Hi,

On Fri, 11 Dec 2020 10:51:44 +0000
Burton via dev-security-policy <dev-security-policy@lists.mozilla.org>
wrote:

> The common name of the Let's Encrypt R3 intermediate certificate (
> https://crt.sh/?id=3479778542) is in my opinion short and ambiguous.
> It doesn't have any information in common name that can identify the
> operator of the CA "Let's Encrypt" which can cause confusion who is
> running the CA.
> 
> The intermediate certificate common name "R3" naming shouldn't be
> allowed. It's like the past root store naming that had ambiguous
> naming such as "Root CA".

I am somewhat "guilty" of that because I proposed to Let's Encrypt [1]
to try to shorten strings in the intermediate in order to make it
smaller (it is transmitted very often, so small savings matter).

The rationale in the discussion for the R3 common name was that the
organizationName already contains "Let's Encrypt" and is required,
thus putting the CA name into the CN is redundant.

I guess this comes down to the question whether you expect the common
name on its own to be meaningful in intermediate certs or if you
consider the whole subject. If you manage your CA store by always
showing the whole subject this problem does not exist. I feel this
makes sense, if an organizationName is required anyway then there
shouldn't be a need. And given that certs are transmitted very often
and the info in the subject is read rarely (it is after all just
informational and has little technical meaning except for identifying
the cert) I feel there shouldn't be rules that make this info
needlessly long.

[1]
https://community.letsencrypt.org/t/lets-encrypt-new-hierarchy-plans/125517/18
-- 
Hanno Böck
https://hboeck.de/
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to