Yes, I also agree. This was also taken into account when writing the ETSI standards, and for the CA certs, the minimum is what Peter has indicated plus the common name. We indicate that "... shall contain at least the following attributes ....": countryName, organizationName and commonName according to ITU-T X.520
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Peter Bowen
Sent: Tuesday, 24 January 2017 1:02
To: Kathleen Wilson <[email protected]>
Cc: [email protected]
Subject: Re: Question about Baseline Requirements section #7.1.4.2

On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson <[email protected]> wrote:
> Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only apply to end-entity certificates?
>
> If yes, where does it specify that in the document?
>
> This has come up in a few CA requests, due to errors we get when we run Kurt's x509lint test.
> Example:
> https://github.com/kroeckx/x509lint/issues/17
> https://bugzilla.mozilla.org/show_bug.cgi?id=1099311#c17

Kathleen,

I believe that it does not apply to CA certificates, but I can see how this is not clear.

To help understand the intent of this section, it is helpful to look at the history of the section. 7.1.4.2 has not been substantially changed since BR 1.3.0, which was the version that switched from the old structure to the new RFC 3647 structure. As seen in https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf, 7.1.4.2 was previously section 9.2 and 7.1.4.1 was previously section 9.1.

In 2015, the CA/Browser Forum passed ballot 148 (https://cabforum.org/2015/04/02/ballot-148-issuer-field-correction/) which changed sections 9.1 and 9.2 and appears to clearly call out that the intent is to require different content in the subjects for CA certificates than end-entity certificates.

I agree that the BRs could be clearer, but it seems to me that the only requirements are country and organization name.

Thanks
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
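The two readings discussed in this thread (BR: countryName and organizationName in a CA subject; ETSI: those two plus commonName) can be turned into a small lint check. The following is an added example, not code from x509lint, the BRs or ETSI; it carries its own minimal DER encoder/decoder for an X.501 Name so that it runs without third-party libraries, and the subjects it checks are constructed samples, not real CA names. The profile names "BR-CA" and "ETSI-CA" are labels chosen here, not identifiers from either document.

```python
"""Lint an X.509 subject Name for the CA-certificate attributes discussed
in the thread: countryName + organizationName (BR 7.1.4.2 as Peter reads it)
and additionally commonName (the ETSI minimum Inigo quotes).

Added example, not x509lint's code. The DER helpers cover only what a
Name needs: SEQUENCE, SET, OBJECT IDENTIFIER, PrintableString/UTF8String."""

# X.520 attribute type OIDs (arc 2.5.4)
OID_COUNTRY = "2.5.4.6"
OID_ORG = "2.5.4.10"
OID_CN = "2.5.4.3"
NAMES = {OID_COUNTRY: "countryName", OID_ORG: "organizationName", OID_CN: "commonName"}

# Minimum attribute sets per profile (assumption: the thread's reading of each).
PROFILES = {
    "BR-CA": {OID_COUNTRY, OID_ORG},
    "ETSI-CA": {OID_COUNTRY, OID_ORG, OID_CN},
}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Base-128 OID encoding; first two arcs share one octet (40*a + b)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(attrs):
    """attrs: list of (dotted OID, str); each attribute becomes its own RDN.
    Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    rdns = b""
    for oid, value in attrs:
        tag = 0x13 if oid == OID_COUNTRY else 0x0C  # PrintableString for C, UTF8String otherwise
        atv = _tlv(0x30, _encode_oid(oid) + _tlv(tag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Return the Name as a list of (dotted OID, str), walking every RDN and
    every AttributeTypeAndValue inside it (multi-valued RDNs included)."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        assert tag == 0x31, "RDN must be a SET"
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, after_oid = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, after_oid)
            attrs.append((_decode_oid(oid_body), val_body.decode("utf-8")))
    return attrs


def missing_ca_attributes(der, profile="BR-CA"):
    """Required attribute types absent from the subject, in a stable order."""
    present = {oid for oid, _ in parse_name(der)}
    return [NAMES[oid] for oid in (OID_COUNTRY, OID_ORG, OID_CN)
            if oid in PROFILES[profile] and oid not in present]


# Constructed sample subjects (not real CA names).
GOOD = encode_name([(OID_COUNTRY, "ES"), (OID_ORG, "Example CA Ltd"), (OID_CN, "Example Root CA")])
NO_CN = encode_name([(OID_COUNTRY, "ES"), (OID_ORG, "Example CA Ltd")])
CN_ONLY = encode_name([(OID_CN, "Example Root CA")])

if __name__ == "__main__":
    for label, der in (("good", GOOD), ("no CN", NO_CN), ("CN only", CN_ONLY)):
        print(label, "BR:", missing_ca_attributes(der), "ETSI:", missing_ca_attributes(der, "ETSI-CA"))
```

The second subject passes the BR reading and fails only the ETSI one, which is exactly the gap the two messages above describe; a real lint would take the Name bytes from the tbsCertificate of a parsed certificate rather than from `encode_name`.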

