Re: [pkix] Amendment to CABF Baseline Requirements

Carl Wallace <carl@redhoundsoftware.com> Thu, 06 April 2017 16:28 UTC

Date: Thu, 06 Apr 2017 12:28:20 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Ben Wilson <ben.wilson@digicert.com>, "pkix@ietf.org" <pkix@ietf.org>
Message-ID: <D50BE42A.85E25%carl@redhoundsoftware.com>
Thread-Topic: [pkix] Amendment to CABF Baseline Requirements
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/6XCoDKpKyx7ArD-RoCctnlZn5ak>
Subject: Re: [pkix] Amendment to CABF Baseline Requirements

Given that these ASN.1 upper bounds are automatically enforced by ASN.1 compiler-generated
code, how do we hand-wave this away? These changes are a recipe for
interoperability pain.

From: pkix <pkix-bounces@ietf.org> on behalf of Ben Wilson
<ben.wilson@digicert.com>
Date: Thursday, April 6, 2017 at 12:24 PM
To: "pkix@ietf.org" <pkix@ietf.org>
Subject: [pkix] Amendment to CABF Baseline Requirements

> Does anyone want to comment on my draft amendment to the CA/Browser Forum’s
> Baseline Requirements for SSL/TLS Certificates which would remove the
> 64-character limit on the commonName and organizationName, as an exception to
> RFC 5280?  The text of the relevant Baseline Requirement provision is found
> below with the proposed additional language in ALL CAPS.  The reason for the
> first change (commonName) is there are FQDNs (in Subject Alternative Names)
> that are longer than 64 characters.  The reason for the second change
> (organizationName) is that there are organizations with names longer than 64
> characters.
>
> 7.1.4.2.2. Subject Distinguished Name Fields
> a. Certificate Field: subject:commonName (OID 2.5.4.3)
> Required/Optional: Deprecated (Discouraged, but not prohibited)
> Contents: If present, this field MUST contain a single IP address or
> Fully-Qualified Domain Name that is one of the values contained in the
> Certificate’s subjectAltName extension (see Section 7.1.4.2.1).
> MAXIMUM LENGTH:  NO STIPULATION.  (THIS IS AN EXCEPTION TO RFC 5280 WHICH
> SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
> b. Certificate Field: subject:organizationName (OID 2.5.4.10)
> Optional.
> Contents: If present, the subject:organizationName field MUST contain either
> the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may
> include information in this field that differs slightly from the verified
> name, such as common variations or abbreviations, provided that the CA
> documents the difference and any abbreviations used are locally accepted
> abbreviations; e.g., if the official record shows “Company Name Incorporated”,
> the CA MAY use “Company Name Inc.” or “Company Name”.  Because Subject name
> attributes for individuals (e.g. givenName (2.5.4.42) and surname (2.5.4.4))
> are not broadly supported by application software, the CA MAY use the
> subject:organizationName field to convey a natural person Subject’s name or
> DBA.
> MAXIMUM LENGTH:  256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 WHICH
> SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
>
> Thanks,
> Ben Wilson
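As an added illustration of the point about compiler-enforced bounds (example code written for this page, not from either poster and not from any ASN.1 toolkit): a minimal DER encoder and decoder for an X.509 Name in pure Python. The decoder applies the RFC 5280 Appendix A upper bounds the way strictly generated code does, so the constructed subject with a 95-character commonName and a 90-character organizationName is rejected outright, while the same bytes decode without complaint in lenient mode. The bounds table covers only the attributes named in the thread plus a few neighbours, and all sample values are made up.

```python
"""Strict vs. lenient decoding of an X.509 Name against RFC 5280 Appendix A upper bounds."""

# RFC 5280 Appendix A upper bounds, in characters: X.680 SIZE constraints on
# character string types count characters, not octets.  Only the attributes named
# in the thread plus a few neighbours are listed.  OID -> (short name, bound)
UPPER_BOUNDS = {
    "2.5.4.3": ("CN", 64),    # ub-common-name
    "2.5.4.10": ("O", 64),    # ub-organization-name
    "2.5.4.11": ("OU", 64),   # ub-organizational-unit-name
    "2.5.4.7": ("L", 128),    # ub-locality-name
    "2.5.4.8": ("ST", 128),   # ub-state-name
    "2.5.4.6": ("C", 2),      # ub-country-name-alpha-length
}
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING = 0x30, 0x31, 0x06, 0x0C, 0x13

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def encode_name(attrs):
    """Encode [(oid, value)] as Name ::= SEQUENCE OF SET OF AttributeTypeAndValue,
    one attribute per RDN; countryName as PrintableString, the rest as UTF8String."""
    rdns = b""
    for oid, value in attrs:
        tag = PRINTABLESTRING if oid == "2.5.4.6" else UTF8STRING
        rdns += _tlv(SET, _tlv(SEQUENCE, _encode_oid(oid) + _tlv(tag, value.encode("utf-8"))))
    return _tlv(SEQUENCE, rdns)

def _read_tlv(buf, pos):
    """Return (tag, contents, position just after this TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, buf[pos:pos + first], pos + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos:pos + n], "big")
    return tag, buf[pos + n:pos + n + length], pos + n + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_name(der, strict=True):
    """Decode a Name to [(oid, value)].  strict=True mimics compiler-generated code:
    the first attribute whose character count exceeds its upper bound raises ValueError."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)            # SET (one RDN)
        _, atv, _ = _read_tlv(rdn, 0)                 # SEQUENCE (AttributeTypeAndValue)
        _, oid_body, after_oid = _read_tlv(atv, 0)    # OBJECT IDENTIFIER
        val_tag, val_body, _ = _read_tlv(atv, after_oid)
        oid = _decode_oid(oid_body)
        value = val_body.decode("utf-8" if val_tag == UTF8STRING else "ascii")
        if strict and oid in UPPER_BOUNDS and len(value) > UPPER_BOUNDS[oid][1]:
            short, ub = UPPER_BOUNDS[oid]
            raise ValueError(f"{short} is {len(value)} characters, upper bound is {ub}")
        attrs.append((oid, value))
    return attrs

def over_bound(attrs):
    """(short name, actual length, bound) for each attribute a strict decoder would reject."""
    return [(UPPER_BOUNDS[o][0], len(v), UPPER_BOUNDS[o][1])
            for o, v in attrs if o in UPPER_BOUNDS and len(v) > UPPER_BOUNDS[o][1]]

if __name__ == "__main__":
    # Constructed sample subject of the kind the amendment would permit.
    subject = [("2.5.4.6", "US"),
               ("2.5.4.10", "Company Name " * 6 + "Incorporated"),        # 90 characters
               ("2.5.4.3", "very-long-host-label-" * 4 + "example.com")]  # 95 characters
    der = encode_name(subject)
    print("lenient decoder:", decode_name(der, strict=False))
    try:
        decode_name(der)
    except ValueError as exc:
        print("strict decoder:", exc)
```

Two details matter when checking a real toolkit against this. First, the strict decoder aborts on the first offending attribute, which is how a generated decoder typically behaves: the whole Name, and therefore the whole certificate, fails to parse rather than one field being truncated. Second, the RFC 5280 Appendix A note says the bounds are measured in characters, so the example measures the decoded string; a 64-character UTF8String of non-ASCII text is within ub-common-name even though it occupies up to 256 octets, and a toolkit that counts octets instead would reject it, which is a separate interoperability wrinkle from the one the amendment introduces.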