[cabf_validation] Subject DN attributes in ICA certificates

Ryan Sleevi sleevi at google.com
Wed Jun 10 08:13:17 MST 2020


On Wed, Jun 10, 2020 at 10:47 AM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Ryan,
>
>
>
> If the current spec lists just the 3 fields, and the end game is just
> these 3 fields, then is it *necessary* to formally adopt an intermediate
> set of fields to allow other attributes until we prohibit them?
>

We know some folks are going to insist certain fields are essential (e.g.
due to certain interpretations of local legal requirements), and so we
can't just jump to that end point, and I'm wanting to make sure we have a
chance for broader discussion.


> Perhaps we just update the section 7.1.4.3.1 to say: As of (some date in
> 2020), No other attributes are permitted.
>
>
>
> Maybe there are specific short term needs, and if so, then we should only
> permit those very few attributes for this transitional period.  Let’s not
> make this a bigger job than we need.
>
>
>
> Personally I see value in Locality and state/Prov especially when it comes
> to Vanity CAs, so I’m looking forward to seeing why these are harmful to
> the community (again).
>

Yeah, our position is that Vanity CAs themselves are harmful to users and
the broader ecosystem, so I can understand this will be an important
discussion to have, to make sure we're not overlooking a potential value
proposition to server operators and relying parties.

Since we're taking a while with profiles, I'll put together a quick ballot
for discussion. I don't think it'll hit the "Cleanup and Clarifications",
but could be a useful quick follow-up.