Gerv, I think this still presents problems for vanity CAs. I can agree with the need to validate the entity in the O field (i.e. that the root CA has permission to create a CA with the sub CA's tradename), but I would want to preserve some flexibility. Right now, the language I'm concerned about says, "This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2." How strictly will this be interpreted / applied? Also, I assume an internally operated CA with a vanity CA name would still be included in the root CA's audits, but what BR-related obligations might be unintentionally incurred by the entity listed in the O field?
Ben

-----Original Message-----
From: Gervase Markham [mailto:[email protected]]
Sent: Friday, May 5, 2017 7:23 AM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Subject: Re: [cabfpub] Ballot 199 - Require commonName in Root and Intermediate Certificates

On 04/05/17 16:20, Ben Wilson wrote:
> 1 - Does this ballot rule out “vanity CAs” – CAs with customer names
> in the subject field, even though the key is held by the root CA? (I
> can provide further clarification, and/or examples, if necessary.

I don't think so. It doesn't mandate the contents of the CN field other than a SHOULD-based uniqueness constraint.

> 2- What is the full current wording of Ballot 199?

It is as posted on 25th April, but with a MUST changed to a SHOULD. I will send out a full copy.

Gerv
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
