[caops-wg] Fwd: Change in Subject Alternative Names policy for host certificates issued by the CERN CA

Sill, Alan alan.sill at ttu.edu
Fri May 19 06:55:21 EDT 2017




Begin forwarded message:

From: Paolo Tedesco <Paolo.Tedesco at cern.ch>
Date: May 19, 2017 at 4:24:30 AM CDT
To: "dg-eur-ca at services.cnrs.fr" <dg-eur-ca at services.cnrs.fr>
Cc: Emmanuel Ormancey <Emmanuel.Ormancey at cern.ch>, Thomas Baron <Thomas.Baron at cern.ch>, Daniel Fernandez Rodriguez <daniel.fernandez at cern.ch>
Subject: Change in Subject Alternative Names policy for host certificates issued by the CERN CA
Reply-To: Paolo Tedesco <Paolo.Tedesco at cern.ch>

Dear all,

As you probably know, recently Google Chrome has stopped supporting the common name in host certificates (https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/IGT2fLJrAeo/csf_1Rh1AwAJ) and now expects the certificate to contain a DNS Subject Alternative Name.

After this change, we have started receiving support cases for the CERN Certification Authority about CERN certificates being rejected by Chrome.

For this reason, we would like to introduce a new requirement in our CP/CPS, stating that host certificate requests must contain a SAN in DNS format matching the host in the certificate subject.

I'm attaching the updated CP/CPS document for review. The changed sections are 4.1.2 (for host certificates autoenrollment) and 4.2.1 (for user submitted requests).

If I don't get any objections by Monday 5 June, I'll publish the updated CP/CPS and proceed to update the tools and the website to be compliant with the new policies.

Best regards,
Paolo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CERN Grid Certification Authority CP-CPS.DOCX
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 425786 bytes
Desc: CERN Grid Certification Authority CP-CPS.DOCX
URL: <http://www.ogf.org/pipermail/caops-wg/attachments/20170519/27d619b7/attachment-0001.docx>
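The requirement stated in the message above, as an added example that is not part of the original post or of the CERN CA's tooling: a shell function that accepts a PKCS#10 request only when one of its DNS SANs equals the subject CN. The function names and the sample-CSR helper are hypothetical, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not CERN CA tooling): policy check for a PKCS#10 request.
# Succeeds only if a dNSName SAN equals the subject CN, compared
# case-insensitively. Assumes OpenSSL 1.1.1+ (-addext in the sample maker).

csr_has_matching_san() {
    csr="$1"
    # Subject common name, one attribute per line, lower-cased.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p' | head -n 1 | tr 'A-Z' 'a-z')
    [ -n "$cn" ] || return 1
    # The line after the SAN header lists the requested names, comma-separated.
    # Non-DNS entries (IP Address, email) are dropped by the sed filter.
    openssl req -in "$csr" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z' |
        grep -Fxq -- "$cn"
}

# Constructed sample input: write a throwaway key and CSR for CN=$2 to $1,
# with optional SAN string $3 (hypothetical helper for the demonstration).
make_sample_csr() {
    out="$1"; cn="$2"; san="$3"
    if [ -n "$san" ]; then
        openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
            -subj "/CN=$cn" -addext "subjectAltName=$san" -out "$out" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
            -subj "/CN=$cn" -out "$out" 2>/dev/null
    fi
}

# Usage: sh check_csr.sh request.pem
if [ "$#" -gt 0 ]; then
    if csr_has_matching_san "$1"; then echo "accept: DNS SAN matches CN"
    else echo "reject: no DNS SAN matching the subject CN"; fi
fi
```

A request with no SAN extension at all is rejected the same way as one whose SANs name a different host, which is the case Chrome users were hitting.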