In this particular case, because issued certificates contain the subject name 
from the issuer, you could argue that issuance from a CA without a subject name 
is no longer allowed—7.1.4.1 says that the issuer name must match the subject 
name of the issuer (of course!), and that brings the issuer's name into scope 
at the time of issuance.  This is different from other properties of the 
issuer’s certificate, like the algorithm it is signed with or its expiry date, 
because those don’t propagate to the issued certificate.

Or not.  You can make arguments either way.

> On 4 May 2017, at 1:06 pm, Ryan Sleevi <[email protected]> wrote:
> 
> How so? The Ballot only applies to the profile of the issuance of 
> roots/sub-CAs, not from.
> 
> If it applied to from, the existing BRs would already rule out a number of 
> members' roots and intermediates :)
> 
> 
> On Thu, May 4, 2017 at 4:04 PM, Geoff Keating <[email protected]> wrote:
> 
>> On 4 May 2017, at 12:30 pm, Ryan Sleevi via Public <[email protected]> wrote:
>> 
>> Kirk raised that, but it does not seem to be a founded concern.
>> 
>> 1) That requirement applies to all certificates issued against the current 
>> BRs
>> 2) The BRs do not retroactively invalidate - or, especially in the case of 
>> Ballot 197 - approve - certificate issuance.
>> 
>> A CA has always and only been obligated to state compliance with the 
>> in-force BRs with respect to issuance and its activities.
> 
> In this context, saying the BRs apply to ‘all certificates issued’ might mean 
> that you could no longer issue a certificate against a root without a common 
> name, and so cannot renew any sub-CAs.
> 
>> On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <[email protected]> wrote:
>> Gerv, could we also request explicit forward-looking language? Kirk raised 
>> the concern about whether this applies to existing roots and intermediates. 
>> We have a root issued in 1997 that does not have a common name. Some 
>> interpretations have been discussed, but we would strongly prefer that this 
>> be written into this change for clear future interpretations.
>> 
>> If I may:
>> 
>> 7.1.4.3. Subject Information – Root Certificates and Subordinate CA 
>> Certificates
>> 
>> When issuing a Root Certificate or Subordinate CA Certificate, the CA 
>> represents that it followed the procedure set forth in its Certificate 
>> Policy and/or Certification Practice Statement to verify that, as of the 
>> Certificate’s issuance date, all of the Subject Information was accurate and 
>> included the content required by this section.
>> 
> 


_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
