On Mon, Jan 23, 2017 at 04:01:58PM -0800, Peter Bowen wrote:
> On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson <kwi...@mozilla.com> wrote:
> > Does section 220.127.116.11 of the CA/Browser Forum's Baseline Requirements only apply to end-entity certificates?
> > If yes, where does it specify that in the document?
> > This has come up in a few CA requests, due to errors we get when we run Kurt's x509lint test.
> > Example:
> > https://github.com/kroeckx/x509lint/issues/17
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1099311#c17
> I believe that it does not apply to CA certificates, but I can see how
> this is not clear.
> To help understand the intent of this section, it is helpful to look
> at the history of the section. 18.104.22.168 has not been substantially
> changed since BR 1.3.0, which was the version that switched from the
> old structure to the new RFC 3647 structure. As seen in
> 22.214.171.124 was previously section 9.2 and 126.96.36.199 was previously section
> In 2015, the CA/Browser Forum passed ballot 148
> which changed sections 9.1 and 9.2 and appears to clearly call out
> that the intent is to require different content in the subjects for CA
> certificates than end-entity certificates.