[cabfpub] Subject attribute proposal

Peter Bowen pzb at amzn.com
Mon Mar 20 19:14:52 UTC 2017


> On Mar 20, 2017, at 12:09 PM, Jacob Hoffman-Andrews <jsha at letsencrypt.org> wrote:
> 
> I support this idea, for the same reasons Peter mentioned. We'd like to be able to issue certificates for hostnames >64 characters, which means that the hostname can't be included in the Subject CN. Since that would leave the Subject empty, which causes interoperability problems, we need some attribute that is legal to include in Subject when doing Domain Validation. DN Qualifier seems reasonably well-suited to the purpose.
> 
> On Sun, Mar 19, 2017 at 4:28 PM, Peter Bowen via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> Certificate Field: subject:qnQualifier (OID: 2.5.4.46) )
>  
> I think this was a small typo and Peter meant to write dnQualifier here

Correct.  This should be subject:dnQualifier

> Optional.
> Contents: This field is intended to be used when several certificates with the same subject can be partitioned into sets of related certificates.  Each related certificate set ought to have the same dnQualifier.  The CA may include a dnQualifier attribute with a zero length value to explicitly indicate that the CA makes no assertion about relationship with other certificates with the same subject.  The CA MAY wish to set the dnQualifier value to the base64 encoding of the SHA1 hash of the subjectAlternativeName extnValue if it wishes to indicate grouping of certificates by alternative name set.
> 
> Any reason for SHA1 here over SHA2? I realize the security properties here are not important, but using an older hash always triggers a bit of a code smell.

I was modeling this after the KeyId extensions.  I’m happy with most any option here given that it is a “may wish to”.
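As an added illustration (not code from the thread or from any CA), this shows how a CA could derive the dnQualifier value the proposal describes from a subjectAlternativeName extnValue, with both the proposal's SHA-1 and the SHA-2 alternative raised in the reply. The DER encoding is hand-rolled here and assumes a SAN made up only of dNSName entries; the hostnames are constructed sample values.

```python
import base64
import hashlib
from typing import Iterable


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) above.
    Long form matters here because the thread is about names over 64 characters."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def san_ext_value(dns_names: Iterable[str]) -> bytes:
    """DER-encode a SubjectAltName extnValue: SEQUENCE OF GeneralName, where each
    entry is a dNSName ([2] IMPLICIT IA5String, context tag 0x82).
    Note the hash below covers this exact encoding, so name order is significant."""
    names = b"".join(
        b"\x82" + der_length(len(n)) + n.encode("ascii") for n in dns_names
    )
    return b"\x30" + der_length(len(names)) + names


def dn_qualifier(extn_value: bytes, algo: str = "sha1") -> str:
    """Base64 of the hash of the extnValue: 'sha1' as written in the proposal,
    'sha256' for the SHA-2 variant suggested in the reply."""
    return base64.b64encode(hashlib.new(algo, extn_value).digest()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a SAN set that could not go into a 64-char CN.
    long_name = "a" * 70 + ".example.com"
    san = san_ext_value([long_name, "example.com"])
    print("extnValue hex:", san.hex())
    print("dnQualifier (SHA-1):  ", dn_qualifier(san))
    print("dnQualifier (SHA-256):", dn_qualifier(san, "sha256"))
```

Two certificates carrying byte-identical SAN extnValues get the same qualifier, so relying parties can group them without parsing the extension themselves.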
