Re: [pkix] Amendment to CABF Baseline Requirements

[Jeremy Rowley <jeremy.rowley@digicert.com>]

Can you point to any browser software that cares about these limits?  I can’t find any.

 

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace
Sent: Thursday, April 6, 2017 10:28 AM
To: Ben Wilson <ben.wilson@digicert.com>; pkix@ietf.org
Subject: Re: [pkix] Amendment to CABF Baseline Requirements

 

Given these ASN.1 upper bounds are automatically enforced by ASN.1 compiler generated code, how do we hand wave this away? These changes are a recipe for interoperability pain. 

 

From: pkix <pkix-bounces@ietf.org <mailto:pkix-bounces@ietf.org> > on behalf of Ben Wilson <ben.wilson@digicert.com <mailto:ben.wilson@digicert.com> >
Date: Thursday, April 6, 2017 at 12:24 PM
To: "pkix@ietf.org <mailto:pkix@ietf.org> " <pkix@ietf.org <mailto:pkix@ietf.org> >
Subject: [pkix] Amendment to CABF Baseline Requirements

 

Does anyone want to comment on my draft amendment to the CA/Browser Forum’s Baseline Requirements for SSL/TLS Certificates which would remove the 64-character limit on the commonName and organizationName,  as an exception to RFC 5280?  The text of the relevant Baseline Requirement provision is found below with the proposed additional language in ALL CAPS.  The reason for the first change (commonName) is there are FQDNs (in Subject Alternative Names) that are longer than 64 characters.  The reason for the second change (organizationName) is that there are organizations with names longer than 64 characters.

 

7.1.4.2.2.             Subject Distinguished Name Fields

a.            Certificate Field: subject:commonName (OID 2.5.4.3)  

Required/Optional: Deprecated (Discouraged, but not prohibited)

Contents: If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1).

MAXIMUM LENGTH:  NO STIPULATION.  (THIS IS AN EXCEPTION TO RFC 5280 WHICH SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)

b.            Certificate Field: subject:organizationName (OID 2.5.4.10)

Optional.  

Contents: If present, the subject:organizationName field MUST contain either the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.  Because Subject name attributes for individuals (e.g. givenName (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by application software, the CA MAY use the subject:organizationName field to convey a natural person Subject’s name or DBA.

MAXIMUM LENGTH:  256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 WHICH SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)

 

Thanks,

Ben Wilson

_______________________________________________ pkix mailing list pkix@ietf.org <mailto:pkix@ietf.org>  https://www.ietf.org/mailman/listinfo/pkix