[cabfpub] Subject attribute proposal

Jacob Hoffman-Andrews jsha at letsencrypt.org
Mon Mar 20 19:09:52 UTC 2017


I support this idea, for the same reasons Peter mentioned. We'd like to be
able to issue certificates for hostnames >64 characters, which means that
the hostname can't be included in the Subject CN. Since that would leave
the Subject empty, which causes interoperability problems, we need some
attribute that is legal to include in Subject when doing Domain Validation.
DN Qualifier seems reasonably well-suited to the purpose.

On Sun, Mar 19, 2017 at 4:28 PM, Peter Bowen via Public <public at cabforum.org> wrote:

> Certificate Field: subject:qnQualifier (OID: 2.5.4.46) )
>

I think this was a small typo and Peter meant to write dnQualifier here.


> Optional.
> Contents: This field is intended to be used when several certificates with
> the same subject can be partitioned into sets of related certificates.
> Each related certificate set ought to have the same dnQualifier.  The CA may
> include a dnQualifier attribute with a zero length value to explicitly
> indicate that the CA makes no assertion about relationship with other
> certificates with the same subject.  The CA MAY wish to set the dnQualifier
> value to the base64 encoding of the SHA1 hash of the subjectAlternativeName
> extnValue if it wishes to indicate grouping of certificates by alternative
> name set.
>

Any reason for SHA1 here over SHA2? I realize the security properties here
are not important, but using an older hash always triggers a bit of a code
smell.
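To make the proposal concrete, here is an added example (not code from Let's Encrypt, Peter Bowen, or the CA/Browser Forum) that derives the proposed dnQualifier value from a minimal DER-encoded subjectAltName extnValue, using only the Python standard library. The DER helpers, the choice to sort the dNSName entries so that the same name set always hashes to the same value, and the 64-character ub-common-name bound used by `fits_in_common_name` are assumptions of this example; the hash can be switched between SHA-1 (as proposed) and SHA-256 (as questioned in the reply above) to compare the two.

```python
import base64
import hashlib
from typing import Iterable

# X.520 upper bound on commonName length; hostnames longer than this
# cannot be carried in the Subject CN, which is the motivation in the thread.
UB_COMMON_NAME = 64


def der_length(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper for one DER element."""
    return bytes([tag]) + der_length(len(content)) + content


def san_extn_value(dns_names: Iterable[str]) -> bytes:
    """Encode a subjectAltName extnValue holding only dNSName entries.

    GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IA5String,
    which DER encodes with the context-specific primitive tag 0x82.
    Names are de-duplicated and sorted (an assumption of this example) so
    that the same alternative-name *set* always yields the same bytes.
    """
    names = b"".join(
        der_tlv(0x82, name.encode("ascii")) for name in sorted(set(dns_names))
    )
    return der_tlv(0x30, names)  # SEQUENCE


def dn_qualifier(dns_names: Iterable[str], hash_name: str = "sha1") -> str:
    """base64(hash(extnValue)) as in the proposal.

    hash_name defaults to SHA-1 to match the proposal text; pass "sha256"
    to see the SHA-2 variant raised in the reply.
    """
    digest = hashlib.new(hash_name, san_extn_value(dns_names)).digest()
    return base64.b64encode(digest).decode("ascii")


def fits_in_common_name(hostname: str) -> bool:
    """True if the hostname could be placed in the Subject CN at all."""
    return len(hostname) <= UB_COMMON_NAME


if __name__ == "__main__":
    # Constructed sample input: one ordinary name and one that exceeds ub-common-name.
    long_host = "a" * 60 + ".example.com"
    names = ["example.com", "www.example.com", long_host]
    print("long host fits in CN:", fits_in_common_name(long_host))
    print("dnQualifier (sha1):  ", dn_qualifier(names))
    print("dnQualifier (sha256):", dn_qualifier(names, "sha256"))
```

Because the value is a hash of the whole extnValue, any change to the name set (or, without the sorting step, even a change in order) produces a different qualifier, which is exactly the grouping property the proposal relies on; the security strength of the hash is irrelevant here, so the SHA-1/SHA-2 choice is a matter of hygiene rather than risk.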