Re: [pkix] Amendment to CABF Baseline Requirements

Carl Wallace <carl@redhoundsoftware.com> Thu, 06 April 2017 17:08 UTC

Date: Thu, 06 Apr 2017 13:07:51 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>, Ben Wilson <ben.wilson@digicert.com>, "pkix@ietf.org" <pkix@ietf.org>
Message-ID: <D50BEDEE.85E5F%carl@redhoundsoftware.com>
Thread-Topic: [pkix] Amendment to CABF Baseline Requirements
References: <D50BE42A.85E25%carl@redhoundsoftware.com> <cf94d4038d594b8c9e929e9b4e215bac@EX2.corp.digicert.com>
In-Reply-To: <cf94d4038d594b8c9e929e9b4e215bac@EX2.corp.digicert.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/gSO0Hyr6zWKCxEGklxZxqgSw2Cs>
Subject: Re: [pkix] Amendment to CABF Baseline Requirements

Ah, I assumed you had all the browser folks covered and sought broader
comments (hence posting here). If breaking non-browser instances is of no
concern, feel free to ignore my comment.

From:  Jeremy Rowley <jeremy.rowley@digicert.com>
Date:  Thursday, April 6, 2017 at 12:40 PM
To:  Carl Wallace <carl@redhoundsoftware.com>, Ben Wilson
<ben.wilson@digicert.com>, "pkix@ietf.org" <pkix@ietf.org>
Subject:  RE: [pkix] Amendment to CABF Baseline Requirements

> Can you point to any browser software that cares about these limits?  I can’t
> find any.
>  
> 
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace
> Sent: Thursday, April 6, 2017 10:28 AM
> To: Ben Wilson <ben.wilson@digicert.com>; pkix@ietf.org
> Subject: Re: [pkix] Amendment to CABF Baseline Requirements
>  
> 
> Given these ASN.1 upper bounds are automatically enforced by ASN.1 compiler
> generated code, how do we hand wave this away? These changes are a recipe for
> interoperability pain.
> 
>  
> 
> From: pkix <pkix-bounces@ietf.org> on behalf of Ben Wilson
> <ben.wilson@digicert.com>
> Date: Thursday, April 6, 2017 at 12:24 PM
> To: "pkix@ietf.org" <pkix@ietf.org>
> Subject: [pkix] Amendment to CABF Baseline Requirements
> 
>  
>> 
>> Does anyone want to comment on my draft amendment to the CA/Browser Forum’s
>> Baseline Requirements for SSL/TLS Certificates which would remove the
>> 64-character limit on the commonName and organizationName,  as an exception
>> to RFC 5280?  The text of the relevant Baseline Requirement provision is
>> found below with the proposed additional language in ALL CAPS.  The reason
>> for the first change (commonName) is there are FQDNs (in Subject Alternative
>> Names) that are longer than 64 characters.  The reason for the second change
>> (organizationName) is that there are organizations with names longer than 64
>> characters.
>>  
>> 7.1.4.2.2. Subject Distinguished Name Fields
>> a. Certificate Field: subject:commonName (OID 2.5.4.3)
>> Required/Optional: Deprecated (Discouraged, but not prohibited)
>> Contents: If present, this field MUST contain a single IP address or
>> Fully-Qualified Domain Name that is one of the values contained in the
>> Certificate’s subjectAltName extension (see Section 7.1.4.2.1).
>> MAXIMUM LENGTH:  NO STIPULATION.  (THIS IS AN EXCEPTION TO RFC 5280 WHICH
>> SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
>> b. Certificate Field: subject:organizationName (OID 2.5.4.10)
>> Optional.
>> Contents: If present, the subject:organizationName field MUST contain either
>> the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may
>> include information in this field that differs slightly from the verified
>> name, such as common variations or abbreviations, provided that the CA
>> documents the difference and any abbreviations used are locally accepted
>> abbreviations; e.g., if the official record shows “Company Name
>> Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.  Because
>> Subject name attributes for individuals (e.g. givenName (2.5.4.42) and
>> surname (2.5.4.4)) are not broadly supported by application software, the CA
>> MAY use the subject:organizationName field to convey a natural person
>> Subject’s name or DBA.
>> MAXIMUM LENGTH:  256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 WHICH
>> SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
>>  
>> Thanks,
>> Ben Wilson
>> _______________________________________________ pkix mailing list
>> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
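The interoperability concern raised in this thread is about the SIZE constraints in RFC 5280 Appendix A (ub-common-name and ub-organization-name are both 64). The following is an added example, not code from the thread or from any participant or CA: a minimal DER encoder and decoder for an X.501 Name, plus a checker that applies those upper bounds the way a compiler-generated decoder would, so one can see which subject attribute values such an implementation would reject. The bounds table is transcribed from RFC 5280 Appendix A; the encoder, the helper names and the sample names are constructed for illustration.

```python
"""Apply the RFC 5280 Appendix A upper bounds to a DER-encoded X.501 Name.

Constructed example: a tiny DER encoder/decoder for Name (one
AttributeTypeAndValue per RDN) and a checker that flags values longer than
the ub-* constants, as an ASN.1-compiler-generated decoder would.
"""
from typing import Dict, List, Tuple

# RFC 5280 Appendix A upper bounds, in characters, keyed by attribute type OID.
UPPER_BOUNDS: Dict[str, int] = {
    "2.5.4.3": 64,                # commonName              ub-common-name
    "2.5.4.10": 64,               # organizationName        ub-organization-name
    "2.5.4.11": 64,               # organizationalUnitName  ub-organizational-unit-name
    "2.5.4.7": 128,               # localityName            ub-locality-name
    "2.5.4.8": 128,               # stateOrProvinceName     ub-state-name
    "2.5.4.6": 2,                 # countryName             ub-country-name-alpha-length
    "2.5.4.12": 64,               # title                   ub-title
    "2.5.4.5": 64,                # serialNumber            ub-serial-number
    "2.5.4.65": 128,              # pseudonym               ub-pseudonym
    "1.2.840.113549.1.9.1": 255,  # emailAddress            ub-emailaddress-length
}

UTF8STRING, PRINTABLESTRING, OID, SEQUENCE, SET = 0x0C, 0x13, 0x06, 0x30, 0x31


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Base-128 OID encoding; first two arcs share one octet."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def encode_name(avas: List[Tuple[str, str]]) -> bytes:
    """DER Name with one AttributeTypeAndValue per RelativeDistinguishedName."""
    rdns = b""
    for oid, value in avas:
        # countryName is a PrintableString in RFC 5280; the rest are UTF8String here.
        vtag = PRINTABLESTRING if oid == "2.5.4.6" else UTF8STRING
        ava = _tlv(SEQUENCE, _tlv(OID, _encode_oid(oid)) + _tlv(vtag, value.encode("utf-8")))
        rdns += _tlv(SET, ava)
    return _tlv(SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes) -> List[Tuple[str, str]]:
    """Flatten a DER Name into (oid, value) pairs (PrintableString is a UTF-8 subset)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        stag, rdn, pos = _read_tlv(seq, pos)
        if stag != SET:
            raise ValueError("RDN must be a SET")
        rpos = 0
        while rpos < len(rdn):
            _, ava, rpos = _read_tlv(rdn, rpos)
            _, oid_body, apos = _read_tlv(ava, 0)
            _, value, _ = _read_tlv(ava, apos)
            out.append((_decode_oid(oid_body), value.decode("utf-8")))
    return out


def check_upper_bounds(der: bytes) -> List[Tuple[str, int, int]]:
    """(oid, length, bound) for each value a bounds-enforcing decoder would reject.
    Lengths are counted in characters, which is how the SIZE constraints are stated."""
    violations = []
    for oid, value in decode_name(der):
        bound = UPPER_BOUNDS.get(oid)
        if bound is not None and len(value) > bound:
            violations.append((oid, len(value), bound))
    return violations


if __name__ == "__main__":
    # Constructed sample subject: a 77-character FQDN as CN and an 80-character O.
    subject = encode_name([("2.5.4.6", "US"), ("2.5.4.10", "X" * 80),
                           ("2.5.4.3", "host." + "a" * 60 + ".example.com")])
    for oid, length, bound in check_upper_bounds(subject):
        print(f"{oid}: {length} characters exceeds ub {bound}")
```

Two details matter when reading the result. The bounds are stated in characters, not bytes, so a 64-character UTF8String organizationName that occupies 128 bytes on the wire still passes, while a 65-character ASCII one fails. And the dNSName choice of GeneralName in subjectAltName is an unconstrained IA5String, which is exactly why an FQDN can be valid in the SAN and still exceed ub-common-name when copied into the CN.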