
Relax minimum subject DN field values for trustedIdentities to not include state/province (S/ST) #293

Open
ianjmcm opened this issue Jan 29, 2024 · 5 comments

@ianjmcm
Contributor

ianjmcm commented Jan 29, 2024

Currently in the Trust Store and Trust Policy Specification in the Trusted Identities Constraints section there is a minimum field requirement on x.509 cert subject DN values stated as:

"Each identity in identities list MUST contain country (C), state or province (ST), and organization (O) RDNs. All other RDNs are optional. The minimal possible value is x509.subject: C=${country}, ST=${state}, O={organization},"

Not all identities will have a state/province value unless the identity is in the US or Canada, so the ST or S value needs to NOT be required. The minimum subject DN fields should be CN=, O=, L=, C=. Signing certs commonly use these values as the minimum for subject DN.

@yizha1
Contributor

yizha1 commented Jan 30, 2024

@gokarnm @priteshbandi @shizhMSFT @Two-Hearts Would you mind taking a look at this issue?

@priteshbandi
Contributor

Hi Ian -
As per the CAB Forum BR, Section 7.1.4.2, should it be either C=${country}, ST=${state}, O={organization} or C=${country}, L=${localityName}, O={organization}? Why do we need CN?

@ianjmcm
Contributor Author

ianjmcm commented Feb 12, 2024

CN and O field values are commonly the same values, but there are many cases where a legal tradename or "dba" (doing business as) name can be placed in the O field while the CN value remains the legal organization or individual name. That said, we could allow for the minimum to exclude CN as @priteshbandi recommends.

@yizha1
Contributor

yizha1 commented May 7, 2024

@priteshbandi I checked the section 7.1.4.2.2 in specification, it seems commonName is a required field for both EV and non-EV Code Signing Certificates. Would you mind checking it again?

@priteshbandi
Contributor

priteshbandi commented Aug 2, 2024

The "commonName" (CN) field is required when issuing certificates. For TLS/SSL certificates, the commonName is usually set to the domain name that the certificate will be used for. For code signing certificates, the commonName is often set to the name of the organization.

However, for the purposes of signature verification, IMO the commonName should be optional as "Organization" (O) DN is already a mandatory component of trusted identity. Also, we have C, ST, O as mandatory fields to uniquely identify an organization.

@yizha1 yizha1 modified the milestones: 1.1.0, 1.2.0 Aug 6, 2024
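The two rules discussed in this thread (the spec's current C+ST+O minimum for a trusted identity quoted in the opening comment, and the C+ST+O or C+L+O alternative raised from the CAB Forum BR) and the matching step in the last comment (every RDN in the identity must be present in the certificate subject with the same value, with O mandatory and CN informative) can be checked with a small program. The following is an added example written for this page; it is not the Notary Project's code and does not reproduce the notation-go matcher. The `parseDN` simplification (no RFC 4514 escaping, no multi-valued RDNs, `S` treated as an alias of `ST`), the `currentSpec`/`relaxedSpec` policy shapes and all identity and subject strings are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// rdn is one attribute of a distinguished name, e.g. {"O", "Example Corp"}.
type rdn struct {
	typ, val string
}

// parseDN splits a comma-separated DN string such as "C=US, ST=WA, O=Example Corp"
// into its RDNs. This is a deliberate simplification of RFC 4514: escaped
// characters and multi-valued RDNs are rejected rather than parsed, and a
// duplicated attribute type is treated as an error.
func parseDN(s string) ([]rdn, error) {
	if strings.ContainsAny(s, `\+`) {
		return nil, errors.New("escaped or multi-valued RDNs are not supported")
	}
	var out []rdn
	seen := map[string]bool{}
	for _, part := range strings.Split(s, ",") {
		part = strings.TrimSpace(part)
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed RDN %q", part)
		}
		k := strings.ToUpper(strings.TrimSpace(kv[0]))
		v := strings.TrimSpace(kv[1])
		if k == "S" { // "S" is a common alias for stateOrProvinceName (assumption)
			k = "ST"
		}
		if k == "" || v == "" {
			return nil, fmt.Errorf("malformed RDN %q", part)
		}
		if seen[k] {
			return nil, fmt.Errorf("duplicate RDN type %q", k)
		}
		seen[k] = true
		out = append(out, rdn{k, v})
	}
	return out, nil
}

// minimumRDNs is one acceptable set of required RDN types for a trusted identity.
// A policy is a list of alternatives; an identity must satisfy at least one.
type minimumRDNs []string

// currentSpec is the rule quoted in the issue: C, ST and O are all mandatory.
var currentSpec = []minimumRDNs{{"C", "ST", "O"}}

// relaxedSpec is the alternative raised in the thread: C+ST+O or C+L+O.
// This formulation is an assumption for the example, not adopted spec text.
var relaxedSpec = []minimumRDNs{{"C", "ST", "O"}, {"C", "L", "O"}}

// validateIdentity checks that a trust-policy identity carries at least one of
// the policy's required RDN sets; it returns nil on success.
func validateIdentity(identity string, policy []minimumRDNs) error {
	rdns, err := parseDN(identity)
	if err != nil {
		return err
	}
	have := map[string]bool{}
	for _, r := range rdns {
		have[r.typ] = true
	}
	for _, alt := range policy {
		ok := true
		for _, t := range alt {
			if !have[t] {
				ok = false
				break
			}
		}
		if ok {
			return nil
		}
	}
	return fmt.Errorf("identity %q lacks every required RDN set in %v", identity, policy)
}

// matchesSubject reports whether certSubject satisfies the trusted identity:
// every RDN listed in the identity must be present in the certificate subject
// with an identical value; extra RDNs in the certificate (CN, OU, ...) are
// ignored. The rule is the one the thread assumes, not the project's own code.
func matchesSubject(identity, certSubject string) (bool, error) {
	want, err := parseDN(identity)
	if err != nil {
		return false, err
	}
	got, err := parseDN(certSubject)
	if err != nil {
		return false, err
	}
	have := map[string]string{}
	for _, r := range got {
		have[r.typ] = r.val
	}
	for _, r := range want {
		if v, ok := have[r.typ]; !ok || v != r.val {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample identities: a US one with ST, a German one with L only.
	for _, id := range []string{"C=US, ST=WA, O=Example Corp", "C=DE, L=Berlin, O=Example GmbH"} {
		fmt.Printf("%-32s current rule: %-5v relaxed rule: %v\n", id,
			validateIdentity(id, currentSpec) == nil, validateIdentity(id, relaxedSpec) == nil)
	}
	// A certificate whose O holds a "dba" name does not match an identity pinned to the legal name.
	ok, _ := matchesSubject("C=DE, L=Berlin, O=Example GmbH", "CN=Example GmbH, O=Example Trading, L=Berlin, C=DE")
	fmt.Println("dba-in-O certificate matches legal-name identity:", ok)
}
```

The German identity is the case the issue opens with: it fails `currentSpec` solely because it has no ST, and passes once L is accepted as the alternative. The final check shows why the thread treats O rather than CN as the pinning attribute: the certificate's CN still names the legal entity, but its O does not, so the identity does not match.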