On 2018-07-13 12:02, [email protected] wrote:
> We suggest that a CA "in principle" must comply with the string length limit
> of RFC 5280 for organizationalUnitName or organizationName field in Subject of a
> certificate. But if it is necessary after verification to express an organization’s name
> in the organizationalUnitName or organizationName field of the subject field that exceeds
> the string length limit of RFC 5280, then Mozilla should not regard these special cases
> as errors of a CA. After all, the X.500 standard has no limit on the length of the string,
> and let the issuing CA and the Subscriber who has accepted that SSL certificate bear
> the possibility of any incompatibility issues.
As pointed out in the discussion, RFC 5280 itself has those limits, and
references an older X.509 standard that also has the limits. RFC 5280 is
what is implemented. What documents like CA/B Forum requirements or
newer X.509 versions say is not relevant. The CA/B Forum cannot remove
requirements, only add new requirements. Implementations can and do
implement the RFC 5280 / X.509 length limits.
If you want those lengths to be changed, an update of RFC 5280 is
required. And it seems unlikely that this will actually get changed.
Kurt
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
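As an added example (not from the thread or from any CA's tooling): a small Python linter that applies the RFC 5280 Appendix A.1 upper bounds Kurt refers to, counting characters rather than UTF-8 bytes, run over a constructed subject containing a 70-character organizationName. The attribute names and the sample subject are this example's own; the ub-* values are the ones in RFC 5280.

```python
from typing import Iterable, List, Tuple

# RFC 5280 Appendix A.1 upper bounds. ASN.1 SIZE constraints count characters,
# not bytes, so a UTF8String with multibyte characters can be longer on the
# wire than the bound while still conforming.
RFC5280_UPPER_BOUNDS = {
    "countryName": 2,              # PrintableString (SIZE (2))
    "commonName": 64,              # ub-common-name
    "organizationName": 64,        # ub-organization-name
    "organizationalUnitName": 64,  # ub-organizational-unit-name
    "localityName": 128,           # ub-locality-name
    "stateOrProvinceName": 128,    # ub-state-name
    "title": 64,                   # ub-title
    "serialNumber": 64,            # ub-serial-number
    "pseudonym": 128,              # ub-pseudonym
    "emailAddress": 255,           # ub-emailaddress-length
}


def check_subject_lengths(subject: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one message per subject attribute whose value exceeds its bound."""
    problems = []
    for attr, value in subject:
        limit = RFC5280_UPPER_BOUNDS.get(attr)
        if limit is None:
            continue            # RFC 5280 defines no bound for this attribute
        length = len(value)     # code points, not len(value.encode("utf-8"))
        if length > limit:
            problems.append(f"{attr}: {length} chars exceeds RFC 5280 limit of {limit}")
    return problems


def demo() -> List[str]:
    # Constructed subject: a 70-character organizationName (over the 64 bound)
    # and a 64-character OU that is 192 bytes in UTF-8 but still conforms.
    subject = [
        ("countryName", "JP"),
        ("organizationName", "Example Long Organization Name " + "X" * 39),
        ("organizationalUnitName", "\u6771" * 64),
        ("commonName", "www.example.com"),
    ]
    return check_subject_lengths(subject)
```

The (attribute, value) pairs can come from any certificate parser; feeding a subject through this check before issuance is the CA-side control the thread is discussing.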