Relax minimum subject DN field values for trustedIdentities to not include state/province (S/ST)

[ianjmcm]

Currently in the Trust Store and Trust Policy Specification in the Trusted Identities Constraints section there is a minimum field requirement on x.509 cert subject DN values stated as:

"Each identity in identities list MUST contain country (C), state or province (ST), and organization (O) RDNs. All other RDNs are optional. The minimal possible value is x509.subject: C=${country}, ST=${state}, O={organization},"

Not all identities will have a state/province value unless the identity is in the US or Canada, so the ST or S value need to NOT be required. The minimum subject DN fields should be CN=, O=, L=, C=. Signing certs commonly use these values as the minimum for subject DN.

[yizha1]

@gokarnm @priteshbandi @shizhMSFT @Two-Hearts Would you mind taking a look at this issue?

[priteshbandi]

Hi Ian -
As per BR of cabforum- Section 7.1.4.2, should it be either C=${country}, ST=${state}, O={organization} Or C=${country}, L=${localityName}, O={organization} ? Why do we need CN?

[ianjmcm]

CN and O field values are commonly the same values, but there are many cases where a legal tradename or "dba" (doing business as) name can be placed in the O field while the CN value remains to the be legal organization or individual name. That said, we could allow for the minimum to exclude CN as @priteshbandi recommends.

[yizha1]

@priteshbandi I checked the section 7.1.4.2.2 in specification, it seems commonName is a required field for both EV and non-EV Code Signing Certificates. Would you mind checking it again?

[priteshbandi]

The "commonName" (CN) field is required when issuing certificates. For TLS/SSL certificates, the commonName is usually set to the domain name that the certificate will be used for. For code signing certificates, the commonName is often set to the name of the organization.

However, for the purposes of signature verification, IMO the commonName should be optional as "Organization" (O) DN is already a mandatory component of trusted identity. Also, we have C, ST, O as mandatory field to uniquely identify an organization.