[cabfpub] Naming rules
Ryan Sleevi
sleevi at google.com
Sat Mar 25 19:22:24 UTC 2017
Unfortunately, that doesn't really solve the issue :(
On Sat, Mar 25, 2017 at 3:16 PM, Ben Wilson <ben.wilson at digicert.com> wrote:
> One alternative is to just drop the criterion, and then it doesn’t create
> an issue. “This field is also optional if the Relative Distinguished Name
> (RDN) matches the RDN of an organization’s registration in a
> national-government-adopted X.500 directory that does not contain the
> localityName attribute.”
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, March 24, 2017 10:28 PM
> *To:* Moudrick M. Dadashov <md at ssc.lt>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>; Ben
> Wilson <ben.wilson at digicert.com>
>
> *Subject:* Re: [cabfpub] Naming rules
>
> Indeed, but as security specialists, we must think about the hypothetical
> scenarios that the rules permit - because very quickly, whether we intend
> to or not, we find them made manifest and causing issue. This is, of
> course, specific to proposals that make broad exceptions, and highlight the
> need to be specific in the guidance, rather than assume it won't happen.
>
> On Fri, Mar 24, 2017 at 9:22 PM, Moudrick M. Dadashov <md at ssc.lt> wrote:
>
> Indeed, we are talking about two different things - I refer to government
> managed registries where D1 and D2 will maintain only data objects under
> their respective control.
>
> The case that a country can maintain a registry overlapping with (native)
> data objects of another jurisdiction sounds quite hypothetical.
>
> Thanks,
>
> M.D.
>
> Sent from Samsung tablet.
>
> -------- Original message --------
>
> From: Ryan Sleevi <sleevi at google.com>
>
> Date: 3/25/17 01:39 (GMT+01:00)
>
> To: "Moudrick M. Dadashov" <md at ssc.lt>
>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>, Ben
> Wilson <ben.wilson at digicert.com>
>
> Subject: Re: [cabfpub] Naming rules
>
> Jurisdiction A defines an independent directory tree (D1).
>
> Jurisdiction B defines an independent directory tree (D2).
>
> D1 uses the naming scheme defined by Jurisdiction A.
>
> D2 uses the naming scheme defined by Jurisdiction B.
>
> Unless you know all of the laws regarding Jurisdiction A, B, C, ... Z, and
> can make an effective declaration that no jurisdiction exists that defines
> a directory tree (D0) that conflicts with either D1 or D2, then you cannot
> assert that D1 or D2 are unique.
>
> On Fri, Mar 24, 2017 at 8:31 PM, Moudrick M. Dadashov <md at ssc.lt> wrote:
>
> Hi Ryan, can you give an example of 'cross-jurisdictional directory trees'?
>
> Thanks,
>
> M.D.
>
> Sent from Samsung tablet.
>
> -------- Original message --------
>
> From: Ryan Sleevi <sleevi at google.com>
>
> Date: 3/25/17 01:15 (GMT+01:00)
>
> To: "Moudrick M. Dadashov" <md at ssc.lt>
>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>, Ben
> Wilson <ben.wilson at digicert.com>
>
> Subject: Re: [cabfpub] Naming rules
>
> On Fri, Mar 24, 2017 at 8:07 PM, Moudrick M. Dadashov <md at ssc.lt> wrote:
>
> Auditors examine it through the same government-adopted registry.
>
> In fact, if a government has a centralised register, there is very little
> chance that the same data categories will be maintained in two different
> resources - duplication of responsibilities is prohibited by law.
>
> Thanks,
>
> M.D.
>
> Hi Moudrick,
>
> I'm sorry, but it may not have been clear, I was talking about
> cross-jurisdictional directory trees. There's nothing that would ensure
> their unambiguous uniqueness here, and as proposed, two entities could have
> X.500 DITs that reflected both _their_ jurisdiction and, more importantly,
> how _their_ jurisdiction views other jurisdictions.
>
> I believe you've misunderstood this to be about a single jurisdiction, but
> I was not talking about that. Auditors would have to be aware of all
> jurisdictions - and more importantly, all jurisdictional laws that apply or
> are relevant for CAs. This is much like the can of worms related to 9.16.3
> in which some laws or registries only apply to specific participants.
>
> So while your responses would be correct for a single jurisdiction, that's
> not the issue :)
>
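An added example, not part of the thread or of any CA/Browser Forum text: an auditor-side check for the ambiguity Ryan describes. A subject RDN is only safe to accept if it resolves to exactly one registration across every directory tree the auditor knows about; the trees D1 and D0, the organisation names and the registration ids below are constructed sample data.

```python
# Added example (constructed data, not from the thread). Each jurisdiction
# publishes its own X.500 directory tree; an RDN a CA wants to place in a
# certificate subject is unambiguous only if it resolves to exactly one
# registered entity across all trees the auditor is aware of.
from typing import Dict, List, Tuple

RDN = Dict[str, str]          # attribute type -> value, e.g. {"O": ..., "C": ...}
Registry = List[Tuple[str, RDN]]  # (registration id, registered RDN)


def _norm(value: str) -> str:
    """Collapse case and whitespace so trivially different spellings collide."""
    return " ".join(value.casefold().split())


def resolve(subject: RDN, trees: Dict[str, Registry]) -> List[Tuple[str, str]]:
    """Return every (tree, registration id) whose registration the subject matches.

    A registration matches when every attribute the subject carries is present
    with the same value; the registration may carry extra attributes (e.g. L).
    """
    hits = []
    for tree, entries in trees.items():
        for reg_id, registered in entries:
            if all(k in registered and _norm(registered[k]) == _norm(v)
                   for k, v in subject.items()):
                hits.append((tree, reg_id))
    return hits


def is_unambiguous(subject: RDN, trees: Dict[str, Registry]) -> bool:
    """True only if the subject names exactly one registration in all known trees."""
    return len(resolve(subject, trees)) == 1


# Constructed trees: D1 is the tree the auditor checked; D0 belongs to another
# jurisdiction that also records an entity with the same O and C.
D1: Registry = [("D1-0001", {"O": "Acme Ltd", "C": "XX", "L": "Northtown"})]
D0: Registry = [("D0-0042", {"O": "Acme Ltd", "C": "XX", "L": "Southtown"})]

if __name__ == "__main__":
    no_locality = {"O": "Acme Ltd", "C": "XX"}
    # Knowing only D1, dropping localityName looks safe ...
    print(is_unambiguous(no_locality, {"D1": D1}))            # True
    # ... but once D0 is in view the same subject matches two registrations.
    print(resolve(no_locality, {"D1": D1, "D0": D0}))         # two hits
    # Keeping L pins the subject to one registration even with D0 present.
    print(is_unambiguous({**no_locality, "L": "Northtown"}, {"D1": D1, "D0": D0}))
```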