[cabf_validation] Given Name and Surname v2

Rick Andrews Rick_Andrews at symantec.com
Thu Jun 2 16:20:26 MST 2016


Jeremy, I have a couple of comments.



On the phone call, didn’t we discuss whether you needed both givenName and
surname? I don’t remember the specifics. Does it ever make sense to have
one and not the other? (I guess if you’re issuing a cert to Cher, Bono or
Prince ;^)



Regarding 7.1.6.1, should we also say that if you include givenName and/or
surname, then the certificate must assert the IV policy identifier of
2.23.140.1.2.3? I know that the BRs say that the use of these OIDs is
optional, but Microsoft requires them. Should we make them mandatory in this
ballot?



-Rick



From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, June 02, 2016 8:33 AM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Subject: [cabf_validation] Given Name and Surname v2



Updated based on discussion:



Over the past year, we’ve discussed a few times about the lack of support
for givenName and surname in the BRs.



Here’s a rough ballot proposal to add support:



Insert a new (C) under 7.1.4.2.2, renumbering all subsequent bullets.



c. Certificate Field: subject:givenName (2.5.4.42) and subject:surname (2.5.4.4)

Optional.

Contents: If present, the subject:givenName field and subject:surname field
MUST contain a natural person Subject’s name as verified under Section
3.2.3.



d. Certificate Field: Number and street: subject:streetAddress (OID:
2.5.4.9)

Optional if the subject:organizationName field, subject:givenName
field, or subject:surname field are present. Prohibited if the
subject:organizationName field, subject:givenName, and subject:surname field
are absent.

Contents: If present, the subject:streetAddress field MUST contain the
Subject’s street address information as verified under Section 3.2.2.1.



e. Certificate Field: subject:localityName (OID: 2.5.4.7)

Required if the subject:organizationName field, subject:givenName field, or
subject:surname field are present and the subject:stateOrProvinceName
field is absent. Optional if the subject:stateOrProvinceName field and the
subject:organizationName field, subject:givenName field, or subject:surname
field are present. Prohibited if the subject:organizationName field,
subject:givenName, and subject:surname field are absent.

Contents: If present, the subject:localityName field MUST contain the
Subject’s locality information as verified under Section 3.2.2.1. If the
subject:countryName field specifies the ISO 3166‐1 user‐assigned code of
XX in accordance with Section 7.1.4.2.2(g), the localityName field MAY
contain the Subject’s locality and/or state or province information as
verified under Section 3.2.2.1.



f. Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8)

Required if the subject:organizationName field, subject:givenName
field, or subject:surname field are present and the subject:localityName
field is absent. Optional if the subject:localityName field and the
subject:organizationName field, the subject:givenName field, or subject:surname
field are present. Prohibited if the subject:organizationName field,
subject:givenName field, or subject:surname field are absent.

Contents: If present, the subject:stateOrProvinceName field MUST contain the
Subject’s state or province information as verified under Section 3.2.2.1. If the
subject:countryName field specifies the ISO 3166‐1 user‐assigned code of
XX in accordance with Section 7.1.4.2.2(g), the subject:stateOrProvinceName
field MAY contain the full name of the Subject’s country information as
verified under Section 3.2.2.1.



g. Certificate Field: subject:postalCode (OID: 2.5.4.17)

Optional if the subject:organizationName, subject:givenName field, or
subject:surname fields are present. Prohibited if the
subject:organizationName field, subject:givenName field, or subject:surname
field are absent.

Contents: If present, the subject:postalCode field MUST contain the
Subject’s zip or postal information as verified under Section 3.2.2.1.



h. Certificate Field: subject:countryName (OID: 2.5.4.6)

Required if the subject:organizationName field, subject:givenName, or
subject:surname field is present. Optional if the subject:organizationName
field, subject:givenName field, and subject:surname field are absent.

Contents: If the subject:organizationName field is present, the
subject:countryName MUST contain the two‐letter ISO 3166‐1 country code
associated with the location of the Subject verified under Section 3.2.2.1.
If the subject:organizationName, subject:givenName field, and
subject:surname field are absent, the subject:countryName field MAY
contain the two‐letter ISO 3166‐1 country code associated with the Subject
as verified in accordance with Section 3.2.2.3. If a Country is not
represented by an official ISO 3166‐1 country code, the CA MAY specify the
ISO 3166‐1 user‐assigned code of XX indicating that an official ISO 3166‐
1 alpha‐2 code has not been assigned.



i. Certificate Field: subject:organizationalUnitName

Optional.

Contents: The CA SHALL implement a process that prevents an OU attribute
from including a name, DBA, tradename, trademark, address, location, or
other text that refers to a specific natural person or Legal Entity unless
the CA has verified this information in accordance with Section 3.2 and the
Certificate also contains subject:organizationName, subject:givenName,
subject:surname, subject:localityName, and subject:countryName attributes,
also verified in accordance with Section 3.2.2.1.



7.1.6.1

…

If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it
MUST NOT include organizationName, givenName, surname, streetAddress,
localityName, stateOrProvinceName, or postalCode in the Subject field.

…
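As an added illustration (not CA/B Forum text or any CA's code), the following checker encodes the Required/Optional/Prohibited conditions from the proposed 7.1.4.2.2 (c) through (h) and the 7.1.6.1 exclusion for the 2.23.140.1.2.1 policy OID; the Subject is modelled as a plain dict of attribute names, and the sample subjects are constructed for this example.

```python
"""Check a certificate Subject against the proposed 7.1.4.2.2 (c)-(h) and
7.1.6.1 rules.  Verification steps from 3.2.x (identity vetting) are out
of scope; only presence/absence and the countryName format are checked."""

DV_POLICY_OID = "2.23.140.1.2.1"          # 7.1.6.1 in the ballot text
IDENTITY_FIELDS = ("organizationName", "givenName", "surname")
LOCATION_FIELDS = ("streetAddress", "localityName", "stateOrProvinceName",
                   "postalCode")


def check_subject(subject, policy_oids):
    """Return a list of violations; an empty list means the Subject complies."""
    present = {k for k, v in subject.items() if v}
    problems = []
    identity = any(f in present for f in IDENTITY_FIELDS)

    if not identity:
        # (d)-(g): address fields are prohibited without O, givenName or surname
        for f in LOCATION_FIELDS:
            if f in present:
                problems.append(f"{f} prohibited without organizationName/givenName/surname")
    else:
        # (e)/(f): localityName or stateOrProvinceName is required, at least one
        if "localityName" not in present and "stateOrProvinceName" not in present:
            problems.append("localityName or stateOrProvinceName required")
        # (h): countryName is required whenever an identity field is present
        if "countryName" not in present:
            problems.append("countryName required")

    # (h): a two-letter ISO 3166-1 code, or the user-assigned code XX
    c = subject.get("countryName")
    if c is not None and not (len(c) == 2 and c.isalpha()):
        problems.append("countryName must be a two-letter ISO 3166-1 code")

    # 7.1.6.1: the 2.23.140.1.2.1 policy excludes every identity/address field
    if DV_POLICY_OID in policy_oids:
        for f in IDENTITY_FIELDS + LOCATION_FIELDS:
            if f in present:
                problems.append(f"{f} not allowed with policy {DV_POLICY_OID}")
    return problems


# Constructed sample subjects (not taken from the ballot or any real cert)
IV_SUBJECT = {"givenName": "Jane", "surname": "Doe", "localityName": "Lehi",
              "stateOrProvinceName": "Utah", "countryName": "US"}
DV_SUBJECT_WITH_NAME = {"commonName": "example.test", "givenName": "Jane",
                        "surname": "Doe", "countryName": "US"}
```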
