Re: [pkix] Amendment to CABF Baseline Requirements

"Sill, Alan" <> Mon, 10 April 2017 17:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 60EAC12947E for <>; Mon, 10 Apr 2017 10:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.701
X-Spam-Status: No, score=-4.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id J2d5Dv8mMvEz for <>; Mon, 10 Apr 2017 10:55:06 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5B53A128BB6 for <>; Mon, 10 Apr 2017 10:55:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-ttu-edu; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Hm9patq0ZFAFccacMMvAwlg+pDXN+uZgJgjQMu2hH9I=; b=UinegdPwpioN3TPuReSep9kmtA3C3C2G6KV89rj8OND+dI1aNqu9t+EqVPECMLxXqLV63obVuNQAWn0Hh35EE1TIYo8hg2bHkE+ewQOS9EhRmDgePTfMiAJcm2J+zf8/m0e6BTaxL+V3uEU3847Uwxof1ItEKv/EO0VBkCxHK3Y=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Mon, 10 Apr 2017 17:55:04 +0000
Received: from ([]) by ([]) with mapi id 15.01.1005.025; Mon, 10 Apr 2017 17:55:03 +0000
From: "Sill, Alan" <>
To: Erik Andersen <>
CC: "Sill, Alan" <>, "" <>
Thread-Topic: [pkix] Amendment to CABF Baseline Requirements
Thread-Index: AdKu7+4NHc0VCiezSMq6lazH8C48qgDHQmGAAAWnDQA=
Date: Mon, 10 Apr 2017 17:55:03 +0000
Message-ID: <>
References: <> <000001d2b20c$f8031930$e8094b90$>
In-Reply-To: <000001d2b20c$f8031930$e8094b90$>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; CO2PR06MB889; 7:2Kgioy/hipaSxj1a05RZl/UC35js4SUYPwyudRHn44z9u9SD9ufOdPRE69jn5Hoiv2gMzvkkP4bJ9IbOboRHAf0BTwbmG6vGqEtHz+8XxqIA+lD452PSDI4YtA0y2FT1SXvY7eN7u3K806NUDleoDRN49CKd0SfbnHbkzmJh3B8pev9qMSecZPJd0ZMh5Rxy0esI0zPlSlmRRChlViJJ7oLtRbLj0wCJpMf2F55BsDxEG8qwmd9xsOE0R1UQQDPfR7nZHbrIsgo7D7wEoPcleWpS2bw6Qb+lQpLOOAzC9yw9AIseRAFGBpoUP23dU63mU47ohtwrnvAtFfCqBiqW9w==
x-ms-office365-filtering-correlation-id: ea324d37-c9e6-4d2a-3340-08d4803ab75d
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081); SRVR:CO2PR06MB889;
x-techmail-edge-route: EOP
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(278428928389397)(10322497157591);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(6041248)(20161123555025)(20161123560025)(20161123564025)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(20161123562025)(6072148); SRVR:CO2PR06MB889; BCL:0; PCL:0; RULEID:; SRVR:CO2PR06MB889;
x-forefront-prvs: 027367F73D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39850400002)(39400400002)(39410400002)(39840400002)(377454003)(24454002)(8676002)(50986999)(81166006)(6246003)(76176999)(54356999)(75432002)(2900100001)(99286003)(236005)(54906002)(6512007)(6306002)(189998001)(5660300001)(77096006)(6506006)(6486002)(6436002)(229853002)(53936002)(33656002)(2906002)(102836003)(6116002)(3846002)(25786009)(38730400002)(6916009)(53376002)(110136004)(2950100002)(122556002)(36756003)(7736002)(3280700002)(88552002)(4326008)(3660700001)(66066001)(86362001)(8936002)(7906003); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR06MB889;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_5408AFDFD15A4B5B842B1BC533D1DF58ttuedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2017 17:55:03.6857 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 178a51bf-8b20-49ff-b655-56245d5c173c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR06MB889
Archived-At: <>
Subject: Re: [pkix] Amendment to CABF Baseline Requirements
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Apr 2017 17:55:10 -0000


Before proceeding with any attempt to deprecate the use of commonName, may I recommend that you read the contents of the OGF’s “Interoperable Certificate Profile” that focuses on non-browser applications of use of directory names, attributes, and extensions in X.509 certificates, such that they are usable by the majority of scientific cyber-infrastructures as supported by the IGTF?

This document is available in its most recent form at

In particular, commonName is a required component of certificates used in such infrastructures and deprecation would cause a great deal of damage to deployed infrastructures for large-scale grid and cloud computing.


On Apr 10, 2017, at 10:13 AM, Erik Andersen <<>> wrote:

Hi Ben and others,
I responded to the upper bound issue before reading Ben’s question. I have a comment not related to the commonName attribute type. The commonName is being (mis)used for all kind of things, so you cannot know what the syntax really is, which should cause interworking problems. The use of commonName should possibly be deprecated.
As to use the commonName for holding an FQDN, it is a little problematic. The matching rule for FQDNs is a little more complicated than the one for commonName. X.520 has a dsnName attribute type and as it is rather new it has not upper bound specification. It is defined as:
6.2.15      Domain name
A value of attribute type dnsName is used for holding a DNS domain name, which may be an internationalized domain name (IDN).

dnsName ATTRIBUTE ::= {
  WITH SYNTAX             DomainName
  LDAP-SYNTAX             dnsString.&id
  LDAP-NAME               {"DNS name"}
  ID                      id-at-dnsName }

DomainName ::= UTF8String (CONSTRAINED BY { -- Conforms to the format of a (internationalized) domain name. -- })
A value of the DomainName data type shall be in the syntax, as specified by section 2.3.1 of IETF RFC 5890 meaning that a domain name is a sequence of labels in the letters, digits, hyphen (LDH) format separated by dots.
A label may be in three formats:

a)     All characters in the label are from the Basic Latin collection as defined by ISO/IEC 10646 (i.e., having code points in the ranges 002D, 0030-0039, 0041-005A and 0061-007A) and it does not start with "xn--". The maximum length is 63 octets.

b)     It is an A-label as defined in IETF RFC 5890, i.e., it starts with the "xn--" and is a U-label converted to valid ASCII characters as in item a) using the Punycode algorithm defined by IETF RFC 3492. The converted string shall be maximum 59 octets. To be valid, it shall be possible for an A-label to be converted to a valid U-label.

NOTE 1 – An A-label is normally not human readable.

c)     It is a U-label as defined in IETF RFC 5890, i.e., it contains characters outside the Basic Latin collection. A valid U-label shall not include any characters that are not included in the restricted Unicode repertoire as defined by IETF RFC 5892 and it shall be convertible to a valid A-label as defined in item b). A valid U-label may be more than 63 octets.

NOTE 2 – In a constraint environment, it is recommended to use a domain name whenever possible, according to item a).

NOTE 3 – When used as a naming attribute, a unique distinguished name may be constructed using only this attribute type.
An attribute of type dnsName to be used as a distinguished name in a public-key certificate or in an attribute certificate shall be a fully-qualified domain name (FQDN), i.e., it shall identify a particular entity. An FQDN may have an asterisk ('*') as an additional leftmost label, which is a substitute (wildcard) for all labels at the next levels of subdomains of the domain identified by the FQDN without the asterisk. An attribute of type dnsName holding an FQDN with a wildcard label may in some cases be used in the subject component of an end-entity public-key certificate.
The corresponding matching rule is defined as:
8.9.2        DNS name match
The dnsNameMatch compares two values of type dnsName for equality and is defined as:

dnsNameMatch MATCHING-RULE ::= {
  SYNTAX       DomainName
  LDAP-SYNTAX  dnsString.&id
  LDAP-NAME    {"dnsNameMatch"}
  ID           id-mr-dnsNameMatch }
The equality matching is performed label for label. If the number of the labels in the two attribute values are different, the rule shall return FALSE. The rule shall return TRUE for each pair of labels matched for the rule to return TRUE for the two values. Otherwise, it shall return FALSE. The matching of the individual labels shall be performed as follows:

a)     If one of the labels to be compared is of the type defined in item a) of clause 6.2.15 and the other label is either an A-label or a U-label as defined in IETF RFC 5890, the rule shall return FALSE.

b)     If the two labels are of the same type, they shall be compared following the rules for caseIgnoreMatch.

c)     If one the labels is of type A-label and the other one is of type U-label, the latter shall be converted to an A-label before comparison following the rules for caseIgnoreMatch.
In addition, the following applies if one or both of the values have wildcard ('*') labels:

d)     If at least one of the values contains more than one wildcard label or if a wildcard label is not the leftmost label, the rule shall return FALSE.

e)     If one or both the values has a wildcard as the leftmost label, the remaining labels shall be matched as stated in a) to c) above and shall return TRUE or FALSE accordingly.

NOTE – The effect of the wildcard match is that *<> will match<> and<> but not<> nor<>m/>.

Fra: pkix [] På vegne af Ben Wilson
Sendt: 06 April 2017 18:24
Emne: [pkix] Amendment to CABF Baseline Requirements

Does anyone want to comment on my draft amendment to the CA/Browser Forum’s Baseline Requirements for SSL/TLS Certificates which would remove the 64-character limit on the commonName and organizationName,  as an exception to RFC 5280?  The text of the relevant Baseline Requirement provision is found below with the proposed additional language in ALL CAPS.  The reason for the first change (commonName) is there are FQDNs (in Subject Alternative Names) that are longer than 64 characters.  The reason for the second change (organizationName) is that there are organizations with names longer than 64 characters.             Subject Distinguished Name Fields
a.            Certificate Field: subject:commonName (OID
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section
b.            Certificate Field: subject:organizationName (OID
Contents: If present, the subject:organizationName field MUST contain either the Subject’s name or DBA as verified under Section The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.  Because Subject name attributes for individuals (e.g. givenName ( and surname ( are not broadly supported by application software, the CA MAY use the subject:organizationName field to convey a natural person Subject’s name or DBA.

Ben Wilson
pkix mailing list<>