> On 22 Oct 2017, at 1:24 pm, Peter Bowen <p...@amzn.com> wrote:
>
>> Another workaround for individual cases is to identify the subscriber! If
>> you just supply the countryName field, that will do. It can be determined
>> and verified automatically in most cases.
>
> If it would be agreeable to exclude countryName-only certificates from the
> definition of certificates which "contain Subject Identity Information", then
> this seems like a reasonable workaround. Otherwise section 7.1.6.1 directs
> that these be designated OV certificates.
I don’t think it does… it says

> {joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
> certificate-policies(1) baseline-requirements(2) domain-validated(1)}
> (2.23.140.1.2.1), if the Certificate complies with these Requirements but
> lacks Subject Identity Information that is verified in accordance with
> Section 3.2.2.1 or Section 3.2.3.
>
> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it
> MUST NOT include organizationName, givenName, surname, streetAddress,
> localityName, stateOrProvinceName, or postalCode in the Subject field

countryName is not in the list of things you can’t include, and it says 3.2.2.1 not 3.2.2.3, so although countryName is ‘Subject Identity Information’ it is allowed in DV certificates if verified using 3.2.2.3(a)-3.2.2.3(c). This makes sense because in the other cases you’re determining the countryName from the domain name or IP address.

In olden times some CAs would put countryName in all their DV certificates. I suspect that was working around some other bug!
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
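An added worked example, not part of the thread above and not code from the CA/Browser Forum or any CA's tooling: a small Python lint for the 7.1.6.1 rule quoted in the reply. It walks the DER of a Subject Name and of a certificatePolicies extension value directly, so it needs no third-party library. The attribute OIDs and the structure layouts (Name as SEQUENCE OF SET OF AttributeTypeAndValue, PolicyInformation with policyIdentifier first) are the standard RFC 5280 ones; the sample Names and policy values are constructed inline by the block's own tiny encoder, and all function and constant names are the example's own.

```python
# Added example (not from the thread). Lint for BR 7.1.6.1: a certificate
# asserting 2.23.140.1.2.1 MUST NOT carry organizationName, givenName, surname,
# streetAddress, localityName, stateOrProvinceName or postalCode in its Subject.
# countryName is not on that list. All sample DER is constructed in this file.

DV_POLICY = "2.23.140.1.2.1"

# Subject attribute types that 7.1.6.1 forbids alongside the DV policy OID.
FORBIDDEN_WITH_DV = {
    "2.5.4.10": "organizationName", "2.5.4.42": "givenName", "2.5.4.4": "surname",
    "2.5.4.9": "streetAddress", "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName", "2.5.4.17": "postalCode",
}
# 2.5.4.6 (countryName) and 2.5.4.3 (commonName) are deliberately not listed.

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    pos = 0                                # yield each TLV inside a SEQUENCE/SET
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                        # encodes 40*X + Y, X in {0, 1, 2}
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def subject_attribute_types(name_der):
    """Attribute type OIDs of a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    _, rdn_sequence, _ = _read_tlv(name_der, 0)
    types = []
    for _, rdn in _children(rdn_sequence):            # each RDN is a SET
        for _, atv in _children(rdn):                 # each ATV is a SEQUENCE
            oid_tag, oid_content, _ = _read_tlv(atv, 0)
            assert oid_tag == 0x06, "AttributeType must be an OID"
            types.append(decode_oid(oid_content))
    return types

def policy_oids(policies_der):
    """Policy OIDs of a certificatePolicies extnValue (SEQUENCE OF PolicyInformation)."""
    _, sequence, _ = _read_tlv(policies_der, 0)
    oids = []
    for _, policy_info in _children(sequence):
        oid_tag, oid_content, _ = _read_tlv(policy_info, 0)   # policyIdentifier first
        assert oid_tag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_content))
    return oids

def dv_subject_violations(name_der, policies_der):
    """Forbidden Subject attributes present when the DV OID is asserted, else []."""
    if DV_POLICY not in policy_oids(policies_der):
        return []
    return [FORBIDDEN_WITH_DV[t] for t in subject_attribute_types(name_der)
            if t in FORBIDDEN_WITH_DV]

# Minimal DER encoding, used only to build the constructed samples below.
def _tlv(tag, body):
    assert len(body) < 128, "short-form length is enough for these samples"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:             # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def encode_name(attrs):
    """attrs: list of (dotted OID, str); one RDN per attribute, UTF8String values."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, encode_oid(t) + _tlv(0x0C, v.encode())))
                    for t, v in attrs)
    return _tlv(0x30, rdns)

def encode_policies(oids):
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))

# Constructed samples (not from any real certificate).
DV_POLICIES = encode_policies([DV_POLICY])
COUNTRY_ONLY_SUBJECT = encode_name([("2.5.4.6", "US"), ("2.5.4.3", "example.com")])
OV_STYLE_SUBJECT = encode_name([("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"),
                                ("2.5.4.3", "example.com")])

if __name__ == "__main__":
    print(dv_subject_violations(COUNTRY_ONLY_SUBJECT, DV_POLICIES))   # []
    print(dv_subject_violations(OV_STYLE_SUBJECT, DV_POLICIES))       # ['organizationName']
```

Run stand-alone, the countryName-plus-commonName Subject passes and the one carrying organizationName is flagged. Whether the countryName was actually verified under 3.2.2.3 is not something a certificate records, so that part of the rule stays a CA-side process check rather than a lint.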