[cabf_validation] 7.1.2.2.h Subordinate CA Common Name

Peter Bowen pzb at amzn.com
Sat Mar 11 12:26:09 MST 2017


Jeremy,

I agree.  Requiring a CN seems fine and the CA should probably have to show some right to use the name, but it does make sense that the CN could be used to identify a specific customer.

Thanks,
Peter

> On Mar 9, 2017, at 1:50 PM, Jeremy Rowley via Validation <validation at cabforum.org> wrote:
> 
> I don’t think we should require the CA’s name in the CN. The Microsoft requirement only applies to root certificates, not intermediates. Instead, we should leave the CN requirement to non-misleading. Afterall, I suspect with the intermediate use separation requirements a lot of intermediates will want to use “Company ABC – Client Certs”.
> From: Validation [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Ben Wilson via Validation
> Sent: Thursday, March 9, 2017 11:22 AM
> To: realsky at cht.com.tw <mailto:realsky at cht.com.tw>; validation at cabforum.org <mailto:validation at cabforum.org>
> Cc: Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>>
> Subject: Re: [cabf_validation] 7.1.2.2.h Subordinate CA Common Name
>  
> Li-Chun, please see my responses inline below.
>  
> From: 陳立群 [mailto:realsky at cht.com.tw <mailto:realsky at cht.com.tw>] 
> Sent: Thursday, March 9, 2017 7:39 AM
> To: 'CA/Browser Forum Validation WG List' <validation at cabforum.org <mailto:validation at cabforum.org>>
> Cc: Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>>
> Subject: RE: [cabf_validation] 7.1.2.2.h Subordinate CA Common Name
>  
> Dear Ben,
>  
>      - commonName (OID 2.5.4.3):  This field MUST be present for Subordinate CA Certificates where the corresponding Key Pair is generated after [compliance date].
>  
> “The compliance date” means a day after the ballot will be passed, right?
>  
> BEN:  Correct
>  
> Otherwise, as I said in the last call, there are some Root CAs or Subordinate CAs that use OU to specify a CA’s name instead of the Common Name. That is, the CA belongs to an Organization, so the CA’s name is put in the OU and no value is in the Common Name.
>  
> BEN: I realize that is how it was done in the past. I know that Banca d’Italia did this, but they are the only CA I’m aware of—I’m sure there are many others. Would there be a problem with requiring the CA name in the CN in the future?
>  
> Also, please see the attached file: in 2013, the Microsoft Root Certificate Program had not yet specified that a Common Name is required for a Root CA or Sub CA. (Only the Root CA Organization Name must appear in the Root Certificate.)
> Subject Name in any CA certificates (root or intermediate) must contain the name of the organization that operates the CA at the time of issuance.
>  
> It was in 2015 that the Microsoft Root Certificate Program asked new Root CAs to follow:
>  
> The CN attribute must identify the publisher and must be unique.
>  
> The CN attribute must be in a language that is appropriate for the CA’s market and readable by a typical customer in that market.
>  
> BEN: That is correct. Since 2015, new CAs should put the name of the CA in the CN to comply with Microsoft. In the CABF Baseline Requirements, we should follow that requirement.
>  
> Sincerely Yours,
>  
> Li-Chun Chen
>  
> From: Validation [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Ben Wilson via Validation
> Sent: Friday, February 24, 2017 1:04 AM
> To: validation at cabforum.org <mailto:validation at cabforum.org>
> Cc: Ben Wilson
> Subject: [External Mail] [cabf_validation] 7.1.2.2.h Subordinate CA Common Name
>  
> As a follow up to today’s discussion, here is a first draft of an amendment to the Baseline Requirements that would address the requirement to have a Common Name in CA certificates.
>  
> 7.1.2.2. Subordinate CA Certificate
> Subject Information
> The Certificate Subject MUST contain the following:
> - countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.
> - organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.
> - commonName (OID 2.5.4.3):  This field MUST be present for Subordinate CA Certificates where the corresponding Key Pair is generated after [compliance date].
>  
> This raises a question for similar language in section 7.1.2.1.e, Subject information for Root CA Certificates:
>  
> e. Subject Information
> The Certificate Subject MUST contain the following:
> - countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.
> - organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.
> - commonName (OID 2.5.4.3): This field MUST be present for Root CA Certificates where the corresponding Key Pair is generated after [compliance date].
>  
>  
>  
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
> 
>  
>  
>  
>  
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org <mailto:Validation at cabforum.org>
> https://cabforum.org/mailman/listinfo/validation <https://cabforum.org/mailman/listinfo/validation>
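As an added illustration (not part of this thread or of any CA/B Forum or Microsoft program text), the following check parses a DER-encoded subject Name and reports which of the attributes the draft 7.1.2.2 text requires are absent, flagging the OU-as-CA-name pattern Li-Chun describes. The sample subjects, organization names and helper functions are constructed for this example; it assumes attribute values are PrintableString or UTF8String, which decode as UTF-8.

```python
# Minimal DER Name parser plus a subject check for the draft 7.1.2.2 rules;
# the sample subjects below are constructed, the OIDs come from the draft text.
REQUIRED = {"2.5.4.6": "countryName", "2.5.4.10": "organizationName", "2.5.4.3": "commonName"}

def _tlv(buf, pos):
    """Decode one DER TLV at pos: (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _oid(b):
    """Decode OID contents octets to dotted form (first octet packs two arcs)."""
    arcs, val = list(divmod(b[0], 40)), 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Flatten a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) to [(oid, text)]."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = _tlv(body, pos)
        assert stag == 0x31, "each RDN must be a SET"
        p = 0
        while p < len(rdn):
            _, atv, p = _tlv(rdn, p)
            _, oid, q = _tlv(atv, 0)
            _, val, _ = _tlv(atv, q)  # assumes PrintableString/UTF8String values
            attrs.append((_oid(oid), val.decode("utf-8")))
    return attrs

def check_ca_subject(der):
    """Findings against the draft's required attributes; [] means the subject passes."""
    present = dict(parse_name(der))
    findings = [f"{name} (OID {oid}) missing" for oid, name in REQUIRED.items() if oid not in present]
    if "2.5.4.3" not in present and "2.5.4.11" in present:  # the OU-as-CA-name pattern
        findings.append("CA name carried in organizationalUnitName, not commonName")
    return findings

# Tiny DER encoder used only to build the constructed samples (all lengths < 128 bytes).
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _rdn(oid_bytes, text):
    return _der(0x31, _der(0x30, _der(0x06, oid_bytes) + _der(0x0C, text.encode())))
C, O, OU, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x0b", b"\x55\x04\x03"
LEGACY_SUBJECT = _der(0x30, _rdn(C, "TW") + _rdn(O, "Example Org") + _rdn(OU, "Example Org CA"))
CONFORMANT_SUBJECT = _der(0x30, _rdn(C, "TW") + _rdn(O, "Example Org") + _rdn(CN, "Example Org Sub CA"))
```

Running `check_ca_subject` over a real CA certificate's subject (the DER bytes of its Name) gives an empty list for a subject that carries C, O and CN, and names each missing attribute otherwise.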