<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p><font face="Calibri">Thank you both, now I see more clearly the
        line of reasoning that led to the current text.</font></p>
    <p><font face="Calibri">Adriano</font></p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 09/05/2019 16:26, Tim Hollebeek
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:MWHPR14MB15332E38BA60C068CFD2E16183330@MWHPR14MB1533.namprd14.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">Yup, that’s a good summary of how we got
          here.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">The only other thing that I’d add is that
          the ballot also gives CAs a reasonable amount of time to
          implement this new extension (it isn’t mandatory until next
          year).<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">-Tim<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div style="border:none;border-left:solid blue 1.5pt;padding:0in
          0in 0in 4.0pt">
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Servercert-wg <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:servercert-wg-bounces@cabforum.org">&lt;servercert-wg-bounces@cabforum.org&gt;</a>
                <b>On Behalf Of </b>Ryan Sleevi via Servercert-wg<br>
                <b>Sent:</b> Thursday, May 9, 2019 10:19 AM<br>
                <b>To:</b> Adriano Santoni <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:adriano.santoni@staff.aruba.it">&lt;adriano.santoni@staff.aruba.it&gt;</a>;
                CA/B Forum Server Certificate WG Public Discussion List
                <a class="moz-txt-link-rfc2396E"
                  href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a><br>
                <b>Subject:</b> Re: [Servercert-wg] Ballot SC17 version
                7: Alternative registration numbers for EV certificates<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <p class="MsoNormal"><o:p> </o:p></p>
            <div>
              <div>
                <p class="MsoNormal">On Thu, May 9, 2019 at 5:11 AM
                  Adriano Santoni via Servercert-wg &lt;<a
                    href="mailto:servercert-wg@cabforum.org"
                    moz-do-not-send="true">servercert-wg@cabforum.org</a>&gt;
                  wrote:<o:p></o:p></p>
              </div>
              <blockquote style="border:none;border-left:solid #CCCCCC
                1.0pt;padding:0in 0in 0in
                6.0pt;margin-left:4.8pt;margin-right:0in">
                <div>
                  <p>Hello Tim, Dimitris,<o:p></o:p></p>
                  <p>I probably missed some posts to the list, as I just
                    realized that this ballot (since version 4) mandates
                    inclusion of the new extension
                    CABFOrganizationIdentifier if the
                    subject:organizationIdentifier field is present.
                    How come? I got lost in the discussions...<o:p></o:p></p>
                  <p>That seems exceedingly complex to me, especially as
                    I cannot see its purpose, and implies development
                    work on CA software for implementation of the new
                    CABFOrganizationIdentifier extension.<o:p></o:p></p>
                  <p class="MsoNormal">Please bear with me and remind me
                    of the rationale leading to such a proposal....<o:p></o:p></p>
                </div>
              </blockquote>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">Hi Adriano,<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">I'm not Tim or Dimitris, but I can
                  hopefully shed some insight into this.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">This was discussed somewhat during
                  the CA/Browser Forum F2F in Cupertino. The reasoning
                  is that the use of the subject:organizationIdentifier
                  to convey structured information like this is
                  problematic on a number of dimensions, as has
                  previously been shared with our ETSI Liaisons. Much
                  like ITU-T and IETF collaborated in the definition of
                  the Subject Alt Name extension, recognizing the
                  inherent problems of the X.500 naming scheme of the
                  Subject in the absence of a global X.500 hierarchy,
                  the extension represents an attempt by the CA/Browser
                  Forum to more collaboratively engage with ETSI on
                  matters of technical expertise. By ensuring that the
                  extension is present, this provides the opportunity
                  for ETSI to, in a future update to its TS set of
                  documents related to PSD2, seamlessly transition from
                  the problematic form of the
                  subject:organizationIdentifier and into the more
                  structured form of the CABFOrganizationIdentifier,
                  without disrupting sites or end users.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">By ensuring both are present, we
                  have a system that is compatible with the unfortunate
                  legacy decisions found within the current PSD2
                  profile, while providing a seamless path forward, to a
                  more compliant approach. The approach taken with
                  respect to the CABFOrganizationIdentifier aligns with
                  the approach ETSI has taken in other aspects of its
                  qualifications - ensuring that information is reliably
                  and unambiguously separated, for example - and thus
                  avoids the significant security risks that the
                  approach presently taken by ETSI presents.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">Does that help? <o:p></o:p></p>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
  </body>
</html>