[cabfpub] [EXTERNAL] Require commonName in Root and Intermediate Certificates ballot draft

Ryan Sleevi sleevi at google.com
Tue Mar 28 14:33:18 UTC 2017


On Tue, Mar 28, 2017 at 10:20 AM, Bruce Morton via Public <
public at cabforum.org> wrote:

> Gerv,
>
> For CNs for Subordinate CAs, the ballot states “This field MUST be present
> and the contents MUST be an identifier for the certificate which is unique
> across all certificates issued by the issuing certificate.”
>
> In some cases the certificate for a Subordinate CA may be reissued. In
> this case the Subject Name should stay the same, so the CN should not
> change. I haven’t figured out alternative language, but I think it should
> imply that the CN is unique per each Subordinate CA and not unique per
> certificate.
>

While arguably something for a separate ballot, I do hope you and others
will think of clear technical reasons why that's desirable, as opposed to
issuing a newly-named subordinate and transitioning issuance to that.

Significant complexities and challenges can be introduced by the approach
you describe, and it would be useful (and again, not for this ballot) to
explicitly prohibit it. However, if that has unintended consequences (where
the intended consequence is a significant simplification for clients and
relying party/subscribers as to configuration and security), it would be
good to be ruminating on them.