[Servercert-wg] Subject name requirements for CA Certificates

Ryan Sleevi sleevi at google.com
Tue Oct 22 14:36:55 MST 2019


I do think that's conflating things a little bit, although I can understand
the appeal.

https://cabforum.org/pipermail/servercert-wg/2019-October/001178.html
discussed paths forward for the inclusion of additional fields, including
paths forward to resolve the matter for cross-certificates, as well as to
manage expectations about "Default Deny". As far as I can tell, this is
relevant to the CAs you remarked on, and the larger list originally
provided (in
https://cabforum.org/pipermail/servercert-wg/2019-October/001154.html ).

However, to the point of GlobalSign, it was issuing certificates omitting
fields required since Ballot 199. That does seem a difference in kind and
substance, doesn't it? The argument advanced here is simply that "We
thought there were no rules for Cross Certificates" (as neither the Root CA
nor Subordinate CA rules were seen as applying), and that's... harder to
reconcile and, as mentioned, systemically problematic.

Unlike the aforementioned cases, there's not a reasonable path forward for
that, short of saying they're no longer required or not required in some
situations - which ultimately means there's no path to removal. But
https://cabforum.org/pipermail/servercert-wg/2019-October/001178.html is
still just as relevant as a path forward: by making sure we focus on the
systemic problem, and find solutions for it first and foremost.