[cabf_validation] Proposed Update to EV to include OrganisationIdentifier as per ETSI standard
Adriano Santoni
adriano.santoni at staff.aruba.it
Tue Jun 12 00:00:36 MST 2018
I appreciate your interpretation, but then it seems to me that the
current EVGL wording in §9.2 (Other Subject Attributes) is not
crystal-clear.
What are those "all other optional attributes", and when can they be
present (as §9.2.8 seems to allow them to be present: "when present...") ?
If no other attributes can ever be present, then the first sentence of
§9.2.8 is misleading.
Besides, the sentence "[CAs]... SHALL NOT include any Subject
Organization Information except as specified in Section 9.2." leads to
an infinite loop :) when one starts reading from the beginning of §9.2
and arrives at the first sentence of §9.2.8 ("All other optional
attributes, when present within the subject field, ...")
Il 11/06/2018 16:43, Ryan Sleevi ha scritto:
> https://cabforum.org/pipermail/public/2018-May/013531.html covers this.
>
> All other optional attributes, when present within the subject field,
> MUST contain information that has been verified by the
> CA. CAs SHALL NOT include Fully-Qualified Domain Names in Subject
> attributes except as specified in Sections 9.2.1
> and SHALL NOT include any Subject Organization Information except as
> specified in Section 9.2.
>
> organizationIdentifier is Subject Organization Information.
> Section 9.2 does not specify that organizationIdentifier is permitted.
> Ergo, organizationIdentifier is not permitted.
>
> This is the correct read of the section, as it aligns with the intent,
> especially of browsers, to ensure that information presented to users
> has a consistent validation standard applied to it.
>
> On Mon, Jun 11, 2018 at 9:56 AM, Adriano Santoni via Validation
> <validation at cabforum.org <mailto:validation at cabforum.org>> wrote:
>
> All,
>
> do not the current EVGLs already allow the inclusion of extra
> attributes (such as, for instance, the organizationIdentifier) in
> the Subject, provided that they contain "information that has been
> verified by the CA" ?
>
> Adriano
>
>
>
> Il 11/06/2018 15:37, Ryan Sleevi via Validation ha scritto:
>>
>>
>> On Mon, Jun 11, 2018 at 9:25 AM, Dimitris Zacharopoulos
>> <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>>
>>
>>
>> On 11/6/2018 4:00 μμ, Ryan Sleevi wrote:
>>> That seems like a strictly worse proposal, because it does
>>> not define any validation requirements. Also, the
>>> interpretation of BRs 7.1.4.2.2 wasn't aligned with the
>>> discussion.
>>>
>>
>> My proposal tried to address specific concerns about the
>> "exclusive" use of the organizationIdentifier by ETSI. If you
>> are concerned about the validation requirements, we should
>> address those but I wouldn't expect them to be materially
>> different than the validation of the "Registration Number".
>>
>>
>> I'm afraid it may not have been explained well, then, because the
>> core of the issue was that
>> 1) It restricts this field to exclusive use of ETSI without
>> defining the context for where it's identified as such
>> 2) For the ETSI case, it doesn't prevent other organizations for
>> issuing in this in a way that can be seen as confusing/misleading
>>
>> So as I said, this is explicitly worse, because it removes
>> validation requirements and does not address the CA needs to
>> disambiguate between ETSI and non-ETSI certs. The entire value
>> proposition of using this field is to that it's validated
>> information - but as mentioned, we can avoid this whole problem
>> by not sticking it in the subject.
>>
>>> As discussed during the F2F, it seems that there's a far
>>> more viable option that's aligned with publicly trusted
>>> certificates, namely, that of aligning in the QcStatements.
>>> We spent quite some time trying to understand the rationale
>>> and necessity of encoding in the subject, as it seemed like
>>> it was based on both a misunderstanding of the value
>>> proposition and of the technical necessity.
>>>
>>> I would again reiterate those concerns, to ask why this
>>> information cannot be encoded within the qcStatements.
>>
>> As you said, both would be "viable" options so there is no
>> misunderstanding about the technical necessity. They should
>> both work. I believe that since this identifier is very
>> specific information directly-coupled with the Subject of the
>> Certificate, it should be in the designated extension which
>> is the Subject DN. For me, it doesn't make sense to include
>> information related uniquely to the Subject, in the
>> qcStatements. All the existing ETSI TS or EN documents
>> related to the qcStatements extensions do not contain
>> identifiable information related to the Subject. Mr. Pope can
>> correct me if I'm wrong here.
>>
>>
>> Are those concerns shared with subjectAltName? There's no
>> technical need to stuff that information in the subject, and
>> ample and compelling reason not to.
>>
>>
>> _______________________________________________
>> Validation mailing list
>> Validation at cabforum.org <mailto:Validation at cabforum.org>
>> https://cabforum.org/mailman/listinfo/validation
>> <https://cabforum.org/mailman/listinfo/validation>
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org <mailto:Validation at cabforum.org>
> https://cabforum.org/mailman/listinfo/validation
> <https://cabforum.org/mailman/listinfo/validation>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180612/a91a4e7e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://cabforum.org/pipermail/validation/attachments/20180612/a91a4e7e/attachment.p7s>
More information about the Validation
mailing list