I'm not sure that the following is of any use in your discussion but, as
Larry points out, CA certificates compliant with RFC 3280 MUST contain a
non-empty DN.
The reason is not just to provide a meaningful name of CAs but rather
that implementations may fail to build the certificate path unless CA
certificates contain a DN.
Subject certificates may omit a subject DN but MUST then contain a
non-empty subjectAltName extension marked as critical.
Program Manager, Standards Liaison
> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:[hidden email]]
> Sent: den 14 juli 2005 17:23
> To: Liqiang(Larry) Zhu; [hidden email]
> Cc: [hidden email]; Stefan Santesson; [hidden email]
> Subject: RE: What's in a Name?
> On Thursday, July 14, 2005 05:15:50 PM -0700 "Liqiang(Larry) Zhu"
> <[hidden email]> wrote:
> > Jeffrey Hutzelman wrote:
> >> We run into those issues anyway for TD-TRUSTED-CERTIFIERS and
> >> AD-INITIAL-VERIFIED-CAS.
> > No, my assumption is the subject DN is always present for the CA
> > certificate.
> OK, so we don't run into the "Name not present" for
> What about AD-INITIAL-VERIFIED-CA's? I don't remember; does that
> the leaf cert or only the CA's?
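
The RFC 3280 naming rules stated in the reply at the top of this message (a CA certificate needs a non-empty subject DN; any other certificate may omit it only if it carries a critical, non-empty subjectAltName) can be checked mechanically. The following is an added example, not part of the original thread: it assumes the Python `cryptography` package, and the helper names, the throwaway key and the `example.test` names are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name_violations(cert):
    """Return the RFC 3280 subject-naming violations for one certificate."""
    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound:
            return None
    bc, san = ext(x509.BasicConstraints), ext(x509.SubjectAlternativeName)
    if cert.subject.rdns:            # non-empty subject DN: rule is satisfied
        return []
    if bc is not None and bc.value.ca:
        return ["CA certificate has an empty subject DN"]
    if san is None or not list(san.value):
        return ["empty subject DN and no subjectAltName"]
    if not san.critical:
        return ["empty subject DN but subjectAltName is not critical"]
    return []

# Constructed test material: throwaway key and a hypothetical issuer name.
KEY = ec.generate_private_key(ec.SECP256R1())
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])

def make_cert(subject, ca, san_critical=None):
    """Build a signed sample certificate; san_critical=None means no SAN."""
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(ISSUER)
               .public_key(KEY.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(datetime.datetime(2024, 1, 1))
               .not_valid_after(datetime.datetime(2034, 1, 1))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None),
                              critical=True))
    if san_critical is not None:
        san = x509.SubjectAlternativeName([x509.DNSName("host.example.test")])
        builder = builder.add_extension(san, critical=san_critical)
    return builder.sign(KEY, hashes.SHA256())

if __name__ == "__main__":
    for args in [(ISSUER, True), (x509.Name([]), True),
                 (x509.Name([]), False, True), (x509.Name([]), False, False)]:
        print(name_violations(make_cert(*args)))
```

Running the same function over a trust-anchor bundle or an issued-certificate inventory flags the certificates that path-building implementations may reject.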