<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="Calibri">Thank you both, now I see more clearly the
line of reasoning that led to the current text.</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><br>
</p>
<div class="moz-cite-prefix">On 09/05/2019 16:26, Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MWHPR14MB15332E38BA60C068CFD2E16183330@MWHPR14MB1533.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Yup, that’s a good summary of how we got
here.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The only other thing that I’d add is that
the ballot also gives CAs a reasonable amount of time to
implement this new extension (it isn’t mandatory until next
year).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Servercert-wg <a
class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg-bounces@cabforum.org">&lt;servercert-wg-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Ryan Sleevi via Servercert-wg<br>
<b>Sent:</b> Thursday, May 9, 2019 10:19 AM<br>
<b>To:</b> Adriano Santoni <a
class="moz-txt-link-rfc2396E"
href="mailto:adriano.santoni@staff.aruba.it">&lt;adriano.santoni@staff.aruba.it&gt;</a>;
CA/B Forum Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Servercert-wg] Ballot SC17 version
7: Alternative registration numbers for EV certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, May 9, 2019 at 5:11 AM
Adriano Santoni via Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">servercert-wg@cabforum.org</a>&gt;
wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p>Hello Tim, Dimitris,<o:p></o:p></p>
<p>I probably missed some posts to the list, as I just
realized that this ballot (since version 4) mandates
inclusion of the new extension
CABFOrganizationIdentifier if the
subject:organizationIdentifier field is present.
How come? I got lost in the discussions...<o:p></o:p></p>
<p>That seems exceedingly complex to me, especially as
I cannot see its purpose, and implies development
work on CA software for implementation of the new
CABFOrganizationIdentifier extension.<o:p></o:p></p>
<p class="MsoNormal">Please bear with me and remind me
of the rationale leading to such a proposal....<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hi Adriano,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm not Tim or Dimitris, but I can
hopefully shed some insight into this.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This was discussed somewhat during
the CA/Browser Forum F2F in Cupertino. The reasoning
is that the use of the subject:organizationIdentifier
to convey structured information like this is
problematic on a number of dimensions, as has
previously been shared with our ETSI Liaisons. Much
like ITU-T and IETF collaborated in the definition of
the Subject Alt Name extension, recognizing the
inherent problems of the X.500 naming scheme of the
Subject in the absence of a global X.500 hierarchy,
the extension represents an attempt by the CA/Browser
Forum to more collaboratively engage with ETSI on
matters of technical expertise. By ensuring that the
extension is present, this provides the opportunity
for ETSI to, in a future update to its TS set of
documents related to PSD2, seamlessly transition from
the problematic form of the
subject:organizationIdentifier and into the more
structured form of the CABFOrganizationIdentifier,
without disrupting sites or end users.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">By ensuring both are present, we
have a system that is compatible with the unfortunate
legacy decisions found within the current PSD2
profile, while providing a seamless path forward, to a
more compliant approach. The approach taken with
respect to the CABFOrganizationIdentifier aligns with
the approach ETSI has taken in other aspects of its
qualifications - ensuring that information is reliably
and unambiguously separated, for example - and thus
avoids the significant security risks that the
approach presently taken by ETSI presents.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Does that help? <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</body>
</html>