On Fri, Dec 11, 2020 at 5:51 AM Burton via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> The common name of the Let's Encrypt R3 intermediate certificate (
> https://crt.sh/?id=3479778542) is in my opinion short and ambiguous. It
> doesn't have any information in common name that can identify the operator
> of the CA "Let's Encrypt" which can cause confusion who is running the CA.
>
> The intermediate certificate common name "R3" naming shouldn't be allowed.
> It's like the past root store naming that had ambiguous naming such as
> "Root CA".
>
> If such common name naming was adopted by other CAs it would terrible to
> manage certificate stores and cause chaos of confusion.
>
>  Burton
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


I see nothing wrong here, and believe it would benefit users if more CAs
adopted this.

I’m honestly shocked that the benefits aren’t self-evident, although I
appreciate Let’s Encrypt having documented them as well. What possible
reason could you have for raising concern? I cannot see any fathomable
reason for wanting to, say, repeat the organization name within the CN, nor
is there any need whatsoever to have any “human readable” strings there in
the CN, as long as there is a unique string.

Ideally, users would most benefit from simply having a random value in the
DN (no details, period) for both roots *and* intermediates, as this
metadata both can and should be addressed by CCADB. After all, we have
plenty of examples over the past 25 years where, for both roots and
intermediates, every bit of the DN becomes inaccurate over time (e.g. roots
are sold, companies rebrand, etc).

So, while I understand the “I can’t look at the cert and tells who owns it”
argument, which I’m not sure if you’re making, but which is demonstrably
nonsense already, could you perhaps clarify more about why you don’t like
it?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to