[cabfpub] Naming rules

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 21 18:02:03 UTC 2017


Is this a correct summary?

1.	Taiwan has a country-level registration
2.	Taiwan has a city-level registration
3.	The two are not mutually exclusive (ie ABC Company at the country level might be a completely different entity than ABC Company at the city level)
4.	You want the BRs to distinguish whether the ABC Company was registered with the country of Taiwan vs. a city registration.
5.	If locality is included in a cert, the actions of ABC Company (country) could be falsely attributed to the ABC Company (local)

 

Is that a fair statement?

 

Jeremy

 

From: realsky(CHT) [mailto:realsky at cht.com.tw] 
Sent: Tuesday, March 21, 2017 11:41 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: Re: [cabfpub] Naming rules

 

Jeremy,

 

     I suggest to read https://cabforum.org/pipermail/public/2017-March/010123.html first.  I quote Wen-Cheng's replying in previous URL as follows:

 

     " The intrinsic difference between the existing X.500 directory naming conventions and the subject naming rules of the CAB BRs is that the X.500 namespace is hierarchical and therefore the upper and lower entries identified with selected relative distinguished names (RDNs) represent "subordinate" relationship, while the current CAB BRs use the distinguished name (DN) to indicate to the identity and address of the organization and therefore the naming rules require that at least one of the localityName attribute or stateOrProvinceName attribute needs to be included in the subject DN.

With the X.500 directory naming conventions and the interpretation of "subordinate" relationship between RDNs, the DN of a national-level entity will not contain an RDN with the localityName attribute or stateOrProvinceName attribute. For example, in the naming rules of Taiwan GPKI, the "Executive Yuan" (i.e, the Cabinet of our government) is a national-level entity and therefore the DN "C=TW, O=Executive Yuan" can unambiguously identify it. If as required by the naming rules of the current CAB BRs, we add the RDN "L=Taipei City" to the DN of "Executive Yuan", its DN will become "C=TW, L=Taipei City, O=Executive Yuan" and therefore it will be an entity subordinate to the “Taipei City” in the directory tree and no longer be a national-level entity. This is actually misleading from the perspective of X.500 naming conventions.

Although there are intrinsic different interpretations between the existing X.500 directory naming conventions and the subject naming rules of the CAB BRs, fortunately the generated naming forms are only slightly different. For a national-level entity, the DN in X.500 directory naming conventions will not contain an RDN with the localityName attribute or stateOrProvinceName attribute. However, for a local-level entity, the naming forms in X.500 naming conventions and the BRs naming rules are identical.  "

 

 

 

 

       Now I take some example. 

 

The subject DN for a central government entity in Taiwan, for example as below:

C=TW, O=Executive Yuan, OU=National Development Council

So the Subject DN of a NDC’s SSL certificate is
C = TW, O = Executive Yuan, OU =National Development Council, CN = www.cp.gov.tw <http://www.cp.gov.tw> , SERIALNUMBER = 0000000010026835

 

The subject DN for a local government entity, for example as below:

C = TW, L =  Taichung City , O =  City Government, OU = Civil Affairs Bureau

the Subject DN of this local government entity's SSL certificate is 

C = TW, L =  Taichung City , O =  City Government, OU = Civil Affairs Bureau, CN = eform.taichung.gov.tw, SERIALNUMBER = 0000000010026435 

 

      In Taiwan, according our Company Act, the company name must be unique for the whole country. Please see English version of our Company Act in 
http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080001
Company Act article 18  said
"No company may use a corporate name which is identical with that of another company."

 

       In Taiwan, according our Company Law, the company name must be unique for the whole country. Furthermore, our Company Law requires the company to register its business location which will be some city or county. 

     This is an example where the legally naming uniqueness scope for an entity is not the same as where the entity is legally located. 
     In Taiwan, since the company name must be unique for the whole country, the subject DN for a company, such as Chunghwa Telecom, should look like   "C=TW, O=Chunghwa Telecom Co., Ltd"


     This subject DN already uniquely identifies the company. 

     If we specify the subject DN as "C=TW, L=Taipei City, O=Chunghwa Telecom Co., Ltd.", that will mean it is a company registered in Taipei City in Taiwan's Goverenment DIT.  This will not conform to our Company Law because companies in Taiwan are registered in the country level not in the municipal level.

 

      On the other hand, in Taiwan, we have small businesses (such as stores,or "business entitiy" in EVGL) that are established and registered according to our Business Registration Law (http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080004). 
In Taiwan, small businesses are registered in municipal level (that will be a city ,a county or a special municipality ). 
The Business Registration Law requires that the name of the small business must be unique with the municipality ( where it is registered). See Article 28.

 

       For example, there might be a small business named "ABC Store" registered in New Taipei City, while there might be another "ABC Store" registered in Pingtung county. 
Therefore, the suitable subject DN for these two small businesses will be 
“C=TW, L=New Taipei City, O=ABC Store" and 
“C=TW, L= Pingtung county, O=ABC Store" respectively.

 

       So the subject DN of these two small business's SSL servers will be

“C=TW, L=New Taipei City, O=ABC Store , Common Name=FQDN of ABC Store regitered in New Taipei city" and 
“C=TW, L= Pingtung county, O=ABC Store,  Common Name=FQDN of ABC Store regitered in Pingtung county" respectively.

 

 

 

      In Taiwan, a corporation can be registered at country-level but can also be register at city/county-level.  If there is a country-level corporation named “Farmer’s Association” of which physical address is located in Taipei City, with current Subject DN rule of BR, its Subject DN will be “C=TW, L=Taipei City, O=Farmer’s Association”.  

 

     However, if there is also a city/county-level “Farmer’s Association” in Taipei City, its Subject DN will also be “C=TW, L=Taipei City, O=Farmer’s Association”.   How do you distinguish them by DN?

 

    Please see attached image file from Annex B of ITU-T X.521 (Suggested name form and Directory information tree structures),   Please note path 1 -> 3, it suggests that there is no need to include a Locality attribute in the directory name.  

     

    

    I hope above information is helpful. Thank you.

 

           Li-Chun Chen

 


-----Original message-----
From:Jeremy Rowley via Public<public at cabforum.org <mailto:public at cabforum.org> >
To:CA/Browser Forum Public Discussion List<public at cabforum.org <mailto:public at cabforum.org> >
Cc:Jeremy Rowley<jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> >
Date: Tue, 21 Mar 2017 22:51:41
Subject: [外部郵件] Re: [cabfpub] Naming rules

Despite the discussion today, I’m still not clear on why the cert can’t include locality information. Although there is a national registry, what prohibits a CA from adding the Locality information based on address? Even if there are multiple localities for an organization, does that matter? Can’t the entity requesting the cert decide which one they want included? 

 

From: Public [ <mailto:public-bounces at cabforum.org> mailto:public-bounces at cabforum.org] On Behalf Of ??? via Public
Sent: Sunday, March 19, 2017 9:23 AM
To: CA/Browser Forum Public Discussion List < <mailto:public at cabforum.org> public at cabforum.org>
Cc: 王文正 < <mailto:wcwang at cht.com.tw> wcwang at cht.com.tw>
Subject: Re: [cabfpub] Naming rules

 

Peter,

 

I have proposed a minimum change to the BRs to accommodate X.500 directory naming rules of existing PKIs in my reply to Gerv’s mail. In that reply, I have made the rationales why the BRs should embrace the existing X.500 naming rules. I also explain it is not proper to add an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity, because doing so will cause misleading under the X.500 namespace. Therefore, I would not repeat my rationales here.

 

As for your argument about "there are always localities that can be added into the subject DN", please see my reply inline.

 

> On March 10, 2017, at 11:33 PM, Peter Bowen <  <mailto:pzb at amzn.com> pzb at amzn.com> wrote:

> [snip]

> Based on everything you have provided so far, there is no 

> evidence that Taiwan does not have localities (cities, 

> towns, villages, or similar) or that they are not used in 

> postal addressing.  Much to the contrary, every postal 

> address example you have provided has included a 

> locality.  Therefore this appears to be a situation where 

> the PKI does not want to change (possibly for quite valid 

> reasons) rather than cannot change.

Yes, there are always different levels of "localities" under a jurisdiction or country. We never said Taiwan does not have localities. What we argue is that does it makes sense to force adding an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity?

 

I had not participated in the early stage discussions of CAB Forum, therefore I just do not understand why CAB though it is so important to include the applicant's location of existence or operation so that the BRs mandate at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN? I guess it is because the only Subject Identity Information that many commercial CAs can verify is whether the applicant actually exists and is in operation and they have no way to guarantee the uniqueness of the subject DN because they have no link to the official registration database maintained by the government. Therefore, the CAB BRs simply leveraged the naming attributes to indicate the identity and location of the applicant but avoid interpreting RDNs as "subordinate" relationships and do not guarantee the uniqueness of the subject DN.

 

However, there are existing PKIs where the X.500 directory naming rules are endorsed by the government and CAs in the PKI have the authority to link to the official registration database maintained by the government. Those PKIs actually provide better quality of subject identity information. I think the purpose of CAB forum is to improve the security of website identities, why not we embrace the subject identity information provided by these existing PKIs if they would not cause any compatibility problems?

 

As I mentioned, in the X.500 naming conventions, the DN of a national-level entity will not need to have a RDN with the localityName attribute or stateOrProvinceName attribute. For example, the Executive Yuan (i.e., the Cabinet of our government) in the X.500 naming rules of Taiwan Government PKI (GPKI) will be:

 

C=TW, O=Executive Yuan

 

This is unambiguous naming for Taiwan people because everybody knows that there is only one Executive Yuan in Taiwan.

 

If you want to enforce adding a localityName in the DN of the Executive Yuan of Taiwan, the DN will looks like:

 

C=TW, L=Taipei City, O=Executive Yuan

This is not only not suitable for the "subordinate" naming conventions of the X.500 but also misleading to Taiwan people. Besides, the executive yuan is a national-level entity, it has many offices all over the country, and the question is which location should be added into its DN?

 

I believe this is the same reason why in the Common Certificate Policy of US FPKI, the naming form of the Device names is defined as follows:

 

C=US, o=U.S. Government, [ou=department],  [ou=agency], [ou=structural_container], cn=device name

 

With the X.500 naming conventions, the name form will not be:

 

C=US, S="Washington, D.C. ", o=U.S. Government, [ou=department],  [ou=agency], [ou=structural_container], cn=device name

 

In addition, I have seen some foreign CAs issuing SSL certificates to customers in Taiwan with strange Subject DNs. Their put improper values in the localityName attribute or stateOrProvinceName attribute simply because the want to claim they comply the naming rules of the BRs. However, the values of the localityName attribute or stateOrProvinceName attribute are actually not meaningful or even misleading. For example, a subject DN might looks like this:

 

C = TW

S = Taichung

L = Taichung

O = COTA Commercial Bank

OU = ITD

 

This naming form comply the BRs, but ironically there is never a state or province name named "Taichung" in Taiwan. Is this the naming that CAB forum wants?

 

I hope you can support my suggestion for the BRs to embrace the existing X.500 naming rules. We need just do a little change to the BRs, and then we do not need to enforce the existing PKIs to break the X.500 naming rules and result some strange subject DNs.

 

Besides, please note in the beginning of section 3.2.2 of the BRs, it says:

 

If the Applicant requests a Certificate that will contain Subject Identity Information comprised only of the countryName field, then the CA SHALL verify the country associated with the Subject using a verification process meeting the requirements of Section 3.2.2.3 and that is described in the CA's Certificate Policy and/or Certification Practice Statement.

 

Please not that it says " Subject Identity Information comprised only of the countryName field " Does not that imply that the subject can be a national-level entity so that it can comprise only the countryName field and without the localityName attribute or stateOrProvinceName attribute? However, the section 7.1.4.2.2 of the BRs mandates at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN. Isn't that a conflict between Section 3.2.2.3 and Section 7.1.4.2.2?

 

Best Regards,

Wen-Cheng Wang



本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information. 

_______________________________________________
Public mailing list
 <mailto:Public at cabforum.org> Public at cabforum.org
 <https://cabforum.org/mailman/listinfo/public> https://cabforum.org/mailman/listinfo/public

 

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170321/8e87d63f/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170321/8e87d63f/attachment-0001.p7s>


More information about the Public mailing list