[cabfpub] Path forward for DV cert subjects
pzb at amzn.com
Fri Nov 3 21:37:20 UTC 2017
Last week Ballot 208 failed to obtain the necessary votes to pass. There was a decent amount of discussion on the list about the ballot during the period where several items were identified as deficiencies in the proposal. I would like to circle back to rationale behind the ballot in the first place and see if we can get rough consensus on an alternative.
As a CA, I want to be able to offer certificates that do not contain information classified as Personal Data, Personally Identifiable Information, Personal Information, or similar classifications. The simplest solution is to only include Domain Names, IP Addresses, and other technical identifiers in certificates. This is what many CAs call a “DV certificate”.
We have run into two problems with this approach, both related to the Subject in the certificate. The Subject is required to be a Distinguished Name (DN). While the standards allow a DN to be empty, we run into the first problem: a number of clients do not accept certificates where the DN is the empty sequence. Therefore we need to include at least one AttributeTypeAndValue in the DN. The current approach is to include a commonName attribute, but this brings the second problem. commonName can only be 64 characters long while a dNSName can be up to 253 characters long. This means that it is not possible to include a commonName if all names in the certificate exceed 64 characters.
Therefore we would like to include some other attribute, besides commonName, in Subject DNs in DV certificates. In testing clients, we have discovered that some clients only accept certain attribute types in DNs, so for broadest compatibility we will need to include one from their permitted list. We also want to make sure we are not including “Subject Identity Information”, as defined in the BRs, as we don’t want to trigger two sections of the BRs which are clearly meant for OV/EV certs:
3.2.5 Validation of Authority
If the Applicant for a Certificate containing Subject Identity Information is an organization, the CA SHALL use a Reliable Method of Communication to verify the authenticity of the Applicant Representative’s certificate request.
9.6.1 CA Representations and Warranties
Identity of Applicant: That, if the Certificate contains Subject Identity Information, the CA (i) implemented a procedure to verify the identity of the Applicant in accordance with Sections 3.2 and 11.2; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement
[PZB Note that 11.2 doesn’t exist; this seems to be a legacy reference]
From the discussion on the list, I propose that we explicitly exclude countryName from Subject Identity Information. As Geoff pointed out, historically some DV certs have included countryName and there is a process in the BRs for validation of countryName when it is the only item in the subject.
What do others think? Is it reasonable to allow DV certificates with countryName in the subject?
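As an added illustration of the two constraints described in this post (no empty Subject DN, and a commonName bounded at 64 characters while a dNSName may reach 253), the following Python is example code written for this page, not code from the poster or from any CA. It assumes the fallback the post proposes: copy one SAN dNSName into commonName when one fits the bound, otherwise emit a Subject containing only countryName, and only as a last resort emit the empty SEQUENCE that some clients reject. The DER encoder is a minimal hand-written one so the block runs with the standard library alone; the hostnames are constructed for the example.

```python
"""Choose and DER-encode a DV certificate Subject from its SAN dNSName list.

Added example for this discussion; assumptions are marked in comments.
"""

# Upper bounds: ub-common-name from RFC 5280 Appendix A, domain name from RFC 1035.
UB_COMMON_NAME = 64
UB_DNS_NAME = 253

OID_COMMON_NAME = bytes.fromhex("550403")   # 2.5.4.3 (id-at-commonName)
OID_COUNTRY_NAME = bytes.fromhex("550406")  # 2.5.4.6 (id-at-countryName)

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x0C, 0x13


def der_length(n):
    """DER definite-form length: one byte below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def attribute_type_and_value(oid, value_tag, value):
    """AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }"""
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, oid) + der_tlv(value_tag, value))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName; RDN ::= SET OF AttributeTypeAndValue.

    rdns is a list of (oid, value_tag, value_bytes) triples, one attribute per RDN.
    An empty list encodes to the empty SEQUENCE (30 00), which the post says some clients reject.
    """
    return der_tlv(TAG_SET and TAG_SEQUENCE,
                   b"".join(der_tlv(TAG_SET, attribute_type_and_value(*a)) for a in rdns))


def choose_dv_subject(dns_names, country=None):
    """Return the RDN list for a DV certificate Subject (assumed policy, see lead-in).

    1. Reject any dNSName longer than the 253-character bound outright.
    2. If some SAN name fits in commonName (<= 64 chars), use it as the CN.
    3. Otherwise, if a validated two-letter country code is supplied, emit countryName only.
    4. Otherwise emit the empty DN (caller should expect client compatibility problems).
    """
    for name in dns_names:
        if len(name) > UB_DNS_NAME:
            raise ValueError("dNSName exceeds %d characters: %r" % (UB_DNS_NAME, name))
    fitting = [n for n in dns_names if len(n) <= UB_COMMON_NAME]
    if fitting:
        return [(OID_COMMON_NAME, TAG_UTF8STRING, fitting[0].encode("ascii"))]
    if country is not None:
        code = country.upper()
        if len(code) != 2 or not code.isalpha():
            raise ValueError("countryName must be a two-letter ISO 3166 code: %r" % country)
        return [(OID_COUNTRY_NAME, TAG_PRINTABLESTRING, code.encode("ascii"))]
    return []


if __name__ == "__main__":
    # Constructed sample inputs: one short name, one 71-character name.
    short = ["example.com"]
    long_only = ["a" * 59 + ".example.com"]
    for names, country in ((short, None), (long_only, "us"), (long_only, None)):
        rdns = choose_dv_subject(names, country)
        print(names, country, "->", encode_name(rdns).hex())
```

The first case yields a Subject of `CN=example.com`; the second, where every SAN name is too long for commonName, falls back to `C=US`; the third shows the empty DN `3000` that motivates the whole thread.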