in a language that is appropriate for the CA’s
market and readable by a typical customer in that market.

 

Sincerely Yours,

 

               Li-Chun Chen

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Ben
Wilson via Validation
Sent: Friday, February 24, 2017 1:04 AM
To: validation at cabforum.org
Cc: Ben Wilson
Subject: [External Mail] [cabf_validation] 7.1.2.2.h Subordinate CA Common Name

 

As a follow up to today’s discussion, here is a first draft of an amendment
to the Baseline Requirements that would address the requirement to have a
Common Name in CA certificates.

 

7.1.2.2. Subordinate CA Certificate

h.	Subject Information

The Certificate Subject MUST contain the following:

- countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO
3166-1 country code for the country in which the CA’s place of business is
located.

- organizationName (OID 2.5.4.10): This field MUST be present and the
contents MUST contain either the Subject CA’s name or DBA as verified under
Section 3.2.2.2. The CA may include information in this field that differs
slightly from the verified name, such as common variations or abbreviations,
provided that the CA documents the difference and any abbreviations used are
locally accepted abbreviations; e.g., if the official record shows “Company
Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company
Name”.

- commonName (OID 2.5.4.3):  This field MUST be present for Subordinate CA
Certificates where the corresponding Key Pair is generated after [compliance
date].

 

This raises a question for similar language in section 7.1.2.1.e, Subject
information for Root CA Certificates:

 

e.            Subject Information

The Certificate Subject MUST contain the following:

- countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO
3166-1 country code for the country in which the CA’s place of business is
located.

- organizationName (OID 2.5.4.10): This field MUST be present and the
contents MUST contain either the Subject CA’s name or DBA as verified under
Section 3.2.2.2. The CA may include information in this field that differs
slightly from the verified name, such as common variations or abbreviations,
provided that the CA documents the difference and any abbreviations used are
locally accepted abbreviations; e.g., if the official record shows “Company
Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company
Name”.

- commonName (OID 2.5.4.3):  This field MUST be present for Root CA
Certificates where the corresponding Key Pair is generated after [compliance
date].

 

 

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678



 





-------------- next part --------------
A non-text attachment was scrubbed...
Name: Windows Root Certificate Program - Technical Requirements version 2_0 - TechNet Articles - United States (English) - TechNet Wiki_aspx.mht
Type: application/octet-stream
Size: 2998514 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170309/c051f4e7/attachment-0001.obj>
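
The draft Subject rules quoted in this message, written as a lint check over an already-parsed Subject (an added example, not part of the original thread or of any CA/Browser Forum tooling). The function name, the `(oid, value)` input shape, the sample subjects and the stand-in compliance date are assumptions; the draft leaves "[compliance date]" unset.

```python
from datetime import date

# OIDs named in the draft text for sections 7.1.2.1.e and 7.1.2.2.h.
OID_CN, OID_C, OID_O, OID_OU = "2.5.4.3", "2.5.4.6", "2.5.4.10", "2.5.4.11"

def lint_ca_subject(subject, key_generated, compliance_date):
    """Return findings for a CA certificate Subject against the draft rules.

    subject: list of (oid, value) pairs as a certificate parser would yield
             them (assumed shape, not a specific library's type).
    key_generated: date the CA key pair was generated.
    compliance_date: stand-in for the draft's "[compliance date]" placeholder.
    """
    values = {}
    for oid, value in subject:
        values.setdefault(oid, []).append(value.strip())
    findings = []

    country = values.get(OID_C, [])
    if not country:
        findings.append("countryName missing")
    elif any(len(c) != 2 or not (c.isascii() and c.isalpha() and c.isupper())
             for c in country):
        findings.append("countryName is not a two-letter code")

    if not any(values.get(OID_O, [])):
        findings.append("organizationName missing or empty")

    # commonName is only required when the key pair post-dates the compliance
    # date, so older CAs that name themselves in OU are not flagged.
    if not any(values.get(OID_CN, [])) and key_generated > compliance_date:
        msg = "commonName missing for key pair generated after compliance date"
        if any(values.get(OID_OU, [])):
            msg += "; organizationalUnitName is present, check whether it carries the CA name"
        findings.append(msg)
    return findings

# Constructed sample subjects (not taken from any real certificate).
OU_ONLY_CA = [(OID_C, "TW"), (OID_O, "Example Org Co., Ltd."),
              (OID_OU, "Example Issuing CA")]
CN_CA = [(OID_C, "US"), (OID_O, "Example Org Inc."),
         (OID_CN, "Example Issuing CA G2")]
ASSUMED_COMPLIANCE_DATE = date(2018, 1, 1)  # hypothetical value

if __name__ == "__main__":
    for name, subj in (("OU-only CA", OU_ONLY_CA), ("CN CA", CN_CA)):
        print(name, lint_ca_subject(subj, date(2018, 6, 1), ASSUMED_COMPLIANCE_DATE))
```
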

