On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson <[email protected]> wrote:
> Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only 
> apply to end-entity certificates?
>
> If yes, where does it specify that in the document?
>
> This has come up in a few CA requests, due to errors we get when we run 
> Kurt's x509lint test.
> Example:
> https://github.com/kroeckx/x509lint/issues/17
> https://bugzilla.mozilla.org/show_bug.cgi?id=1099311#c17

Kathleen,

I believe that it does not apply to CA certificates, but I can see how
this is not clear.

To help understand the intent of this section, it is helpful to look
at the history of the section.  7.1.4.2 has not been substantially
changed since BR 1.3.0, which was the version that switched from the
old structure to the new RFC 3647 structure.  As seen in
https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf,
7.1.4.2 was previously section 9.2 and 7.1.4.1 was previously section
9.1.

In 2015, the CA/Browser Forum passed ballot 148
(https://cabforum.org/2015/04/02/ballot-148-issuer-field-correction/)
which changed sections 9.1 and 9.2 and appears to clearly call out
that the intent is to require different content in the subjects for CA
certificates than end-entity certificates.

I agree that the BRs could be clearer, but it seems to me that the
only requirements are country and organization name.

Thanks
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
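A concrete form of the check the thread is discussing, as an added example that is not part of the original thread and is not x509lint's own code: a minimal DER walker for an X.509 subject Name plus a lint that applies Peter's reading of 7.1.4.2 to a CA certificate subject (countryName and organizationName must be present). The two-letter countryName check goes one step beyond what Peter lists and reflects the BRs' ISO 3166-1 requirement. The function names, the DER encoder used to build the inputs, and the sample subjects are all assumptions constructed for this illustration, not taken from any real CA certificate.

```python
"""Lint a DER-encoded X.509 subject Name for the CA-certificate subject fields.

Added illustration only: the encoder, the parser and the sample subjects below
are constructed for this example and are not x509lint code or BR text.
The DER walker handles exactly what a Name needs: SEQUENCE, SET, OID and
string values; it is not a general ASN.1 decoder.
"""

OID_C = "2.5.4.6"    # id-at-countryName
OID_O = "2.5.4.10"   # id-at-organizationName
OID_CN = "2.5.4.3"   # id-at-commonName


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID content octets into dotted form, e.g. 55 04 06 -> 2.5.4.6."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Decode a DER Name into [(oid, value)] pairs, RDN order preserved."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pairs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):               # a SET may hold several AttributeTypeAndValue
            tag, atv, p = _read_tlv(rdn, p)
            t, oid_bytes, q = _read_tlv(atv, 0)
            if tag != 0x30 or t != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            _, val, _ = _read_tlv(atv, q)
            pairs.append((_decode_oid(oid_bytes), val.decode("utf-8")))
    return pairs


def lint_ca_subject(der):
    """Return a list of problems; empty means the subject passes the CA-subject check."""
    pairs = parse_name(der)
    present = {oid for oid, _ in pairs}
    problems = []
    if OID_C not in present:
        problems.append("countryName (C) missing")
    else:
        for oid, val in pairs:
            if oid == OID_C and len(val) != 2:
                problems.append(f"countryName {val!r} is not a two-letter ISO 3166-1 code")
    if OID_O not in present:
        problems.append("organizationName (O) missing")
    return problems


# --- helpers to build constructed sample subjects (assumed, not from a real CA) ---

def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_name(pairs):
    """Encode [(oid, value)] as a DER Name, one attribute per RDN."""
    rdns = b""
    for oid, value in pairs:
        string_tag = 0x13 if oid == OID_C else 0x0C   # PrintableString for C, UTF8String otherwise
        atv = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(string_tag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


# Constructed samples: a compliant CA subject and one missing organizationName.
CA_SUBJECT_OK = encode_name([(OID_C, "US"), (OID_O, "Example Trust Services"), (OID_CN, "Example Root CA")])
CA_SUBJECT_NO_O = encode_name([(OID_C, "US"), (OID_CN, "Example Root CA")])

if __name__ == "__main__":
    for label, der in (("ok", CA_SUBJECT_OK), ("no-O", CA_SUBJECT_NO_O)):
        print(label, lint_ca_subject(der) or "passes")
```

Feeding this the subject of a real CA certificate means extracting the Name from the TBSCertificate first (for example with openssl asn1parse), which this snippet deliberately leaves out; the point is only the field check, not certificate parsing.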
