[cabfpub] Naming rules
Moudrick M. Dadashov
md at ssc.lt
Sat Mar 25 00:07:47 UTC 2017
Auditor examine it through the same government adopted registry.
In fact if government has a centralised register, there is a very little chance that the same data catogories will be maintained in two different resources - duplication of responsibilitiies is prohibited by law.
Thanks,M.D.
Sent from Samsung tablet.
-------- Original message --------From: Ben Wilson via Public <public at cabforum.org> Date: 3/24/17 23:23 (GMT+01:00) To: sleevi at google.com, public at cabforum.org Cc: Ben Wilson <ben.wilson at digicert.com> Subject: Re: [cabfpub] Naming rules
I don’t have an answer for that one except let the CA assert that it is uniquely identifiable and let the auditor examine it. From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, March 24, 2017 4:20 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabfpub] Naming rules Ben, On a technical level: How do you quantify, audit, and ensure uniquely identifiable? Given that we do not have an X.500 Directory Information Tree, it is easily possible for two such directories to exist, which within their DIT are uniquely identifiable, but in their totality are not. On Fri, Mar 24, 2017 at 5:46 PM, Ben Wilson via Public <public at cabforum.org> wrote:Attached is a redlined snippet from the Baseline Requirements. It proposes adding the following sentence(s) to sections on localityName and stateOrProvinceName: This field is also optional if the organization is uniquely identifiable by registration in a national-government-adopted X.500 directory that does not contain the [localityName/stateOrProvinceName] attribute. Feel free to modify and debate as necessary. From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov via Public
Sent: Wednesday, March 22, 2017 1:51 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Moudrick M. Dadashov <md at ssc.lt>
Subject: Re: [cabfpub] Naming rules Good question, the problem is that the entity requesting the cert has no idea what locality/state means. Thanks,M.D. Sent from Samsung tablet. -------- Original message --------From: Jeremy Rowley via Public <public at cabforum.org> Date: 3/21/17 15:51 (GMT+01:00) To: CA/Browser Forum Public Discussion List <public at cabforum.org> Cc: Jeremy Rowley <jeremy.rowley at digicert.com> Subject: Re: [cabfpub] Naming rules Despite the discussion today, I’m still not clear on why the cert can’t include locality information. Although there is a national registry, what prohibits a CA from adding the Locality information based on address? Even if there are multiple localities for an organization, does that matter? Can’t the entity requesting the cert decide which one they want included? From: Public [mailto:public-bounces at cabforum.org] On Behalf Of ??? via Public
Sent: Sunday, March 19, 2017 9:23 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: 王文正 <wcwang at cht.com.tw>
Subject: Re: [cabfpub] Naming rules Peter, I have proposed a minimum change to the BRs to accommodate X.500 directory naming rules of existing PKIs in my reply to Gerv’s mail. In that reply, I have made the rationales why the BRs should embrace the existing X.500 naming rules. I also explain it is not proper to add an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity, because doing so will cause misleading under the X.500 namespace. Therefore, I would not repeat my rationales here. As for your argument about "there are always localities that can be added into the subject DN", please see my reply inline. > On March 10, 2017, at 11:33 PM, Peter Bowen < pzb at amzn.com> wrote:> [snip]> Based on everything you have provided so far, there is no > evidence that Taiwan does not have localities (cities, > towns, villages, or similar) or that they are not used in > postal addressing. Much to the contrary, every postal > address example you have provided has included a > locality. Therefore this appears to be a situation where > the PKI does not want to change (possibly for quite valid > reasons) rather than cannot change.Yes, there are always different levels of "localities" under a jurisdiction or country. We never said Taiwan does not have localities. What we argue is that does it makes sense to force adding an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity? I had not participated in the early stage discussions of CAB Forum, therefore I just do not understand why CAB though it is so important to include the applicant's location of existence or operation so that the BRs mandate at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN? I guess it is because the only Subject Identity Information that many commercial CAs can verify is whether the applicant actually exists and is in operation and they have no way to guarantee the uniqueness of the subject DN because they have no link to the official registration database maintained by the government. Therefore, the CAB BRs simply leveraged the naming attributes to indicate the identity and location of the applicant but avoid interpreting RDNs as "subordinate" relationships and do not guarantee the uniqueness of the subject DN. However, there are existing PKIs where the X.500 directory naming rules are endorsed by the government and CAs in the PKI have the authority to link to the official registration database maintained by the government. Those PKIs actually provide better quality of subject identity information. I think the purpose of CAB forum is to improve the security of website identities, why not we embrace the subject identity information provided by these existing PKIs if they would not cause any compatibility problems? As I mentioned, in the X.500 naming conventions, the DN of a national-level entity will not need to have a RDN with the localityName attribute or stateOrProvinceName attribute. For example, the Executive Yuan (i.e., the Cabinet of our government) in the X.500 naming rules of Taiwan Government PKI (GPKI) will be: C=TW, O=Executive Yuan This is unambiguous naming for Taiwan people because everybody knows that there is only one Executive Yuan in Taiwan. If you want to enforce adding a localityName in the DN of the Executive Yuan of Taiwan, the DN will looks like: C=TW, L=Taipei City, O=Executive YuanThis is not only not suitable for the "subordinate" naming conventions of the X.500 but also misleading to Taiwan people. Besides, the executive yuan is a national-level entity, it has many offices all over the country, and the question is which location should be added into its DN? I believe this is the same reason why in the Common Certificate Policy of US FPKI, the naming form of the Device names is defined as follows: C=US, o=U.S. Government, [ou=department], [ou=agency], [ou=structural_container], cn=device name With the X.500 naming conventions, the name form will not be: C=US, S="Washington, D.C. ", o=U.S. Government, [ou=department], [ou=agency], [ou=structural_container], cn=device name In addition, I have seen some foreign CAs issuing SSL certificates to customers in Taiwan with strange Subject DNs. Their put improper values in the localityName attribute or stateOrProvinceName attribute simply because the want to claim they comply the naming rules of the BRs. However, the values of the localityName attribute or stateOrProvinceName attribute are actually not meaningful or even misleading. For example, a subject DN might looks like this: C = TWS = TaichungL = TaichungO = COTA Commercial BankOU = ITD This naming form comply the BRs, but ironically there is never a state or province name named "Taichung" in Taiwan. Is this the naming that CAB forum wants? I hope you can support my suggestion for the BRs to embrace the existing X.500 naming rules. We need just do a little change to the BRs, and then we do not need to enforce the existing PKIs to break the X.500 naming rules and result some strange subject DNs. Besides, please note in the beginning of section 3.2.2 of the BRs, it says: If the Applicant requests a Certificate that will contain Subject Identity Information comprised only of the countryName field, then the CA SHALL verify the country associated with the Subject using a verification process meeting the requirements of Section 3.2.2.3 and that is described in the CA's Certificate Policy and/or Certification Practice Statement. Please not that it says " Subject Identity Information comprised only of the countryName field " Does not that imply that the subject can be a national-level entity so that it can comprise only the countryName field and without the localityName attribute or stateOrProvinceName attribute? However, the section 7.1.4.2.2 of the BRs mandates at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN. Isn't that a conflict between Section 3.2.2.3 and Section 7.1.4.2.2? Best Regards,Wen-Cheng Wang
本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170325/a38fca02/attachment-0003.html>
More information about the Public
mailing list