[cabfpub] Subject attribute proposal
pzb at amzn.com
Mon Mar 20 09:59:00 MST 2017
> On Mar 20, 2017, at 5:37 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 19/03/17 23:28, Peter Bowen via Public wrote:
>> I would like to allow CAs to add a dnQualifier attribute to certificate subjects without it being considered “Subject Identity Information”.
> Why? :-)
Right now the BRs say that only CN is excluded from being Subject Identity Information. So including any other attribute type in a subject (e.g. OU, description, etc.) means the certificate has to meet the rules for Subject Identity Information, such as:
The CA (i) implemented a procedure to verify the identity of the Applicant in accordance with Sections 3.2 and 11.2; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement;
If the Applicant for a Certificate […] is an organization, the CA SHALL use a Reliable Method of Communication to verify the authenticity of the Applicant Representative’s certificate request.
In other words, even if the certificate does not contain the organization name, but does contain some attribute, then the CA must follow 3.2 and 11.2 to confirm the identity of the applicant and may need to verify the authenticity of the certificate request.
As I read it, a certificate with a subject such as “/OU=Domain Control Validated/OU=Hosted by Contoso Hosting/CN=*.example.com” triggers the above rules.
Unfortunately leaving the subject completely out (e.g. an empty sequence for the Subject Name) breaks operating systems from a browser member. This can be tested by trying to visit https://no-subject.badssl.com/
We also know that commonName is limited to 64 characters and is required to contain a name from the subjectAlternativeNames list. If all the names in the SAN are longer than 64 characters, the CA cannot today issue a certificate without Subject Identity Information.
This proposal provides for an attribute that can be used in a subject without triggering the SII rule. It allows CAs to issue no-SII certificates that work on all current OSes for all valid FQDNs without violating the BRs.
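The rules the message walks through (only CN exempt from the SII rule today, the proposal adding dnQualifier, the 64-character commonName limit, CN having to match a SAN entry, and the empty-subject client breakage) can be expressed as a small subject linter. The following is an added illustration written for this page, not code from the CA/Browser Forum or the poster; it parses the slash-separated subject notation used in the message (a constructed convention, not a certificate parser) and the SAN list is passed in as plain strings.

```python
"""Lint an X.509 subject against the Baseline Requirements rules discussed above.

Pure Python; the subject is given in the slash-separated form used in the
message ('/OU=.../CN=...'), and the SAN list is a plain list of DNS names.
"""
from __future__ import annotations

# Attribute types that do NOT count as Subject Identity Information (SII).
# Under the BRs as quoted in the message only CN is exempt; the proposal
# would add dnQualifier to the exempt set.
SII_EXEMPT_CURRENT = frozenset({"CN"})
SII_EXEMPT_PROPOSED = SII_EXEMPT_CURRENT | {"dnQualifier"}

CN_MAX_LEN = 64  # upper bound on commonName cited in the message


def parse_subject(dn: str) -> list[tuple[str, str]]:
    """Parse '/OU=a/OU=b/CN=c' into [('OU', 'a'), ('OU', 'b'), ('CN', 'c')].

    An empty string (or a bare '/') represents the empty subject sequence.
    """
    rdns: list[tuple[str, str]] = []
    for part in dn.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN component: {part!r}")
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip(), value))
    return rdns


def lint_subject(dn: str, sans: list[str],
                 exempt: frozenset[str] = SII_EXEMPT_CURRENT) -> list[tuple[str, str]]:
    """Return (code, message) findings for a proposed subject and SAN list.

    Codes: EMPTY_SUBJECT, SII, CN_TOO_LONG, CN_NOT_IN_SAN.
    """
    findings: list[tuple[str, str]] = []
    rdns = parse_subject(dn)

    # An empty subject is BR-legal but breaks some client OSes
    # (the message points at https://no-subject.badssl.com/).
    if not rdns:
        findings.append(("EMPTY_SUBJECT",
                         "empty subject sequence; known to break some clients"))

    # Any attribute type outside the exempt set makes the subject SII, which
    # pulls in the identity-validation duties of BR sections 3.2 and 11.2.
    sii_types = sorted({t for t, _ in rdns if t not in exempt})
    if sii_types:
        findings.append(("SII",
                         f"attributes {', '.join(sii_types)} are Subject Identity "
                         "Information; applicant identity must be verified"))

    # CN, if present, is length-limited and must repeat a SAN entry.
    for attr_type, value in rdns:
        if attr_type != "CN":
            continue
        if len(value) > CN_MAX_LEN:
            findings.append(("CN_TOO_LONG",
                             f"CN is {len(value)} chars, limit is {CN_MAX_LEN}"))
        if value not in sans:
            findings.append(("CN_NOT_IN_SAN",
                             f"CN {value!r} does not appear in subjectAltName"))
    return findings


def cn_only_subject_possible(sans: list[str]) -> bool:
    """Can a no-SII subject be built today (CN only)?

    Only if at least one SAN entry fits within the CN length limit; this is
    the gap the dnQualifier proposal closes.
    """
    return any(len(name) <= CN_MAX_LEN for name in sans)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the message's examples.
    hosted = "/OU=Domain Control Validated/OU=Hosted by Contoso Hosting/CN=*.example.com"
    for code, msg in lint_subject(hosted, ["*.example.com"]):
        print(f"{code}: {msg}")
    long_name = "a" * 70 + ".example.com"
    print("CN-only subject possible:", cn_only_subject_possible([long_name]))
    print("proposal, dnQualifier only:",
          lint_subject("/dnQualifier=0123", [long_name], SII_EXEMPT_PROPOSED))
```

Running the module with the hosted-provider subject from the message reports the OU attributes as SII; the same subject with only a dnQualifier passes when checked against the proposed exempt set, and `cn_only_subject_possible` returns False for a SAN list whose every name exceeds 64 characters, which is exactly the case the proposal is meant to cover.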