[cabf_validation] Other Subject Attributes

Doug Beattie doug.beattie at globalsign.com
Thu Feb 21 15:10:17 MST 2019

Hi Wayne,


I’ll endorse.


I think you should add “only” to this:

*	Subject attributes MUST NOT contain only metadata…


For “j,”, I think you should remove “optional” because, if they are outside of the designated list, by definition they are optional.  Suggest:


Other attributes MAY be present within the subject field. If present, these attributes MUST contain information that has been verified by the CA.


From: Validation <validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: Thursday, February 21, 2019 4:59 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [cabf_validation] Other Subject Attributes


We've recently had discussions about the meaning of EVGL section 9.2.8 in the context of adding Subject:organizationIdentifier for LEIs and the eIDAS/PSD2 identifier. There is also uncertainty if the OU field is currently permitted to be included in EV certificates. I drafted a change that would clarify this by explicitly permitting OU and forbidding any Subject attributes not defined in the EVGLs, but I had been holding off on proposing this because I didn't want to do something that would conflict with any proposal from ETSI on organizationIdentifier.


Today there has been discussion on the Questions and Management lists about BR section and (j). Those sections suffer from a similar problem.


Here is a proposal to fix both issues: https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information


The intent is:

* Subject attributes other than those defined on the BRs are allowed in DV and OV certs, as long as the information is validated

* Metadata is prohibited in any Subject field in any type of cert

* For EV, OU is explicitly permitted, just like DV and OV

* For EV, only Subject fields that are explicitly defined are permitted


Any comments on this?


Would anyone like to endorse?


Do we need a future effective date for these changes? I believe they're already being enforced.







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190221/32f5c000/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5701 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20190221/32f5c000/attachment-0001.p7s>

More information about the Validation mailing list