[cabf_validation] OrganisationIdentifier mandated by ETSI TSt119 495

Ryan Sleevi sleevi at google.com
Tue Nov 20 22:33:46 MST 2018


Is there any rule that prohibits issuing an OV cert verified to the same
level as EV? If not, why would a CA not simply do that?

As Wayne mentioned, the value proposition of an EV certificate has been
that the Subject for such certificates is consistent among industry, and
verified to the same level of rigor. Adding arbitrary information -
including that verified using arbitrary standards - seems to remove that
value proposition. This is especially relevant for those CAs that suggest
the certificate viewer should be made more prominent, or display more of
the Subject, in order to deal with the messiness of the real world (such as
two entities incorporated in the same country sharing the same name, but
different jurisdictions of incorporation - the "Stripe, Inc" problem).

If a user inspects this certificate in a viewer, as suggested by some
members' CP/CPS, are they likely to be misled by this information? If not,
why not?
If the user is expected to be capable of recognizing which fields are
relevant to EV, and the validation standards the CA is specifically
applying to those other fields, would they also be capable of recognizing
the CA's OV++ OID? If not, why not?

I don't believe the burden of proof for "it wouldn't hurt anyone" has been
demonstrated. Users that are required to inspect the certificate - e.g. by
CA's CP/CPSes - seem most at risk for such certificates.

On Tue, Nov 20, 2018 at 7:24 PM Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> If it's not necessarily for browser use, does that matter? If it is for
> browser use, then we can define standards for it. For example, gleif has an
> oid for lei. Only thing stopping its use is the cab forum because of the
> odd rule regarding inclusion. Wouldn't hurt anyone if it was included and
> the lack of permission to include it hinders adoption by browsers who may
> want to use it. If the browsers or CAs care about the validation of a
> particular field, defining criteria is easy.
> ------------------------------
> *From:* Wayne Thayer <wthayer at mozilla.com>
> *Sent:* Tuesday, November 20, 2018 4:13:12 PM
> *To:* Jeremy Rowley
> *Cc:* CA/Browser Forum Validation WG List; Ryan Sleevi; Doug Beattie
> *Subject:* Re: [cabf_validation] OrganisationIdentifier mandated by ETSI
> TSt119 495
>
> There are no standards for verifying arbitrary subject attributes, so each
> CA will make up their own policies and the information in those fields will
> be inconsistent, at best.
>
> On Tue, Nov 20, 2018 at 5:04 PM Jeremy Rowley <jeremy.rowley at digicert.com>
> wrote:
>
>> The level of verification is different.  As long as all information is
>> verified to the relevant standard, what's the risk of including additional
>> subject fields?
>> ------------------------------
>> *From:* Wayne Thayer <wthayer at mozilla.com>
>> *Sent:* Tuesday, November 20, 2018 4:02:54 PM
>> *To:* Jeremy Rowley
>> *Cc:* CA/Browser Forum Validation WG List; Ryan Sleevi; Doug Beattie
>> *Subject:* Re: [cabf_validation] OrganisationIdentifier mandated by ETSI
>> TSt119 495
>>
>> By that logic, OV certs are as good as EV - the information is all
>> verified.
>>
>> On Tue, Nov 20, 2018 at 3:49 PM Jeremy Rowley <jeremy.rowley at digicert.com>
>> wrote:
>>
>>> Why is it dangerous? These are subject fields. What's the risk in
>>> permitting them if they are verified?
>>> ------------------------------
>>>
>>>