[cabf_validation] OU attribute in CA Certificates

Ben Wilson bwilson at mozilla.com
Fri Oct 21 15:32:12 UTC 2022


At some point we should look at the next line, "commonName", and consider
prohibiting CNs that are too generic, if that's possible.

For me, the following CNs are too generic:  Issuing CA, Server CA, EV CA,
Government CA, Citizen CA, Corporate CA, Class 1 CA, etc.

Right now, that line says, "The contents SHOULD be an identifier for the
certificate such that the certificate's Name is unique across all
certificates issued by the issuing certificate."

It might say, "The contents MAY include a company name or brand and SHOULD
be an identifier for the CA that is unique and provides sufficient
information to distinguish the CA from other CAs having the same issuer or
organizationName."

Ben



On Fri, Oct 21, 2022 at 1:39 AM Dimitris Zacharopoulos (HARICA) via
Validation <validation at cabforum.org> wrote:

>
> On 14/10/2022 11:22 a.m., Dimitris Zacharopoulos (HARICA) via Validation
> wrote:
>
> The breakdown makes it clearer, thanks Doug. We just need to see how this
> will appear in the table via markdown.
>
> Dimitris.
>
> On 13/10/2022 11:05 p.m., Doug Beattie wrote:
>
> Hi Dimitris,
>
> I’d lean towards your option #2:
>
>    1. Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence
>    column state "MUST NOT, except for Non-TLS Subordinate CA Certificates
>    that meet the Certificate Profile described in section 7.1.2.3".
>
> Just a suggestion:
>
>    1. Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence
>    column state:
>       - MUST NOT for TLS Subordinate CA Certificates defined in section
>       7.1.2.3,
>       - SHOULD NOT for all other CAs
>
> Seeing no objections, I created
> https://github.com/cabforum/servercert/pull/398/files with the proposed
> language. Let me know if the formatting (single line) works for everyone.
>
> Thanks,
> Dimitris.
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
>
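The profile language discussed in this thread, as a small subject checker (an added example, not code from the thread or from the CA/Browser Forum): it decodes a DER-encoded Subject with the Python standard library only, reports an organizationalUnitName as MUST NOT in a TLS Subordinate CA Certificate and SHOULD NOT in any other CA certificate, following Dimitris's two-line wording, and reports the generic commonName labels Ben lists. The attribute OIDs are the standard X.520 ones; the function names, the fictitious sample subjects, the case-insensitive CN match and the "PROPOSED" level for the CN check (which the thread suggests but the BRs do not yet contain) are assumptions.

```python
"""Check a CA certificate's DER-encoded Subject against the profile language in
this thread. Added example, not code from the thread or from the CA/Browser
Forum; standard library only. Sample subjects below are constructed."""

# Standard X.520 attribute type OIDs
OID_C, OID_O, OID_OU, OID_CN = "2.5.4.6", "2.5.4.10", "2.5.4.11", "2.5.4.3"

# The commonName values Ben lists as too generic (assumption: matched
# case-insensitively, after trimming whitespace)
GENERIC_CNS = {"issuing ca", "server ca", "ev ca", "government ca",
               "citizen ca", "corporate ca", "class 1 ca"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn OID content octets into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Decode an X.501 Name (SEQUENCE OF SET OF SEQUENCE {type, value}) into a
    list of RDNs, each a list of (dotted_oid, text) pairs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        rdn, p = [], 0
        while p < len(set_body):
            _, atv, p = _read_tlv(set_body, p)
            _, oid_body, q = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, q)
            # PrintableString and UTF8String values both decode as UTF-8 here
            rdn.append((_decode_oid(oid_body), val_body.decode("utf-8")))
        rdns.append(rdn)
    return rdns


def lint_ca_subject(der_subject, tls_subordinate):
    """Return a list of (level, message) findings for a CA certificate Subject."""
    attrs = [atv for rdn in parse_name(der_subject) for atv in rdn]
    findings = []
    if any(oid == OID_OU for oid, _ in attrs):
        if tls_subordinate:
            findings.append(("MUST NOT", "organizationalUnitName present in a "
                             "TLS Subordinate CA Certificate (section 7.1.2.3)"))
        else:
            findings.append(("SHOULD NOT", "organizationalUnitName present in a CA certificate"))
    for oid, value in attrs:
        if oid == OID_CN and value.strip().lower() in GENERIC_CNS:
            # Level is an assumption: the thread proposes this, the BRs do not yet require it
            findings.append(("PROPOSED", f"commonName {value!r} is too generic to "
                             "distinguish this CA from others with the same issuer"))
    return findings


# --- minimal DER encoder, used only to construct the sample subjects ---
def _tlv(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]                 # base-128, high bit set on all but last octet
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out


def build_name(attrs):
    """Encode [(oid, text), ...] as a DER Name, one UTF8String attribute per RDN."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) +
                                    _tlv(0x0C, text.encode("utf-8"))))
                    for oid, text in attrs)
    return _tlv(0x30, rdns)


# Constructed sample subjects (fictitious CA names)
GENERIC_SUBJECT = build_name([(OID_C, "XX"), (OID_O, "Example Trust Services"),
                              (OID_OU, "PKI Operations"), (OID_CN, "Issuing CA")])
DISTINCT_SUBJECT = build_name([(OID_C, "XX"), (OID_O, "Example Trust Services"),
                               (OID_CN, "Example Trust TLS RSA Issuing CA 2022 G1")])

if __name__ == "__main__":
    for label, der in (("generic", GENERIC_SUBJECT), ("distinct", DISTINCT_SUBJECT)):
        print(label, lint_ca_subject(der, tls_subordinate=True) or "no findings")
```

Run stand-alone, the generic subject yields a MUST NOT finding for the OU and a PROPOSED finding for the CN; the distinct subject yields none. The same `parse_name` works on the Subject field pulled out of a real certificate's DER encoding, which is where such a check would sit in a pre-issuance lint.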