[cabf_validation] Proposed ballot - EV State Optional
Doug Beattie
doug.beattie at globalsign.com
Thu Dec 15 12:20:13 MST 2016
What if we put this in an implementation guide that remained outside of the formal BRs like we did for "Guidance on Deprecation of use on internal server names" or https://cabforum.org/guidance-ip-addresses-certificates/ ?
Doug
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Bruce Morton via Validation
Sent: Thursday, December 15, 2016 1:54 PM
To: Tim Hollebeek <THollebeek at trustwave.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: Re: [cabf_validation] Proposed ballot - EV State Optional
My concern with the list is that it will take some time to evaluate and come to agreement on 249 countries. Once that is completed, then we will have to maintain the list forever.
I think that the CAs have been verifying Place of Business appropriately, but the guidelines are just poorly worded. The result is we do not know how to handle countries with no states and countries that have states, but do not use them as part of the address. This also means that the auditor can state that we have problems when we either do not include the state field or falsely put information in the state field.
I would prefer that we just change the wording to, as Tim put it, "if it's in the address, it's required." If, moving forward, we see a vulnerability with this method, then let's at that time consider the other method.
Thanks, Bruce.
From: Tim Hollebeek [mailto:THollebeek at trustwave.com]
Sent: Thursday, December 15, 2016 1:41 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: RE: Proposed ballot - EV State Optional
Yes, I like that even better, as we can all debate the merits of each case and agree on the correct handling so there is absolutely no ambiguity. Each country does tend to have subtle differences when we've previously discussed this on the policy calls.
But people don't seem to want to do that, and if they still don't, I think "if it's in the address, it's required" is a reasonable low effort solution to move forward.
From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
Sent: Thursday, December 15, 2016 1:35 PM
To: CA/Browser Forum Validation WG List; Bruce Morton
Cc: Tim Hollebeek
Subject: RE: Proposed ballot - EV State Optional
Another possibility is to leave state or province as required, but then add:
"State or province is not required for the countries listed on Appendix X"
Then we add places (Taiwan, Monaco, Vatican City, Germany, United Kingdom) as people bring them forward. We could include an initial list with this ballot to avoid having to prepare another ballot to add places.
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Validation
Sent: Thursday, December 15, 2016 10:26 AM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Tim Hollebeek <THollebeek at trustwave.com>
Subject: Re: [cabf_validation] Proposed ballot - EV State Optional
Yes, I like something along those lines.
From: Bruce Morton [mailto:Bruce.Morton at entrustdatacard.com]
Sent: Thursday, December 15, 2016 1:25 PM
To: Tim Hollebeek; CA/Browser Forum Validation WG List
Subject: RE: Proposed ballot - EV State Optional
How about this?
Required/Optional:
City and country - Required;
State - Required, if verified per Section 11.4.1 as part of the address for the Place of Business;
Street and postal code - Optional
If there is no state or the state is not used as part of the address, then it is not required.
Bruce.
From: Tim Hollebeek [mailto:THollebeek at trustwave.com]
Sent: Thursday, December 15, 2016 10:19 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: RE: Proposed ballot - EV State Optional
But City + Country is not unique in many common, important cases ("Springfield, United States"), and the state is also important since state laws tend to vary quite a bit in the US ... I think something more in the spirit of the current BRs that does a better job of tightening up what "where applicable" means would be better.
I don't want to lose the requirement that US EV certificates MUST include the state.
-Tim
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Bruce Morton via Validation
Sent: Thursday, December 15, 2016 9:28 AM
To: CA/Browser Forum Validation WG List
Cc: Bruce Morton
Subject: [cabf_validation] Proposed ballot - EV State Optional
Here is a proposed ballot per my action.
Thanks, Bruce.
Background:
There is confusion on whether the state or province OID MUST be included in an EV certificate. EV section 9.2.7 states in one place "State or province (where applicable)" and also "City, state and country - Required."
Since many countries do not have states or provinces and some that do have states or provinces do not use them for their address, it is proposed that inclusion of the state or province OID should be optional.
-- MOTION BEGINS --
Current section 9.2.7 of EV Guidelines:
Required/Optional: City, state, and country - Required; Street and postal code - Optional
Proposed section 9.2.7 of EV Guidelines:
Required/Optional: City and country - Required; Street, state and postal code - Optional
-- MOTION ENDS --
The review period for this ballot shall commence at 2200 UTC on XX, and will close at 2200 UTC on XX. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on XX. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/
In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members; at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.