[cabf_validation] Amend BR subsections 7.1.4.2.2 d/e

陳立群 realsky at cht.com.tw
Thu Jun 16 06:47:40 MST 2016


Dear Doug,

When the Subject's country does not have State/Province political subdivisions, the organization is chartered or operated at the national level, or in other similar situations. Examples discussed in F2F Meeting 37, as recorded in the minutes, included: U.S. Government entities, entities in Singapore, Taiwan, Greece, Vatican City, etc.

We found a wildcard SSL certificate signed by GlobalSign at https://ebank.cotabank.com.tw/eBank/.

The Subject DN is:

CN = *.cotabank.com.tw
O = COTA Commercial Bank
OU = ITDs
L = Taichung
S = Taichung
C = TW

But there is no Taichung Province or Taichung State in Taiwan, only Taichung City.

Sincerely Yours,

Li-Chun CHEN

From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Friday, June 03, 2016 7:12 PM
To: 陳立群; 'Rick Andrews'; 'Jeremy Rowley'; validation at cabforum.org; Peter Bowen; 'Rob Stradling'; policyreview at cabforum.org
Cc: Dean Coclin; 王文正; Kirk Hall
Subject: RE: [cabf_validation] Amend BR subsections 7.1.4.2.2 d/e

To summarize, you're saying you must have Country and Organization and that you must have stateOrProvinceName and/or localityName unless <your reason>, in which case both stateOrProvinceName and localityName can be omitted.

Where <your reason> is: the country/jurisdiction specified by the subject:countryName field has a centralized registry for that kind of organization, so that the organization name specified by the subject:organizationName field is "unique" in the entire country/jurisdiction.

You have one small copy/paste issue in your recommendation, but I understand what you meant.

During the call yesterday we also discussed listing all of the countries where this is the case. You listed about 31 countries with no stateOrProvinceName, but it's not clear which of these also have no localityName, just the 3 in red? I still think it would be a good idea to enumerate the entire list of Country codes where both stateOrProvinceName and localityName can be omitted so there is no confusion and compliance can be monitored.

Doug

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of 陳立群
Sent: Friday, June 3, 2016 6:56 AM
To: 'Rick Andrews' <Rick_Andrews at symantec.com>; 'Jeremy Rowley' <jeremy.rowley at digicert.com>; validation at cabforum.org; Peter Bowen <pzb at amzn.com>; 'Rob Stradling' <rob.stradling at comodo.com>; policyreview at cabforum.org
Cc: Dean Coclin <Dean_Coclin at symantec.com>; 王文正 <wcwang at cht.com.tw>; Kirk Hall <Kirk.Hall at entrust.com>
Subject: [cabf_validation] Amend BR subsections 7.1.4.2.2 d/e

Dear All,

Following yesterday's validation working group phone call discussion about DNs in small countries such as Singapore and Taiwan, I am resending below some of the discussion from the Certificate Policy working group mailing list and phone call, Bugzilla, and the 33rd F2F meeting (as attached file).

After discussion, we will write a pre-ballot to fix the issue.

We suggest amending BR 7.1.4.2.2 d/e.

Li-Chun CHEN <lcchen.cissp at gmail.com> 2016-02-05 01:29:17 MST

After discussion in Chunghwa Telecom, Dr. Wen-Cheng Wang suggests amending subsections 7.1.4.2.2 d/e as below:

d. Certificate Field: subject:localityName (OID: 2.5.4.7)

Required if the subject:organizationName field is present and the subject:stateOrProvinceName field is absent.

Optional if: (a) the subject:organizationName and subject:stateOrProvinceName fields are present, or (b) the subject:organizationName and subject:countryName fields are present and the country/jurisdiction specified by the subject:countryName field has a centralized registry for that kind of organization, so that the organization name specified by the subject:organizationName field is "unique" in the entire country/jurisdiction.

Normally, situation (b) may exist in small countries/jurisdictions such as Singapore (SG), Taiwan (TW), etc.

e. Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8)

Required if the subject:organizationName field is present and the subject:localityName field is absent.

Optional if: (a) the subject:organizationName and subject:stateOrProvinceName fields are present, or (b) the subject:organizationName and subject:countryName fields are present and the country/jurisdiction specified by the subject:countryName field has a centralized registry for that kind of organization, so that the organization name specified by the subject:organizationName field is "unique" in the entire country/jurisdiction.

Normally, situation (b) may exist in small countries/jurisdictions such as Singapore (SG), Taiwan (TW), etc.

As for Peter, he e-mailed that:

I think there is a misunderstanding. The address represented in the certificate by the plain localityName and stateOrProvinceName attributes is the Applicant's address of existence or operation, not their jurisdiction of incorporation. The BRs note that a utility bill or bank statement can be used to verify the address.

For example, https://crt.sh/?id=11206357&opt=cablint shows that the FQDN is www.fenton.com.tw. The contact information provided on the website (http://www.fenton.com.tw/index.php?route=information/contact) is 高雄市新興區民權一路251號24樓之2. Assuming you verify that this is the address of the applicant, then you could include 高雄市 (or Kaohsiung) in the localityName or stateOrProvinceName field.

I don't think there is any need to update the BRs for this case.

But I have to say that 高雄市 (or Kaohsiung) should be in the localityName field. There is no State or Province in Taiwan for 高雄市 (or Kaohsiung).

And Dr. Wen-Cheng Wang has replied to Peter as below:

We know that the current BR tends to interpret the localityName and stateOrProvinceName attributes as identifying the subject's address of existence or operation. However, enforcing this kind of interpretation and requiring that the Subject DN contain at least one of the localityName and stateOrProvinceName attributes may cause problems in some situations, especially in some small countries where organizations are allowed to be registered at country level. For example, in Taiwan, a corporation can be registered at country level but can also be registered at city/county level. If there is a country-level corporation named "Farmer's Association" whose physical address is in Taipei City, then under the current Subject DN rule of the BR its Subject DN will be "C=TW, L=Taipei City, O=Farmer's Association". However, if there is also a city/county-level "Farmer's Association" in Taipei City, its Subject DN will also be "C=TW, L=Taipei City, O=Farmer's Association". How do you distinguish them by DN?

I do not understand why we need to require that the Subject DN contain at least one of the localityName and stateOrProvinceName attributes if the registered organizational name of a country-level corporation/organization is already guaranteed to be unique under the country name?

The following diagram is taken from Annex B of ITU-T X.521 (Suggested name form and Directory information tree structures). Please note path 1 -> 3; it suggests that there is no need to include a Locality attribute in the directory name of a country-level organization.

[image001.png: diagram from Annex B of ITU-T X.521, attached]

Sincerely Yours,

Li-Chun CHEN
Chunghwa Telecom Co. Ltd.
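The rule the thread argues about can be written down as a check, which is what Doug's request to enumerate country codes so that "compliance can be monitored" amounts to. The following Python is an added example; it is not code from this thread, from the CA/Browser Forum, or from any CA's linter. It parses a subject DN (both the one-attribute-per-line form quoted above and the RFC 4514 comma-separated form, handling only the escaped-comma case), evaluates it under the current reading of 7.1.4.2.2 d/e and under the proposed text, and flags the COTA pattern where stateOrProvinceName merely repeats localityName. The set CENTRAL_REGISTRY_COUNTRIES, the attribute alias table, and the equal-L/ST warning are assumptions of this example; the thread names only Singapore and Taiwan and never defines the list.

```python
import re

# ASSUMPTION (not from the thread): jurisdictions treated as having a centralized
# organization registry, i.e. situation (b) of the proposed d/e text. The thread
# only names Singapore and Taiwan as examples; a ballot would enumerate the list.
CENTRAL_REGISTRY_COUNTRIES = frozenset({"SG", "TW"})

# Normalise the attribute type spellings seen in the thread ("S = Taichung" uses
# an old alias for stateOrProvinceName). Assumed mapping, not from the page.
ATTR_ALIASES = {
    "COUNTRYNAME": "C", "ORGANIZATIONNAME": "O", "ORGANIZATIONALUNITNAME": "OU",
    "LOCALITYNAME": "L", "STATEORPROVINCENAME": "ST", "S": "ST", "COMMONNAME": "CN",
}


def parse_dn(text):
    """Parse a subject DN given either one attribute per line ('CN = x'), as
    quoted in the thread, or RFC 4514 style 'C=TW, L=Taipei City, O=...' where a
    comma inside a value is escaped as '\\,'. Returns {attribute type: value}."""
    if "\n" in text.strip():
        parts = text.strip().splitlines()
    else:
        parts = re.split(r"(?<!\\),", text)   # split on unescaped commas only
    subject = {}
    for part in parts:
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        key = attr.strip().upper()
        subject[ATTR_ALIASES.get(key, key)] = value.strip().replace("\\,", ",")
    return subject


def check_locality_rule(subject, rule="current", central_registry=CENTRAL_REGISTRY_COUNTRIES):
    """Evaluate BR 7.1.4.2.2 d/e for one reading of the rule.

    rule="current"  : O present => at least one of L, ST must be present.
    rule="proposed" : as current, but both may be omitted when C is in the
                      centralized-registry list (situation (b) of the proposal).
    Returns a list of (severity, message); severity is 'error' or 'warning'.
    """
    if rule not in ("current", "proposed"):
        raise ValueError(f"unknown rule {rule!r}")
    findings = []
    if not subject.get("O"):
        return findings                      # d/e only bite when organizationName is present
    country = subject.get("C", "")
    if not country:
        # Doug's summary in the thread: Country and Organization are always required.
        findings.append(("error", "countryName missing while organizationName is present"))
    has_l, has_st = bool(subject.get("L")), bool(subject.get("ST"))
    if not (has_l or has_st):
        if rule == "proposed" and country in central_registry:
            pass                             # situation (b): the national registry makes O unique
        else:
            findings.append(("error", "neither localityName nor stateOrProvinceName "
                                      "present while organizationName is present"))
    elif has_l and has_st and subject["L"].casefold() == subject["ST"].casefold():
        # Cannot be decided from the DN alone (the COTA certificate in the thread
        # carries ST=Taichung although Taiwan has no such province), so flag for review.
        findings.append(("warning", "stateOrProvinceName equals localityName; confirm the "
                                    "country really has that political subdivision"))
    return findings


def is_compliant(findings):
    """A DN is compliant when no finding is an error (warnings are for review)."""
    return not any(severity == "error" for severity, _ in findings)


# Subject DN quoted in the thread, one attribute per line.
COTA_DN = """
CN = *.cotabank.com.tw
O = COTA Commercial Bank
OU = ITDs
L = Taichung
S = Taichung
C = TW
"""
# Dr. Wang's two "Farmer's Association" examples from the thread.
NATIONAL_FARMERS = "C=TW, O=Farmer's Association"
TAIPEI_FARMERS = "C=TW, L=Taipei City, O=Farmer's Association"

if __name__ == "__main__":
    for label, dn in (("COTA", COTA_DN), ("national", NATIONAL_FARMERS), ("Taipei", TAIPEI_FARMERS)):
        subject = parse_dn(dn)
        for rule in ("current", "proposed"):
            findings = check_locality_rule(subject, rule)
            print(f"{label:9s} {rule:9s} compliant={is_compliant(findings)} {findings}")
```

Run as a script, the national-level "Farmer's Association" fails the current rule and passes the proposed one, while the city-level one passes both; under the current rule the only way to make the national one pass would be to add L=Taipei City, which is exactly the collision Dr. Wang describes. The COTA DN passes both readings, because neither version of the text can tell a real province from a repeated city name; the warning is the most a DN-only check can do there.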

 

 

 

This message may contain confidential information of Chunghwa Telecom Co., Ltd. If you are not the intended recipient, please do not collect, process or use the contents of this message, and please destroy it. If you are the intended recipient, you must properly protect the company's trade secrets and the personal data in this message, must not distribute or disclose them without authorization, and should verify the security of the attachments and hyperlinks in this message yourself, so that we jointly fulfil our responsibilities for information security and personal data protection.

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20160616/f5a47c49/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 30620 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20160616/f5a47c49/attachment-0001.png 

