Relax minimum subject DN field values for trustedIdentities to not include state/province (S/ST)

[ianjmcm]

Currently in the Trust Store and Trust Policy Specification in the Trusted Identities Constraints section there is a minimum field requirement on x.509 cert subject DN values stated as:

"Each identity in identities list MUST contain country (C), state or province (ST), and organization (O) RDNs. All other RDNs are optional. The minimal possible value is x509.subject: C=${country}, ST=${state}, O={organization},"

Not all identities will have a state/province value unless the identity is in the US or Canada, so the ST or S value need to NOT be required. The minimum subject DN fields should be CN=, O=, L=, C=. Signing certs commonly use these values as the minimum for subject DN.

[yizha1]

@gokarnm @priteshbandi @shizhMSFT @Two-Hearts Would you mind taking a look at this issue?

[priteshbandi]

Hi Ian -
As per BR of cabforum- Section 7.1.4.2, should it be either C=${country}, ST=${state}, O={organization} Or C=${country}, L=${localityName}, O={organization} ? Why do we need CN?

[ianjmcm]

CN and O field values are commonly the same values, but there are many cases where a legal tradename or "dba" (doing business as) name can be placed in the O field while the CN value remains to the be legal organization or individual name. That said, we could allow for the minimum to exclude CN as @priteshbandi recommends.

[yizha1]

@priteshbandi I checked the section 7.1.4.2.2 in specification, it seems commonName is a required field for both EV and non-EV Code Signing Certificates. Would you mind checking it again?