[cabfpub] Require commonName in Root and Intermediate Certificates ballot draft

Peter Bowen pzb at amzn.com
Tue Mar 28 13:39:09 UTC 2017


> On Mar 28, 2017, at 6:34 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> Hi everyone,
> 
> Here's a draft of a ballot to require commonName to be present in root and Intermediate certificates, which is something we've talked about in the past although not all that recently. This idea has had less review, so it may require more wordsmithing.
> 
> 7.1.4.3.1 Subject Distinguished Name Fields
> 
> Certificate Field: subject:commonName (OID 2.5.4.3)
> Required/Optional: Required
> Contents: This field MUST be present and the contents MUST be an identifier 
> for the certificate which is unique across all certificates issued by the 
> issuing certificate.

Gerv,

What is the rationale for requiring a unique commonName attribute per issuer rather than a unique Name per issuer?  Amazon purposefully chose to use the same commonName (but different Names) for issuers that follow the same policy and only vary by cryptographic parameters (e.g. public key algorithm, key size and signature hash algorithm).

Thanks,
Peter
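Added example, not code from the ballot draft, the Forum or Amazon: a pure-Python checker that applies the draft's "CN present and unique per issuer" rule and the whole-Name alternative raised in the reply to a constructed set of CA certificates. Only OID 2.5.4.3 comes from the thread; the other attribute OIDs, the DN values and the (issuer, subject) record layout are assumptions.

```python
from collections import defaultdict

CN_OID = "2.5.4.3"  # id-at-commonName, the OID cited in the ballot text

# A Name is modelled as a tuple of (OID, value) pairs in encoding order,
# standing in for a DER-encoded X.501 Name so the example runs offline.
def common_name(name):
    """Return the commonName value, or None when the attribute is absent."""
    for oid, value in name:
        if oid == CN_OID:
            return value
    return None

def check_cn_rule(certs):
    """Ballot draft: every certificate carries a CN, and no two certificates
    from the same issuer share a CN. certs is a list of (issuer, subject)
    Names; returns a list of (problem, subject) tuples, empty on success."""
    problems = []
    seen = defaultdict(set)  # issuer Name -> CNs it has already issued
    for issuer, subject in certs:
        cn = common_name(subject)
        if cn is None:
            problems.append(("missing-cn", subject))
        elif cn in seen[issuer]:
            problems.append(("duplicate-cn", subject))
        else:
            seen[issuer].add(cn)
    return problems

def check_name_rule(certs):
    """Alternative from the reply: the whole subject Name is unique per issuer."""
    problems = []
    seen = defaultdict(set)  # issuer Name -> full subject Names already issued
    for issuer, subject in certs:
        if subject in seen[issuer]:
            problems.append(("duplicate-name", subject))
        else:
            seen[issuer].add(subject)
    return problems

# Constructed sample (not real certificates): one root issues two
# intermediates that share a CN and differ only in an OU naming the key type,
# the pattern the reply describes. 2.5.4.6/10/11 are C, O and OU (assumed).
ROOT = (("2.5.4.6", "XX"), ("2.5.4.10", "Example CA"), (CN_OID, "Example Root"))
INT_RSA = (("2.5.4.6", "XX"), ("2.5.4.10", "Example CA"),
           ("2.5.4.11", "RSA 2048"), (CN_OID, "Example Issuing CA"))
INT_EC = (("2.5.4.6", "XX"), ("2.5.4.10", "Example CA"),
          ("2.5.4.11", "ECDSA P-256"), (CN_OID, "Example Issuing CA"))
SAMPLE_CERTS = [(ROOT, INT_RSA), (ROOT, INT_EC)]
```

Run against SAMPLE_CERTS, check_name_rule passes while check_cn_rule flags the second intermediate as a duplicate CN, which is exactly the gap between the two rules the reply asks about.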

