
Superfluous roles in Leaf Certificate Common Name

Open · remia opened this issue 5 years ago · 0 comments

Hi,

Just wanted to confirm that this check is indeed coming from the DCI specification and that it should be considered an error. Has anyone had to deal with this error yet? https://github.com/wolfgangw/backports/blob/master/dcp_inspect#L1621

Relevant specifications quotes follow.

DCI 1.3 9.4.3.5

The associated KDM's ContentAuthenticator element matches a certificate thumbprint of one of the certificates in the CPL's signer chain (see item 1 above), and that such certificate indicate only a "Content Signer" (CS) role per Section 5.3.4, "Naming and Roles" of the certificate specification [SMPTE 430-2 D-Cinema Operation - Digital Certificate].

SMPTE ST 430-2 6.2

If the certificate is a leaf certificate (one where the CA attribute of the BasicConstraint field is False), check that there is at least one role specified in the CommonName. (Note: It is permitted for non-leaf certificates – those with BasicConstraint.CA set to True – to have an empty list of roles, in which case the first character of the CommonName shall be the period character, which marks the end of the role field within the CommonName.) If the validation context includes a desired role, check that this role appears (see Section 6.1 and informative note there-in).

SMPTE ST 430-2 Annex A

Security devices should ignore unrecognized roles appearing in the CommonName.

remia, May 09 '19 13:05
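Added example, not code from dcp_inspect or from the issue author: a small Ruby implementation of the CommonName role checks the quoted clauses describe, so the difference between the ST 430-2 6.2 checks (at least one role on a leaf, desired role present, unrecognized roles ignored per Annex A) and the stricter DCI 9.4.3.5 wording ("only a CS role") can be seen on concrete inputs. Two assumptions not stated in the quotes: roles inside the role field are separated by whitespace, and `KNOWN_ROLES` is an illustrative list of role tokens rather than the normative set from ST 430-2. `roles_beyond_cs` only reports the extra roles; whether that should be an error is the question the issue raises and the code does not decide it.

```ruby
# Added example, not part of dcp_inspect: parse the role field of an
# SMPTE ST 430-2 CommonName and apply the checks quoted in the issue.
#
# Assumptions (not stated in the quoted clauses): roles inside the role
# field are separated by whitespace, and KNOWN_ROLES is an illustrative
# list of role tokens, not the normative set from ST 430-2.
KNOWN_ROLES = %w[CS SM SPB TMS MDI MDA LE LD].freeze

# Split a CommonName into its role list and the remainder.
# ST 430-2 6.2: the first period ends the role field, so ".Example Root CA"
# has an empty role list. Returns nil when no period is present at all.
def split_common_name(cn)
  dot = cn.index('.')
  return nil if dot.nil?
  { roles: cn[0...dot].split, name: cn[(dot + 1)..-1] }
end

# ST 430-2 6.2 checks (plus Annex A): returns the parsed roles, the errors
# the clause calls for, and the unrecognized roles that are ignored rather
# than reported. `ca:` is BasicConstraints.CA; `desired_role:` is the role
# the validation context asks for, if any.
def check_common_name_roles(cn, ca:, desired_role: nil, known_roles: KNOWN_ROLES)
  parsed = split_common_name(cn)
  if parsed.nil?
    return { roles: [], name: cn, ignored: [],
             errors: ['CommonName has no period terminating the role field'] }
  end

  roles  = parsed[:roles]
  errors = []

  if roles.empty?
    if ca
      # A non-leaf may have no roles, but then the CN must begin with the period.
      errors << 'CA certificate with empty role field must start with a period' unless cn.start_with?('.')
    else
      errors << 'leaf certificate must carry at least one role in CommonName'
    end
  end

  if desired_role && !roles.include?(desired_role)
    errors << "desired role #{desired_role} not present (roles: #{roles.join(' ')})"
  end

  # Annex A: unrecognized roles are ignored, so they are reported separately
  # instead of being added to errors.
  ignored = roles.reject { |r| known_roles.include?(r) }

  { roles: roles, name: parsed[:name], errors: errors, ignored: ignored }
end

# DCI 1.3 9.4.3.5: the CPL signer's certificate should indicate only the CS
# role. Returns the recognized roles other than CS; unrecognized tokens are
# left out because Annex A says to ignore them.
def roles_beyond_cs(roles, known_roles: KNOWN_ROLES)
  roles.select { |r| known_roles.include?(r) && r != 'CS' }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample CommonNames, not taken from any real certificate.
  [['CS.Example-Signer', false], ['CS SM.Example-Signer', false],
   ['CS FOO.Example-Signer', false], ['.Example Root CA', true],
   ['.Example-Signer', false]].each do |cn, ca|
    result = check_common_name_roles(cn, ca: ca, desired_role: ca ? nil : 'CS')
    puts "#{cn.inspect}: roles=#{result[:roles]} errors=#{result[:errors]} " \
         "ignored=#{result[:ignored]} beyond_cs=#{roles_beyond_cs(result[:roles])}"
  end
end
```

On the constructed inputs, `CS SM.Example-Signer` passes every 6.2 check (CS is present, SM is a recognized role) but `roles_beyond_cs` returns `["SM"]`, which is the "superfluous role" case the dcp_inspect check at the linked line is about; `CS FOO.Example-Signer` also passes 6.2, with `FOO` listed under `ignored` and nothing beyond CS, because Annex A says unrecognized roles are ignored.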