
Relax minimum subject DN field values for trustedIdentities to not include state/province (S/ST)

Open ianjmcm opened this issue 1 year ago • 5 comments

Currently in the Trust Store and Trust Policy Specification in the Trusted Identities Constraints section there is a minimum field requirement on x.509 cert subject DN values stated as:

"Each identity in identities list MUST contain country (C), state or province (ST), and organization (O) RDNs. All other RDNs are optional. The minimal possible value is x509.subject: C=${country}, ST=${state}, O={organization},"

Not all identities will have a state/province value unless the identity is in the US or Canada, so the ST or S value needs to NOT be required. The minimum subject DN fields should be CN=, O=, L=, C=. Signing certs commonly use these values as the minimum for subject DN.

ianjmcm avatar Jan 29 '24 21:01 ianjmcm

@gokarnm @priteshbandi @shizhMSFT @Two-Hearts Would you mind taking a look at this issue?

yizha1 avatar Jan 30 '24 04:01 yizha1

Hi Ian - As per BR of cabforum- Section 7.1.4.2, should it be either C=${country}, ST=${state}, O={organization} Or C=${country}, L=${localityName}, O={organization} ? Why do we need CN?

priteshbandi avatar Feb 09 '24 21:02 priteshbandi

CN and O field values are commonly the same values, but there are many cases where a legal tradename or "dba" (doing business as) name can be placed in the O field while the CN value remains the legal organization or individual name. That said, we could allow for the minimum to exclude CN as @priteshbandi recommends.

ianjmcm avatar Feb 12 '24 15:02 ianjmcm

@priteshbandi I checked the section 7.1.4.2.2 in specification, it seems commonName is a required field for both EV and non-EV Code Signing Certificates. Would you mind checking it again?

yizha1 avatar May 07 '24 06:05 yizha1

The "commonName" (CN) field is required when issuing certificates. For TLS/SSL certificates, the commonName is usually set to the domain name that the certificate will be used for. For code signing certificates, the commonName is often set to the name of the organization.

However, for the purposes of signature verification, IMO the commonName should be optional as "Organization" (O) DN is already a mandatory component of trusted identity. Also, we have C, ST, O as mandatory field to uniquely identify an organization.

priteshbandi avatar Aug 02 '24 04:08 priteshbandi
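The discussion above turns on two separate checks: which RDNs a `trustedIdentities` entry must carry to be accepted at policy load time (the spec text quoted in the first post versus the relaxation proposed in this issue and the CA/B Forum ST-or-L alternative raised in the reply), and how that entry is then compared against a signing certificate's subject. The following is an added example, not code from the Notation project or any commenter; the `x509.subject:` prefix and the `C=…, ST=…, O=…` form come from the thread, while the matching rule (every RDN in the identity must appear in the subject with an identical value, extra subject RDNs such as CN ignored) and the `relaxed` rule (C and O mandatory, plus one of ST or L) are assumptions chosen to illustrate the proposal, as are all sample identities and subjects.

```python
import re
from typing import Dict, List

# Assumed policy variants. CURRENT_REQUIRED mirrors the spec text quoted in the
# issue (C, ST and O are mandatory); RELAXED_* is one reading of the proposal in
# this thread: C and O stay mandatory and either ST or L must be present.
CURRENT_REQUIRED = frozenset({"C", "ST", "O"})
RELAXED_REQUIRED = frozenset({"C", "O"})
RELAXED_ONE_OF = ("ST", "L")

# Some tooling prints stateOrProvinceName as "S"; fold it to "ST" so the two
# spellings mentioned in the issue compare equal.
RDN_ALIASES = {"S": "ST"}


def parse_rdn_string(dn: str) -> Dict[str, str]:
    """Parse 'C=US, ST=WA, O=Acme' into {'C': 'US', 'ST': 'WA', 'O': 'Acme'}.

    Commas separate RDNs unless escaped as '\\,' (RFC 4514 style). Attribute
    types are upper-cased and aliases folded so later comparisons are consistent.
    """
    attrs: Dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()
        key = RDN_ALIASES.get(key, key)
        if key in attrs:
            raise ValueError(f"duplicate RDN type {key}")
        attrs[key] = value.strip().replace("\\,", ",")
    return attrs


def parse_identity(identity: str) -> Dict[str, str]:
    """Strip the 'x509.subject:' prefix used by trustedIdentities entries."""
    prefix = "x509.subject:"
    if not identity.startswith(prefix):
        raise ValueError("only x509.subject identities are handled here")
    return parse_rdn_string(identity[len(prefix):])


def validate_minimum(attrs: Dict[str, str], relaxed: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the identity is acceptable."""
    problems: List[str] = []
    required = RELAXED_REQUIRED if relaxed else CURRENT_REQUIRED
    for rdn in sorted(required - set(attrs)):
        problems.append(f"missing required RDN {rdn}")
    if relaxed and not any(rdn in attrs for rdn in RELAXED_ONE_OF):
        problems.append("need at least one of " + "/".join(RELAXED_ONE_OF))
    for rdn, value in attrs.items():
        if value == "":
            problems.append(f"empty value for RDN {rdn}")
    return problems


def subject_matches(identity: Dict[str, str], cert_subject: Dict[str, str]) -> bool:
    """Assumed matching rule: every RDN in the identity must appear in the
    certificate subject with an identical value. Extra subject RDNs (e.g. CN)
    are ignored, which is why CN need not be part of the minimum set."""
    return all(cert_subject.get(k) == v for k, v in identity.items())


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real policy or certificate.
    us_identity = "x509.subject: C=US, ST=WA, O=acme-rockets.io"
    de_identity = "x509.subject: C=DE, L=Berlin, O=Example GmbH"
    for ident in (us_identity, de_identity):
        attrs = parse_identity(ident)
        print(ident)
        print("  strict :", validate_minimum(attrs) or "ok")
        print("  relaxed:", validate_minimum(attrs, relaxed=True) or "ok")
```

Under the strict rule the German identity is rejected for lacking ST even though its subject is unambiguous; under the relaxed rule both identities load, and the same `subject_matches` check works for either, because matching only ever looks at the RDNs the identity actually lists.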