> On Oct 22, 2017, at 2:35 PM, Geoff Keating <[email protected]> wrote:
>
>> On 22 Oct 2017, at 1:24 pm, Peter Bowen <[email protected]> wrote:
>>
>>> Another workaround for individual cases is to identify the subscriber! If you just supply the countryName field, that will do. It can be determined and verified automatically in most cases.
>>
>> If it would be agreeable to exclude countryName-only certificates from the definition of certificates which "contain Subject Identity Information", then this seems like a reasonable workaround. Otherwise section 7.1.6.1 directs that these be designated OV certificates.
>
> I don't think it does... it says
>
>> {joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) domain-validated(1)} (2.23.140.1.2.1), if the Certificate complies with these Requirements but lacks Subject Identity Information that is verified in accordance with Section 3.2.2.1 or Section 3.2.3.
>>
>> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName, givenName, surname, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field
>
> countryName is not in the list of things you can't include, and it says 3.2.2.1 not 3.2.2.3, so although countryName is 'Subject Identity Information' it is allowed in DV certificates if verified using 3.2.2.3(a)-3.2.2.3(c). This makes sense because in the other cases you're determining the countryName from the domain name or IP address.
>
> In olden times some CAs would put countryName in all their DV certificates. I suspect that was working around some other bug!
It was pointed out to me off list that domainComponent is also a candidate attribute type, as it is just an alternative representation of the dnsName. I think the biggest thing is to make sure that DV certificates continue to not be covered in section 3.2.5. I think we can assure this by making countryName and domainComponent excluded from the definition of Subject Identity Information.

Thanks,
Peter

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
