martinisecurity / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Serial number in DN may be included in DN #8

Open mandelj7 opened 1 year ago

mandelj7 commented 1 year ago

Error message: STI certificate shall include a ‘serialNumber’ attribute along with the CN. In CP v1.4, section 3.1.1 states that the serial number may be included in the DN to distinguish among successive instances of certificates associated with the same entity. Could you make an update to allow for the serial number not to be present?

rmhrisk commented 1 year ago

Unfortunately, the new 1.4 CP is now even more vague.

While it now says:

> To distinguish among successive instances of certificates associated with the same entity, the ‘serialNumber’ naming attribute **may also** be included in the DN.

It also states:

> However, each STI-CA shall certify that subject names are unique among the certificates it issues and must describe the process for creating unique names in the CPS.

As you can see, subject names must still be unique; the only change is that the requirement for how they should be made unique has been removed.

The reality is that the issue is the requirement of uniqueness of the distinguished name. This only makes sense when there is a directory, and STIR/SHAKEN has no such directory. Furthermore, opening up the arbitrary population of uniqueness into the subject introduces potential compatibility issues. Regardless, if there is a requirement for the uniqueness of the distinguished name, then it should be specified how that uniqueness is achieved; without such a specification it's not testable.

Since the inception of the STIR/SHAKEN PKI, the requirement has been to make the subject names unique. No CAs other than Martini Security do that, and removing the testability of the uniqueness requirement only serves to obscure the non-conformity that exists within the STIR/SHAKEN ecosystem.

With that said, even though the requirement for uniqueness exists and they have made it untestable with this change, we will move this from Mandatory (MUST/SHALL) to a Warning to align with the new CP release language.
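To make the severity change concrete, the following is an added example, not zlint's own lint code and not part of this thread. It is a small Go program that parses a certificate, walks the Subject's attribute list for the X.520 `serialNumber` attribute (OID 2.5.4.5), and reports `warn` rather than `error` when the attribute is absent. The lint name `lintStiSubjectSerialNumber`, the `Severity` type and the two sample subjects are assumptions constructed for the example; the certificates are self-signed test certificates generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
	"math/big"
	"time"
)

// Severity is a minimal stand-in for a linter's result levels (hypothetical,
// not zlint's type). The Error-vs-Warn distinction is the point of the thread.
type Severity int

const (
	Pass Severity = iota
	Warn
	Error
)

func (s Severity) String() string { return [...]string{"pass", "warn", "error"}[s] }

// oidSerialNumber is the X.520 id-at-serialNumber attribute type, 2.5.4.5.
var oidSerialNumber = asn1.ObjectIdentifier{2, 5, 4, 5}

// subjectHasSerialNumber inspects every parsed attribute in the Subject rather
// than only pkix.Name.SerialNumber, so the check does not depend on how the
// standard library happened to map the RDN sequence into named fields.
func subjectHasSerialNumber(cert *x509.Certificate) bool {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidSerialNumber) {
			return true
		}
	}
	return false
}

// lintStiSubjectSerialNumber is a hypothetical lint (example code, not zlint's).
// A missing serialNumber yields Warn, matching the severity change described
// above: CP v1.4 says the attribute "may" be present, but names must be unique.
func lintStiSubjectSerialNumber(cert *x509.Certificate) (Severity, string) {
	if subjectHasSerialNumber(cert) {
		return Pass, ""
	}
	return Warn, "subject DN has no serialNumber attribute; CP v1.4 section 3.1.1 allows its omission, but the STI-CA must still guarantee unique subject names"
}

// newTestCert builds a throwaway self-signed certificate with the given subject.
// Constructed test input only; key material is generated and discarded.
func newTestCert(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Two constructed subjects: one carries serialNumber, one does not.
	subjects := []pkix.Name{
		{CommonName: "SHAKEN 1234", Organization: []string{"Example Carrier"}, SerialNumber: "0001"},
		{CommonName: "SHAKEN 1234", Organization: []string{"Example Carrier"}},
	}
	for _, subj := range subjects {
		cert, err := newTestCert(subj)
		if err != nil {
			log.Fatal(err)
		}
		sev, msg := lintStiSubjectSerialNumber(cert)
		fmt.Printf("%-55s -> %s %s\n", cert.Subject.String(), sev, msg)
	}
}
```

Running it prints `pass` for the subject that includes `SERIALNUMBER=0001` and `warn` with the explanatory message for the one that omits it; promoting the second result back to `Error` is a one-line change in `lintStiSubjectSerialNumber`, which is exactly the knob the comment above describes turning.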

fenichelar commented 6 months ago

ATIS-1000080.v005 explicitly states that names are not intended to be unique for renewals/replacements:

> The subject DN of an end-entity certificate is not intended to be unique when a new certificate is issued to the same entity for the purpose of replacing an expired certificate.

This text was intentionally added to make it clear that the serialNumber attribute should not be included in the Subject DN of STI Certificates.