Regarding gnoi.cert CSRParams message
The CSRParams message in cert.proto makes no requirements for any CSR parameters to be set, either formally or informally.
Tooling such as openssl req ... doesn't appear to require any field to be set, either; as long as the subject starts with a slash.
However, one of the purposes of creating an x509v3 certificate is to assign an intended usage to the key.
While it appears to be valid to provide empty CSR parameters, would this be considered an operator mistake by some? Or is it common practice?
Relevant RFC section: https://tools.ietf.org/html/rfc5280#section-4.1.2.6
The answer from this appears to be maybe some fields are necessary; the target can be considered a CA if it's generating the signing request itself.
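
The behaviour asked about above, as an added example that is not part of the original post or of the gNOI code base: Go's standard library will build and verify a CSR with every parameter unset, and a CA-side check can flag it before signing. The lintCSR rules (require a subject DN, require a subjectAltName) and the host name are assumptions chosen for illustration, not gNOI or RFC 5280 requirements.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// makeCSR generates a key, builds a PKCS#10 request from tmpl, then re-parses and verifies it.
func makeCSR(tmpl *x509.CertificateRequest) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// lintCSR is a hypothetical CA-side policy check; its rules are assumptions, not gNOI requirements.
func lintCSR(csr *x509.CertificateRequest) []string {
	var findings []string
	if len(csr.Subject.Names) == 0 {
		findings = append(findings, "empty subject DN")
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) == 0 {
		findings = append(findings, "no subjectAltName")
	}
	return findings
}

func main() {
	empty, err := makeCSR(&x509.CertificateRequest{}) // every parameter left unset
	fmt.Println("empty CSR:", err, lintCSR(empty))
	named, err := makeCSR(&x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "router1.example.net"}, // constructed value
		DNSNames: []string{"router1.example.net"},
	})
	fmt.Println("named CSR:", err, lintCSR(named))
}
```

The empty request is well-formed and its signature verifies, so rejecting it is a policy decision made by whoever signs, not something the encoding enforces.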