[cabfpub] Ballot 208 - dnQualifiers

Peter Bowen pzb at amzn.com
Mon Oct 23 05:00:01 UTC 2017



> On Oct 22, 2017, at 2:35 PM, Geoff Keating <geoffk at apple.com> wrote:
> 
> 
> 
>> On 22 Oct 2017, at 1:24 pm, Peter Bowen <pzb at amzn.com> wrote:
>> 
>>> Another workaround for individual cases is to identify the subscriber!  If you just supply the countryName field, that will do.  It can be determined and verified automatically in most cases.
>> 
>> If it would be agreeable to exclude countryName-only certificates from the definition of certificates which “contain Subject Identity Information”, then this seems like a reasonable workaround.  Otherwise section 7.1.6.1 directs that these be designated OV certificates.
> 
> I don’t think it does… it says
> 
>> {joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2) domain‐validated(1)} (2.23.140.1.2.1), if the Certificate complies with these Requirements but lacks Subject Identity Information that is verified in accordance with Section 3.2.2.1 or Section 3.2.3.
>> 
>> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName, givenName, surname, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field 
> 
> countryName is not in the list of things you can’t include, and it says 3.2.2.1 not 3.2.2.3, so although countryName is ‘Subject Identity Information’ it is allowed in DV certificates if verified using 3.2.2.3(a)-3.2.2.3(c).  This makes sense because in the other cases you’re determining the countryName from the domain name or IP address.
> 
> In olden times some CAs would put countryName in all their DV certificates.  I suspect that was working around some other bug!

It was pointed out to me off list that domainComponent is also a candidate attribute type, as it is just an alternative representation of the dnsName.

I think the biggest thing is to make sure that DV certificates continue to not be covered in section 3.2.5.  I think we can assure this by making countryName and domainComponent excluded from the definition of Subject Identity Information.

Thanks,
Peter
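
Added example, not part of the thread above and not code from the CA/Browser Forum or either author: a small Go lint, standard library only, that checks a certificate against the two rules under discussion. It reads the subject attributes and the asserted policy OIDs, reports any of the seven attribute types the quoted 7.1.6.1 text forbids in a certificate asserting 2.23.140.1.2.1, and separately lists which subject attributes would still count as Subject Identity Information if countryName and domainComponent were excluded from the definition as proposed. Assumptions: the attribute type OIDs are the standard X.520 and RFC 4519 values; commonName is also treated as non-identity (on the assumption that it repeats a SAN dNSName, which the BR definition of Subject Identity Information already excludes; the value itself is not checked); the certificate examined is a constructed self-signed test certificate, not a real issued one; and the helper names (MakeDVTestCert, LintDVSubject, SubjectIdentityTypes) are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidBRDomainValidated   = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // DV policy OID quoted above
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidDomainComponent     = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25} // RFC 4519 dc
)

// Subject attribute types the quoted 7.1.6.1 text says MUST NOT appear when 2.23.140.1.2.1
// is asserted, keyed by dotted OID: O (2.5.4.10), GN (42), SN (4), street (9), L (7), ST (8), postalCode (17).
var dvForbidden = map[string]bool{
	"2.5.4.10": true, "2.5.4.42": true, "2.5.4.4": true, "2.5.4.9": true,
	"2.5.4.7": true, "2.5.4.8": true, "2.5.4.17": true,
}

// Types treated as NOT Subject Identity Information under the proposal in the message above: countryName
// (2.5.4.6) and domainComponent. commonName (2.5.4.3) is an assumption: it is taken to repeat a SAN dNSName.
var notSubjectIdentity = map[string]bool{"2.5.4.6": true, oidDomainComponent.String(): true, "2.5.4.3": true}

// subjectTypes returns, in dotted form, the subject attribute types for which keep is true.
func subjectTypes(cert *x509.Certificate, keep func(string) bool) []string {
	var out []string
	for _, atv := range cert.Subject.Names { // Names holds every parsed attribute, known or not
		if oid := atv.Type.String(); keep(oid) {
			out = append(out, oid)
		}
	}
	return out
}

// assertsPolicy reports whether the certificate asserts want. PolicyIdentifiers is populated
// on parse by every Go version (newer ones also expose the same OIDs as Policies).
func assertsPolicy(cert *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(want) {
			return true
		}
	}
	return false
}

// SubjectIdentityTypes lists the subject attributes that would still be Subject Identity
// Information under the proposed definition, i.e. what keeps a certificate inside 3.2.5.
func SubjectIdentityTypes(cert *x509.Certificate) []string {
	return subjectTypes(cert, func(oid string) bool { return !notSubjectIdentity[oid] })
}

// LintDVSubject lists the subject attributes that violate the quoted 7.1.6.1 rule;
// nil when 2.23.140.1.2.1 is not asserted, since the rule then does not apply.
func LintDVSubject(cert *x509.Certificate) []string {
	if !assertsPolicy(cert, oidBRDomainValidated) {
		return nil
	}
	return subjectTypes(cert, func(oid string) bool { return dvForbidden[oid] })
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MakeDVTestCert builds a constructed, self-signed certificate (not a real issued one) asserting
// 2.23.140.1.2.1 with the given subject; the policies extension goes in raw via ExtraExtensions.
func MakeDVTestCert(subject pkix.Name) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
	polDER := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidBRDomainValidated}}))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{"example.com"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: polDER}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	dc := pkix.AttributeTypeAndValue{Type: oidDomainComponent, Value: "example"}
	for name, subj := range map[string]pkix.Name{
		"C+DC": {Country: []string{"US"}, ExtraNames: []pkix.AttributeTypeAndValue{dc}},
		"C+O":  {Country: []string{"US"}, Organization: []string{"Example Corp"}},
	} {
		cert := MakeDVTestCert(subj)
		fmt.Printf("%-5s violations=%v identity=%v\n", name, LintDVSubject(cert), SubjectIdentityTypes(cert))
	}
}
```

Run with go run: the C+DC subject produces no 7.1.6.1 violations and no identity attributes, while the C+O subject reports 2.5.4.10 on both checks. The extension is written through ExtraExtensions rather than the PolicyIdentifiers/Policies template fields because Go changed which of those it serialises, and the lint reads PolicyIdentifiers, which parsing fills in on every version.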

