Hi Gerv,

I'm also confused with the proposal, so wanted to discuss our methodology.

From our point of view, we create a subordinate certification authority and give this CA a distinguished name. We use the CN to give the CA a unique identifier, so that the common name will not be mixed up with any other subordinate CAs. Then we need to give the subordinate CA trust, so we issue it a subordinate CA certificate from a root CA. The subordinate CA certificate will have the same distinguished name. If for some reason we need to issue the subordinate CA another CA certificate (e.g., the original certificate expires), then the new certificate will have the identical subject name as the original.

I am hoping that this is acceptable and meets your requirements.

Thanks,
Bruce.

-----Original Message-----
From: Public [mailto:[email protected]] On Behalf Of Gervase Markham via Public
Sent: Wednesday, April 26, 2017 12:57 PM
To: Peter Bowen <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Cc: Gervase Markham <[email protected]>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 199 - Require commonName in Root and Intermediate Certificates

On 25/04/17 18:15, Peter Bowen wrote:
> What does "such that the certificate's Name is unique across all
> certificates issued by the issuing certificate" mean? How is this a
> requirement on commonName, if this means the full subject Name?

In the previous discussion, you wrote:

"What is the rationale of requiring a unique commonName attribute per issuer rather than a unique Name per issuer? Amazon purposefully chose to use the same commonName (but different Names) for issuers that follow the same policy and only vary by cryptographic parameters (e.g. public key algorithm, key size and signature hash algorithm)."

And I said:

"If everyone else is fine with this, I am. (By Name, do you mean DN?)"

No-one else commented, so I just used your words in the ballot - "unique Name per issuer".

Gerv
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
