Relax minimum subject DN field values for trustedIdentities to not include state/province (S/ST)

[ianjmcm]

Currently in the Trust Store and Trust Policy Specification in the Trusted Identities Constraints section there is a minimum field requirement on x.509 cert subject DN values stated as:

"Each identity in identities list MUST contain country (C), state or province (ST), and organization (O) RDNs. All other RDNs are optional. The minimal possible value is x509.subject: C=${country}, ST=${state}, O={organization},"

Not all identities will have a state/province value unless the identity is in the US or Canada, so the ST or S value need to NOT be required. The minimum subject DN fields should be CN=, O=, L=, C=. Signing certs commonly use these values as the minimum for subject DN.

[yizha1]

@gokarnm @priteshbandi @shizhMSFT @Two-Hearts Would you mind taking a look at this issue?

[priteshbandi]

Hi Ian -
As per BR of cabforum- Section 7.1.4.2, should it be either C=${country}, ST=${state}, O={organization} Or C=${country}, L=${localityName}, O={organization} ? Why do we need CN?

[ianjmcm]

CN and O field values are commonly the same values, but there are many cases where a legal tradename or "dba" (doing business as) name can be placed in the O field while the CN value remains to the be legal organization or individual name. That said, we could allow for the minimum to exclude CN as @priteshbandi recommends.

[yizha1]

@priteshbandi I checked the section 7.1.4.2.2 in specification, it seems commonName is a required field for both EV and non-EV Code Signing Certificates. Would you mind checking it again?

[priteshbandi]

The "commonName" (CN) field is required when issuing certificates. For TLS/SSL certificates, the commonName is usually set to the domain name that the certificate will be used for. For code signing certificates, the commonName is often set to the name of the organization.

However, for the purposes of signature verification, IMO the commonName should be optional as "Organization" (O) DN is already a mandatory component of trusted identity. Also, we have C, ST, O as mandatory field to uniquely identify an organization.

[hostalp]

I too vote for making the ST/S fields optional. They aren't of much use in many countries and even for example DigiCert CA don't use them in their own intermediate and root certificates.
We can't use any x509.subject in the Trust Policy trustedIdentities because of this requirement.

[ianjmcm]

To mirror existing PKI norms and requirements (such as CA/B Forum) the ST/S fields on certificates must only be present on end entity certificates issued to organizations and persons that reside in the US or Canada. Otherwise, they should be optional.

With regards to CN and O field values, the norms for end-entity certificates in code signing is to have both in support of DBA and tradenames where the more common tradename or DBA is recognized by consumers more than the organization itself.