> On 3 Nov 2017, at 2:37 pm, Peter Bowen via Public <[email protected]> wrote:
…
> From the discussion on the list, I propose that we explicitly exclude
> countryName from Subject Identity Information. As Geoff pointed out,
> historically some DV certs have included countryName and there is a process
> in the BRs for validation of countryName when it is the only item in the
> subject.
>
> What do others think? Is it reasonable to allow DV certificates with
> countryName in the subject?

I guess it should also be mentioned that if you use the process in the BRs, you’re not really validating that the countryName is the country of the subscriber; in this case the countryName is the country of a domain name or IP address. It’ll be a country associated with the subscriber but not necessarily the subscriber's home.

So I think it would be reasonable to exclude it from Subject Identity Information.

If we were up for some editing, I think it should be ‘Subscriber Identity Information’, though, not ‘Subject’. The BRs are a bit confused about what a Subject might be:

> Subject: The natural person, device, system, unit, or Legal Entity identified
> in a Certificate as the Subject. The Subject is either the Subscriber or a
> device under the control and operation of the Subscriber.

… so, in a certificate with CN=www.example.com/O=Example Inc./C=US, is the Subject ‘Example Inc.’, or ‘www.example.com’, and if the second, why is ‘www.example.com’ not Subject Identity Information, and if the first, then what is the Subject for ‘CN=www.example.com’?

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
