Kirk raised that, but it does not seem to be a founded concern.

1) That requirement applies to all certificates issued against the current BRs
2) The BRs do not retroactively invalidate - or, especially in the case of Ballot 197 - approve - certificate issuance.

A CA has always and only been obligated to state compliance with the in-force BRs with respect to issuance and its activities.

On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <[email protected]> wrote:

> Gerv, could we also request explicit forward-looking language? Kirk raised
> the concern about whether this applies to existing roots and intermediates.
> We have a root issued in 1997 that does not have a common name. Some
> interpretations have been discussed, but we would strongly prefer that this
> be written into this change for clear future interpretations.
>
> If I may:
>
> 7.1.4.3. Subject Information – Root Certificates and Subordinate CA
> Certificates
>
> When issuing a Root Certificate or Subordinate CA Certificate, the CA
> represents that it followed the procedure set forth in its Certificate
> Policy and/or Certification Practice Statement to verify that, as of the
> Certificate’s issuance date, all of the Subject Information was accurate
> and included the content required by this section.
>
> *From:* Public [mailto:[email protected]] *On Behalf Of *Ben
> Wilson via Public
> *Sent:* Thursday, May 04, 2017 11:21 AM
> *To:* CA/Browser Forum Public Discussion List <[email protected]>
> *Cc:* Ben Wilson <[email protected]>
> *Subject:* [EXT] Re: [cabfpub] Ballot 199 - Require commonName in Root
> and Intermediate Certificates
>
> Two questions, Gerv.
>
> 1 - Does this ballot rule out “vanity CAs” – CAs with customer names in
> the subject field, even though the key is held by the root CA? (I can
> provide further clarification, and/or examples, if necessary.
>
> 2- What is the full current wording of Ballot 199?
>
> Thanks,
>
> Ben
>
> *From:* Public [mailto:[email protected]
> <[email protected]>] *On Behalf Of *Gervase Markham via Public
> *Sent:* Tuesday, April 25, 2017 9:03 AM
> *To:* CABFPub <[email protected]>
> *Cc:* Gervase Markham <[email protected]>
> *Subject:* [cabfpub] Ballot 199 - Require commonName in Root and
> Intermediate Certificates
>
> *Ballot 199 - Require commonName in Root and Intermediate Certificates*
>
> *Purpose of Ballot: *Section 7.1.4.3 of the BRs, which deals with Subject
> Information for Subordinate CA Certificates, currently requires only that
> all information in a Subordinate CA Certificate is accurate; it does not
> say what information is required. Some of the necessary information is
> required elsewhere in the BRs, but it is not complete - commonName is
> missing. If commonName is omitted, DN clashes can more easily occur. So
> this motion centralises that information in the obvious place, and adds a
> commonName requirement.
>
> The following motion has been proposed by Gervase Markham of Mozilla and
> endorsed by Patrick Tronnier of OATI and Ryan Sleevi of Google:
>
> -- MOTION BEGINS --
>
> Make the following changes to the Baseline Requirements:
>
> * Delete 7.1.2.1 (e), which currently defines the Subject Information
> required in a Root CA Certificate.
>
> * Delete 7.1.2.2 (h), which currently defines the Subject Information
> required in a Subordinate CA Certificate.
>
> * Rename section 7.1.4.2, currently titled "Subject Information", to "Subject
> Information - Subscriber Certificates".
>
> * Rename section 7.1.4.3, currently titled "Subject Information - Subordinate
> CA Certificates" to "Subject Information - Root Certificates and Subordinate
> CA Certificates".
>
> * Based on the style used in 7.1.4.2.2 and the content from the now-deleted
> 7.1.2.1 (e) and 7.1.2.2 (h), add the following section 7.1.4.3.1:
>
> > 7.1.4.3.1 Subject Distinguished Name Fields
> >
> > Certificate Field: subject:commonName (OID 2.5.4.3)
> > Required/Optional: Required
> > Contents: This field MUST be present and the contents MUST be an identifier
> > for the certificate such that the certificate's Name is unique across all
> > certificates issued by the issuing certificate.
> >
> > b. Certificate Field: subject:organizationName (OID 2.5.4.10)
> > Required/Optional: Required
> > Contents: This field MUST be present and the contents MUST contain
> > either the Subject CA’s name or DBA as verified under Section 3.2.2.2.
> > The CA may include information in this field that differs slightly from
> > the verified name, such as common variations or abbreviations, provided
> > that the CA documents the difference and any abbreviations used are
> > locally accepted abbreviations; e.g., if the official record shows
> > “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or
> > “Company Name”.
> >
> > c. Certificate Field: subject:countryName (OID: 2.5.4.6)
> > Required/Optional: Required
> > Contents: This field MUST contain the two‐letter ISO 3166‐1 country code
> > for the country in which the CA’s place of business is located.
>
> -- MOTION ENDS --
>
> The procedure for approval of this Final Maintenance Guideline ballot is
> as follows (exact start and end times may be adjusted to comply with
> applicable Bylaws and IPR Agreement):
>
> BALLOT 199
> Status: Final Maintenance Guideline | Start time (23:00 UTC) | End time (23:00 UTC)
> Discussion (7 to 14 days) | 25 Apr | 2 May
> Vote for approval (7 days) | 2 May | 9 May
> If vote approves ballot: Review Period (Chair to send Review Notice) (30 days). If Exclusion Notice(s) filed, ballot approval is rescinded and PAG to be created. If no Exclusion Notices filed, ballot becomes effective at end of Review Period. | Upon filing of Review Notice by Chair | 30 days after filing of Review Notice by Chair
>
> From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final
> Maintenance Guideline, such ballot will include a redline or comparison
> showing the set of changes from the Final Guideline section(s) intended to
> become a Final Maintenance Guideline, and need not include a copy of the
> full set of guidelines. Such redline or comparison shall be made against
> the Final Guideline section(s) as they exist at the time a ballot is
> proposed, and need not take into consideration other ballots that may be
> proposed subsequently, except as provided in Bylaw Section 2.3(j).
>
> Votes must be cast by posting an on-list reply to this thread on the
> Public list. A vote in favor of the motion must indicate a clear 'yes' in
> the response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period
> will be counted.
> Voting members are listed here:
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes cast
> by members in the browser category must be in favor. Quorum is shown on
> CA/Browser Forum wiki. Under Bylaw 2.2(g), at least the required quorum
> number must participate in the ballot for the ballot to be valid, either by
> voting in favor, voting against, or abstaining.
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
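Added example, not part of the mailing-list thread or of the Baseline Requirements: a standard-library check of a DER-encoded subject Name for the three fields listed in the proposed 7.1.4.3.1 (commonName, organizationName, countryName), run on a constructed legacy-style root subject that has no commonName. The function names and sample values are assumptions, and attribute values are assumed to be PrintableString or UTF8String.

```python
# Added example: lint a DER subject Name against the proposed 7.1.4.3.1 fields.
REQUIRED = {"2.5.4.3": "commonName", "2.5.4.10": "organizationName",
            "2.5.4.6": "countryName"}

def children(buf):
    """Split a DER byte string into its top-level (tag, value) elements."""
    pos, out = 0, []
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def oid_str(b):                           # first octet packs the first two arcs
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for octet in b[1:]:
        v = (v << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def subject_attrs(name_der):
    """Flatten Name -> RDN (SET) -> AttributeTypeAndValue into (oid, text)."""
    [(_, rdns)] = children(name_der)      # outer SEQUENCE OF RDN
    return [(oid_str(atv[0][1]), atv[1][1].decode("utf-8", "replace"))
            for _, rdn in children(rdns)
            for atv in (children(seq) for _, seq in children(rdn))]

def lint_ca_subject(name_der):            # empty list means no findings
    attrs = subject_attrs(name_der)
    present = {oid for oid, _ in attrs}
    out = [f"missing {n} ({o})" for o, n in REQUIRED.items() if o not in present]
    out += [f"countryName {v!r} is not a two-letter code" for o, v in attrs
            if o == "2.5.4.6" and not (len(v) == 2 and v.isalpha() and v.isupper())]
    return out

def name(*pairs):                         # builds constructed sample Names
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short form only
    oid = lambda d: tlv(0x06, bytes([85] + [int(x) for x in d.split(".")[2:]]))
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, oid(o) + tlv(0x13, v.encode()))) for o, v in pairs))

# Constructed sample: a legacy-style root subject with C, O and OU but no CN.
LEGACY_ROOT = name(("2.5.4.6", "US"), ("2.5.4.10", "Example Trust Co"),
                   ("2.5.4.11", "Example Legacy Root"))
```

The uniqueness condition on commonName is not checked here, since it depends on the full set of certificates issued by the issuing certificate.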
