Hi, On Fri, 11 Dec 2020 10:51:44 +0000 Burton via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The common name of the Let's Encrypt R3 intermediate certificate ( > https://crt.sh/?id=3479778542) is in my opinion short and ambiguous. > It doesn't have any information in common name that can identify the > operator of the CA "Let's Encrypt" which can cause confusion who is > running the CA. > > The intermediate certificate common name "R3" naming shouldn't be > allowed. It's like the past root store naming that had ambiguous > naming such as "Root CA". I am somewhat "guilty" of that because I proposed to Let's Encrypt [1] to try to shorten strings in the intermediate in order to make it smaller (it is transmitted very often, so small savings matter). The rationale in the discussion for the R3 common name was that the organizationName already contains "Let's Encrypt" and is required, thus putting the CA name into the CN is redundant. I guess this comes down to the question whether you expect the common name on its own to be meaningful in intermediate certs or if you consider the whole subject. If you manage your CA store by always showing the whole subject this problem does not exist. I feel this makes sense, if an organizationName is required anyway then there shouldn't be a need. And given that certs are transmitted very often and the info in the subject is read rarely (it is after all just informational and has little technical meaning except for identifying the cert) I feel there shouldn't be rules that make this info needlessly long. [1] https://community.letsencrypt.org/t/lets-encrypt-new-hierarchy-plans/125517/18 -- Hanno Böck https://hboeck.de/ _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
