Forked from #457
It is surprising that the countryName field is permitted in DV certificates. The name "Domain Validated" indicates that the validated information is the domain, so the inclusion of other validated information (which must be validated using methods more common to OV/IV/EV certificates) is a surprise.
In addition, I believe that the inclusion of the countryName field serves no real purpose in DV certs. It is not displayed by relying parties, and the information it carries is redundant at best and misleading at worst. Per BR section 3.2.2.3, a countryName can be validated in four ways:
1. by IP geolocation -- this is potentially misleading, and should be disallowed
2. by ccTLD -- this is redundant
3. by Registrar -- this is effectively a subset of (4) below, since a registrar is a Reliable Data Source
4. by one of the Organization Validation methods -- in which case you should just be issuing an OV cert, not a DV cert
Finally, almost no DV certs include a countryName: this censys query shows less than 100 currently-valid trusted DV certs with a countryName. Forbidding this practice would have almost no effect on the Web PKI, but would simplify the BR profiles and reduce confusion.
As such, I think we should consider forbidding inclusion of countryName in DV certs.
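As an added illustration (not code from this issue or from the Baseline Requirements), a small lint in Python using the pyca/cryptography library that flags exactly the combination this issue proposes to forbid: a leaf asserting the CA/B Forum DV policy OID 2.23.140.1.2.1 while carrying a countryName in its Subject. The certificate it checks is self-signed and constructed in-process; the host name example.test and the country US are made-up values.

```python
# Added example: lint for "DV policy OID + countryName in Subject".
# Requires the pyca/cryptography package; the certificate is built in-process.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# CA/Browser Forum reserved policy identifier for Domain Validated certificates.
DV_POLICY_OID = x509.ObjectIdentifier("2.23.140.1.2.1")


def asserts_dv_policy(cert: x509.Certificate) -> bool:
    """True if certificatePolicies contains the DV policy OID."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return False
    return any(p.policy_identifier == DV_POLICY_OID for p in policies)


def subject_country_names(cert: x509.Certificate) -> list[str]:
    """All countryName (C=) values in the Subject; normally zero or one."""
    return [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)]


def dv_with_country_name(cert: x509.Certificate) -> bool:
    """The condition the issue proposes to forbid: DV policy asserted and C= present."""
    return asserts_dv_policy(cert) and bool(subject_country_names(cert))


def make_test_cert(with_country: bool) -> x509.Certificate:
    """Constructed self-signed leaf for demonstration only (not a real CA's cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]  # made-up name
    if with_country:
        attrs.insert(0, x509.NameAttribute(NameOID.COUNTRY_NAME, "US"))  # made-up value
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("example.test")]), critical=False)
        .add_extension(x509.CertificatePolicies([x509.PolicyInformation(DV_POLICY_OID, None)]), critical=False)
    )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(dv_with_country_name(make_test_cert(True)))   # True: would be flagged
    print(dv_with_country_name(make_test_cert(False)))  # False: plain DV cert
```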