[cabf_validation] Other Subject Attributes

Wayne Thayer wthayer at mozilla.com
Thu Feb 21 14:58:51 MST 2019

We've recently had discussions about the meaning of EVGL section 9.2.8 in
the context of adding Subject:organizationIdentifier for LEIs and the
eIDAS/PSD2 identifier. There is also uncertainty about whether the OU field is
currently permitted to be included in EV certificates. I drafted a change
that would clarify this by explicitly permitting OU and forbidding any
Subject attributes not defined in the EVGLs, but I had been holding off on
proposing this because I didn't want to do something that would conflict
with any proposal from ETSI on organizationIdentifier.

Today there has been discussion on the Questions and Management lists about
BR section and (j). Those sections suffer from a similar

Here is a proposal to fix both issues:

The intent is:
* Subject attributes other than those defined in the BRs are allowed in DV
and OV certs, as long as the information is validated
* Metadata is prohibited in any Subject field in any type of cert
* For EV, OU is explicitly permitted, just like DV and OV
* For EV, only Subject fields that are explicitly defined are permitted

Any comments on this?

Would anyone like to endorse?

Do we need a future effective date for these changes? I believe they're
already being enforced.
