Attribute presence requirements in directoryName SANs


Corey Bonnell

Mar 11, 2025, 9:06:40 AM
to smcwg-...@groups.cabforum.org

Hello,

An issue was recently raised on the pkilint repository [1] asking about the logic used to check the attributes contained in a directoryName SAN. The current behavior of the linter is to apply the same checks used for the subject DN to any directoryName SANs present in the certificate. For example, if the S/MIME certificate is a sponsored multipurpose certificate, then the linter will check if at least one of givenName, surname, or pseudonym are present in the SAN. I believe this matches the intent of the requirements, which is to allow for alternate representations of the subject DN information. However, this is not explicit in the SMBRs and there is a reasonable interpretation that the directoryName requirements do not define which attributes must appear in the SAN.


What would be the best path forward? Clarify the language in the SMBRs, or adjust the linter behavior to be more flexible?


Given my recollection of the discussion on this requirement, I believe a clarification to the SMBRs is warranted to ensure that the attribute presence requirements clearly apply to the subject DN as well as any directoryName SANs. I would be interested to hear what others think on this topic.


Thanks,

Corey


[1] https://github.com/digicert/pkilint/issues/147
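To make the two interpretations discussed above concrete, here is an added example (not pkilint's code, and not part of the original message) that models the check in plain Python with no third-party dependencies. It hand-encodes a DER X.509 Name and a SubjectAltName containing an rfc822Name and a directoryName, decodes them back to attribute type OIDs, and then applies a simplified version of the sponsored-certificate rule ("at least one of givenName, surname, or pseudonym") either to the subject DN only, or to the subject DN and every directoryName SAN. The `strict` flag, the attribute list, the sample names and the OID table are the example's own constructions; the real SMBR profile logic is richer than this single rule.

```python
"""Attribute-presence check over the subject DN and directoryName SANs.

Constructed example: a minimal DER encoder/decoder for X.509 Name and
SubjectAltName, plus a check that applies one simplified SMBR-style rule
(at least one of givenName, surname, pseudonym must be present) to the
subject and, when strict=True, to each directoryName SAN as well.
"""

# X.520 attribute type OIDs used in this example.
OID = {
    "commonName": "2.5.4.3",
    "surname": "2.5.4.4",
    "organization": "2.5.4.10",
    "givenName": "2.5.4.42",
    "pseudonym": "2.5.4.65",
}

def _length(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der(0x06, bytes(out))

def encode_name(attrs):
    """attrs: list of (attribute name, value) -> DER Name, one AVA per RDN."""
    rdns = b"".join(
        der(0x31, der(0x30, encode_oid(OID[a]) + der(0x0C, v.encode("utf-8"))))
        for a, v in attrs)
    return der(0x30, rdns)

def encode_san(rfc822=(), directory_names=()):
    """SubjectAltName: rfc822Name is [1] IMPLICIT, directoryName is [4] EXPLICIT Name."""
    names = b"".join(der(0x81, e.encode("ascii")) for e in rfc822)
    names += b"".join(der(0xA4, encode_name(dn)) for dn in directory_names)
    return der(0x30, names)

def _tlv(buf, pos=0):
    """Decode one tag-length-value at pos; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        yield tag, body

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def name_attribute_oids(name_der):
    """Set of attribute type OIDs present anywhere in a DER Name."""
    tag, rdns, _ = _tlv(name_der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    oids = set()
    for _, rdn in _children(rdns):        # RDN: SET OF AttributeTypeAndValue
        for _, ava in _children(rdn):     # AVA: SEQUENCE { type, value }
            _, oid_body = next(iter(_children(ava)))
            oids.add(decode_oid(oid_body))
    return oids

def directory_name_sans(san_der):
    """Return the DER Name inside each [4] directoryName GeneralName."""
    _, names, _ = _tlv(san_der)
    return [body for tag, body in _children(names) if tag == 0xA4]

NATURAL_PERSON_ANY_OF = {OID["givenName"], OID["surname"], OID["pseudonym"]}

def lint_names(subject_der, san_der, strict=True):
    """strict=True applies the subject-DN rule to every directoryName SAN too;
    strict=False is the looser reading where only the subject is checked."""
    targets = [("subject", subject_der)]
    if strict:
        targets += [(f"directoryName SAN #{i}", dn)
                    for i, dn in enumerate(directory_name_sans(san_der))]
    return [f"{label}: none of givenName, surname, pseudonym present"
            for label, dn in targets
            if not name_attribute_oids(dn) & NATURAL_PERSON_ANY_OF]

# Constructed sample: subject carries givenName/surname, the directoryName SAN does not.
SUBJECT = encode_name([("commonName", "Jane Doe"), ("givenName", "Jane"),
                       ("surname", "Doe"), ("organization", "Example Corp")])
SAN = encode_san(rfc822=["jane.doe@example.com"],
                 directory_names=[[("commonName", "Jane Doe"), ("organization", "Example Corp")]])

if __name__ == "__main__":
    print(lint_names(SUBJECT, SAN, strict=True))   # one finding, for the SAN
    print(lint_names(SUBJECT, SAN, strict=False))  # no findings
```

With the sample certificate names above, the strict mode (the linter's current behaviour as described in the message) reports the directoryName SAN because it carries only commonName and organization, while the flexible reading passes; that is exactly the gap a clarification to the SMBRs would close one way or the other.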
