[cabfpub] Naming rules
陳立群
realsky at cht.com.tw
Fri Mar 10 10:18:47 UTC 2017
Peter,
Please see our responses inline below.
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Tuesday, March 07, 2017 12:04 AM
To: CA/Browser Forum Public Discussion List
Cc: Peter Bowen
Subject: [External Mail] Re: [cabfpub] Naming rules
> On Mar 6, 2017, at 2:59 AM, Gervase Markham via Public <public at cabforum.org> wrote:
>
> On 06/03/17 06:51, Kirk Hall wrote:
>> Gerv – we worked on BR 9.16.3 together – the whole point was to ALLOW
>> CAs to deviate from (modify) the BRs if required by applicable law
>
> Yes, if _required_ by applicable _law_. I may be misunderstanding the
> situation, but if Peter's summary is correct:
>
> "I believe the government on Taiwan falls into the latter case. They
> have a PKI which has the policy that names must be taken from an
> existing Directory Information Tree operated by the government. Many
> of the Names in the existing DIT don’t include attributes that are
> required by the BRs."
>
> ...then this is not a 9.16.3 situation. There is no law anyone has
> quoted which requires Chunghwa Telecom to issue certificates for this
> PKI from publicly-trusted roots. So they can solve the "problem"
> either by not issuing certificates for this PKI, or by issuing them
> from private roots. The fact that they might _want_ to issue
> certificates for it from publicly-trusted roots for convenience is not
> in itself enough to allow them to use 9.16.3.
>
> Let's imagine this DIT was operated by a private company. Would they
> then be allowed to use 9.16.3? Of course not. The fact that the
> government is operating it doesn't make any difference, unless there's
> a law which says that all Taiwanese CAs _must_ issue for it from any
> root the government chooses. The government doesn't get a special
> carve-out from the BRs for its PKIs just by virtue of being the government.
>
> As I said, I may have misunderstood the situation, but that's how I
> see it at the moment.
Li-Chun: Can you clarify? Is there any law in Taiwan that requires specific name forms or is this discussion about getting an existing established PKI to be BR-compliant by changing the BRs instead of changing the PKI?
===>
We hope this discussion is about getting an existing established PKI to be BR-compliant by changing the BRs instead of changing the PKI.
The DIT naming rules of the Taiwan Government PKI (GPKI) were defined according to related laws or regulations. For government entities in the DIT, their Distinguished Names (DNs) were specified according to the related government organizational laws, such as the Organizational Act of the Executive Yuan (the "Executive Yuan" is our Cabinet). For private organizations such as companies or business entities, their Distinguished Names (DNs) were specified according to the name rules required by the related registration laws, such as the Company Act or the Business Registration Act. The DIT naming rules were then incorporated into the CPS of the CAs in the GPKI and were also incorporated into the Certificate and CRL profiles of the GPKI. Our Government CA needs to follow the naming rules specified in the CPS and the Certificate Profile.
For central government agencies/units under the Executive Yuan (i.e., our Cabinet), the name form is:
C=TW,
O=行政院 (i.e., "Executive Yuan" in Chinese)
OU= the official name of the Ministry, Council or Commission as specified in the Organizational Act of the Executive Yuan
OU= the official name of the subordinate agency or unit under the Ministry, Council or Commission as specified in the Organizational Act of the Ministry, Council or Commission
OU=......Since the government organization is a hierarchy, there can be multiple levels of OUs
For example, for the Ministry of Finance, the Distinguished Name (DN) in the DIT will be:
C=TW,
O=行政院 (i.e., "Executive Yuan" if written in Chinese)
OU=財政部 (i.e., "Ministry of Finance" if written in Chinese)
This is according to Article 2 and Article 3 of the Organizational Act of the Executive Yuan:
Article 2
The Executive Yuan shall exercise the powers granted by the Constitutional Law.
Article 3
The Executive Yuan establishes the Ministries as follows:
(1) Ministry of the Interior;
(2) Ministry of Foreign Affairs;
(3) Ministry of National Defense;
(4) Ministry of Finance;
(5) Ministry of Education;
(6) Ministry of Justice;
(7) Ministry of Economic and Energy Affairs;
(8) Ministry of Transportation and Construction;
(9) Ministry of Labor;
(10) Ministry of Agriculture;
(11) Ministry of Health and Welfare;
(12) Ministry of Environment and Natural Resources;
(13) Ministry of Culture; and
(14) Ministry of Science and Technology.
For local government agencies/units, the name form is:
C=TW,
L=the official name of the City or County
L=the official name of the District, County-administered City, or Township under the City or County (Optional, only for the government agencies at the District, County-administered City, or Township level)
O=市政府 or 縣政府 (i.e., "City Government" or "County Government" if written in Chinese)
OU= the official name of the agencies/units as specified in the Self-Government Ordinances of the city government or county government
OU= the official name of the subordinate agency or unit under the agency/unit as specified in the Self-Government Regulation of the agency/unit
OU=......Since the local government organization is a hierarchy, there can be multiple levels of OUs
For example, for the Department of Finance of the Taipei City Government, the Distinguished Name (DN) in the DIT will be:
C=TW,
L=臺北市 (i.e., "Taipei City" if written in Chinese)
O=市政府 (i.e., "City Government" if written in Chinese)
OU=財政局 (i.e., "Department of Finance" if written in Chinese)
If you are interested in the DIT hierarchy of our Government PKI, you can visit the following web page. However, the web page is in Chinese.
http://oid.nat.gov.tw/infobox1/personmain.jsp
Thank you.
Li-Chun Chen
Chunghwa Telecom
Thanks,
Peter
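Added example (not part of the original message or of any CA's tooling): a Python check of the two example DNs from this message against one Baseline Requirements subject rule. The thread does not say which attributes the DIT names lack; the rule applied here (BR section 7.1.4.2.2: when organizationName is present, countryName is required and at least one of localityName or stateOrProvinceName must be present) is an assumption about what is meant, and the parser handles only the simple unescaped form used in this message.

```python
# Added example. CENTRAL_DN and LOCAL_DN are the two sample names from the
# message; function names are hypothetical.

CENTRAL_DN = "C=TW,\nO=行政院\nOU=財政部"            # Ministry of Finance
LOCAL_DN = "C=TW, L=臺北市, O=市政府, OU=財政局"      # Taipei City Dept. of Finance


def parse_dn(text):
    """Parse 'C=TW, O=..., OU=...' (commas and/or newlines as separators)
    into an ordered list of (type, value) pairs.
    Simplification: no RFC 4514 escaping, one attribute per RDN."""
    rdns = []
    for part in text.replace("\n", ",").split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def br_subject_findings(rdns):
    """Return a list of findings for the assumed BR 7.1.4.2.2 rule:
    if O is present, C is required and at least one of L or ST is required."""
    types = {t for t, _ in rdns}
    findings = []
    if "O" in types:
        if "C" not in types:
            findings.append("countryName (C) is missing but O is present")
        if "L" not in types and "ST" not in types:
            findings.append(
                "neither localityName (L) nor stateOrProvinceName (ST) "
                "is present but O is present"
            )
    return findings


if __name__ == "__main__":
    for label, dn in (("central", CENTRAL_DN), ("local", LOCAL_DN)):
        findings = br_subject_findings(parse_dn(dn))
        print(label, "->", findings or "no findings for this rule")
```

Under that assumption, the central-government form (C, O, OU only) is the one that produces a finding, while the local-government form carries an L attribute and passes this particular rule.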