Re: [pkix] Amendment to CABF Baseline Requirements

Michael StJohns <msj@nthpermutation.com> Thu, 06 April 2017 16:54 UTC

To: pkix@ietf.org
References: <906f1c1dde4f44789646197d887da312@EX2.corp.digicert.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <a24a24b9-542c-a619-3445-47e812f9c46b@nthpermutation.com>
Date: Thu, 06 Apr 2017 12:54:59 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/cr8pXGbMlwK8Z1z8HUbJfhRZi6A>

Hi Ben -

IETF 5280 et al are profiles of the X.509 documents.  The upper length 
bounds for organizationName and commonName fields in 5280 are no 
different than the upper bounds specified in X.509 (at least as of the 
2014 document).  I would suggest that you will pretty much break any and 
all implementations of X.509 clients that rely on or enforce this limit as 
well as any code that generates certificate requests.

I will note that overloading text fields with structured data is 
generally not a good idea - as you've found.

Mike



On 4/6/2017 12:24 PM, Ben Wilson wrote:
>
> Does anyone want to comment on my draft amendment to the CA/Browser 
> Forum’s Baseline Requirements for SSL/TLS Certificates which would 
> remove the 64-character limit on the commonName and organizationName,  
> as an exception to RFC 5280?  The text of the relevant Baseline 
> Requirement provision is found below with the proposed additional 
> language in ALL CAPS.  The reason for the first change (commonName) is 
> there are FQDNs (in Subject Alternative Names) that are longer than 64 
> characters.  The reason for the second change (organizationName) is 
> that there are organizations with names longer than 64 characters.
>
> 7.1.4.2.2. Subject Distinguished Name Fields
>
> a. Certificate Field: subject:commonName (OID 2.5.4.3)
>
> Required/Optional: Deprecated (Discouraged, but not prohibited)
>
> Contents: If present, this field MUST contain a single IP address or 
> Fully-Qualified Domain Name that is one of the values contained in the 
> Certificate’s subjectAltName extension (see Section 7.1.4.2.1).
>
> MAXIMUM LENGTH:  NO STIPULATION.  (THIS IS AN EXCEPTION TO RFC 5280 
> WHICH SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
>
> b. Certificate Field: subject:organizationName (OID 2.5.4.10)
>
> Optional.
>
> Contents: If present, the subject:organizationName field MUST contain 
> either the Subject’s name or DBA as verified under Section 3.2.2.2. 
> The CA may include information in this field that differs slightly 
> from the verified name, such as common variations or abbreviations, 
> provided that the CA documents the difference and any abbreviations 
> used are locally accepted abbreviations; e.g., if the official record 
> shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” 
> or “Company Name”.  Because Subject name attributes for individuals 
> (e.g. givenName (2.5.4.42) and surname (2.5.4.4)) are not broadly 
> supported by application software, the CA MAY use the 
> subject:organizationName field to convey a natural person Subject’s 
> name or DBA.
>
> MAXIMUM LENGTH:  256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 
> WHICH SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
>
> Thanks,
>
> Ben Wilson
>
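The 64-character limits both messages refer to are the upper-bound constants in RFC 5280 Appendix A (ub-common-name, ub-organization-name and their siblings), and those constraints are ASN.1 SIZE constraints on a DirectoryString, so they count characters rather than encoded octets. The checker below is an added example, not code from either message or from the CA/Browser Forum; it applies the RFC 5280 bounds and the amendment's proposed values (no stipulation for commonName, 256 for organizationName) to a constructed subject DN, and separately flags names that fit in characters but not in UTF-8 bytes, the case where a client that counts octets would reject what a character-counting one accepts. The attribute OIDs come from the thread and RFC 5280; the sample names are constructed.

```python
# RFC 5280 Appendix A.1 upper bounds, keyed by attribute OID; values are
# maximum lengths in characters (ASN.1 SIZE on a DirectoryString).
RFC5280_UB = {
    "2.5.4.3": 64,    # commonName             (ub-common-name)
    "2.5.4.10": 64,   # organizationName       (ub-organization-name)
    "2.5.4.11": 64,   # organizationalUnitName (ub-organizational-unit-name)
    "2.5.4.7": 128,   # localityName           (ub-locality-name)
    "2.5.4.8": 128,   # stateOrProvinceName    (ub-state-name)
    "2.5.4.5": 64,    # serialNumber           (ub-serial-number)
    "2.5.4.6": 2,     # countryName            (ub-country-name-alpha-length)
}

# The proposed Baseline Requirements amendment from the thread:
# commonName gets no stipulation (None), organizationName gets 256.
CABF_PROPOSED_UB = {**RFC5280_UB, "2.5.4.3": None, "2.5.4.10": 256}


def check_subject(subject, bounds):
    """Return (oid, length, bound) for every attribute longer than its bound.

    subject is a list of (oid, value) pairs in DN order. Lengths are counted
    in characters, matching the SIZE constraint in RFC 5280.
    """
    violations = []
    for oid, value in subject:
        bound = bounds.get(oid)          # None: attribute not bounded here
        if bound is not None and len(value) > bound:
            violations.append((oid, len(value), bound))
    return violations


def byte_length_mismatch(subject, bounds):
    """OIDs whose value fits the bound in characters but exceeds it in UTF-8
    octets: accepted by a character-counting client, rejected by one that
    compares the encoded string length against ub-*."""
    return [oid for oid, value in subject
            if bounds.get(oid) is not None
            and len(value) <= bounds[oid] < len(value.encode("utf-8"))]


# Constructed sample subject: a long SAN-style FQDN in CN and a long O.
LONG_FQDN = "a-very-long-host-name-segment.another-long-label.yet-another-label.example.com"
LONG_ORG = "The Extremely Long Legally Registered Organization Name of Some Corporation, Incorporated"
SAMPLE_SUBJECT = [("2.5.4.6", "US"), ("2.5.4.10", LONG_ORG), ("2.5.4.3", LONG_FQDN)]

if __name__ == "__main__":
    for label, table in (("RFC 5280", RFC5280_UB), ("CABF proposal", CABF_PROPOSED_UB)):
        print(label, check_subject(SAMPLE_SUBJECT, table))
```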