> On Apr 6, 2016, at 3:17 PM, Ryan Sleevi <[email protected]> wrote:
> 
> On Wed, Apr 6, 2016 at 2:57 PM, Peter Bowen <[email protected]> wrote:
> 
> Append " - Subscriber Certificates" to the title of section 7.1.4.2.
> 
> Apologies for missing this during the first discussion, could you explain the 
> motivation for this change? This seems to substantially change the 
> obligations regarding the construction of subordinate CA certificates, and so 
> it's helpful to understand the context.

This change is to address https://bugzilla.cabforum.org/show_bug.cgi?id=31,
which is one of the bugs Gerv listed in the prior thread.

7.1.4.3 is already "Subject Information – Subordinate CA Certificates", so I 
was following the same heading format.

7.1.4.2 says the subject alternative name extension is required and the 
"extension MUST contain at least one entry. Each entry MUST be either a 
dNSName containing the Fully-Qualified Domain Name or an iPAddress containing 
the IP address of a server".  Clearly this is incorrect for CA certificates.

7.1.2.1/7.1.2.2 call out the requirement for validation of organizationName for 
CA certificates.  I admit that BR structure here is a little weird — very 
similar requirements are applied to different types of certificates in 7.1.2 
and 7.1.4. It would probably be better to call out validation requirements in 
one place.  However that is starting to feel like its own ballot as it is going 
to take some careful thought on how to make it work correctly.

Would you prefer we drop the change to the heading on 7.1.4.2?

Thanks,
Peter

