There are a large number of CAs that follow the practice of vetting SOME of the information they put into cert subject names, but not all, and in fact deliberately making no attempt to vet certain attributes at all.
Examples known to me include: OU names: typically not vetted at all CNs other than the last (most specific) one, if it is a DNS name. Maybe it's pointless to try, but can we write into this RFC that conforming certs contain NO unvetted attributes in the subject name nor in any Subject Alt Name attributes? Since CAs seem to have such a strong desire to do so, maybe we should invent a new extension: unvetted subject alt names, where they can put whatever nonsense they want, and apps that care to use only vetted info can ignore. It MUST NOT be a critical extension. On the other hand, the correct processing of that extension should be defined to ignore it (:-) so that all apps may claim to properly handle it, even if it is critical. _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
