[cabf_validation] Other Subject Attributes

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Feb 21 17:41:43 MST 2019

Wayne – your ballot has this distinction between the BRs and the EVGL (this is the text as you would amend it):

BR Other Subject Attributes
Other optional attributes MAY be present within the subject field.  If present, other optional attributes MUST contain information that has been verified by the CA.

EVGL 9.2.9. Other Subject Attributes
CAs SHALL NOT include any Subject attributes except as specified in Section 9.2.

Why the difference?  Many of us think that the word “other” in EVGL 9.2.8 today means that other subject attributes *are* permitted (the word “other” means other than 9.2.1 through 9.2.7), so long as they are verified (i.e., many of us believe that the current EVGL allow other subject attributes beyond 9.2.1 through 9.2.7).

If we simply adopt your change to BR in BOTH the BRs AND the EVGL, that would be consistent with what (I believe) was originally intended in EVGL 9.2.8, and would clarify the matter completely.  Why should verified Subject DN in EV certs be more restricted than in DV and OV certs?

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Wayne Thayer via Validation
Sent: Thursday, February 21, 2019 1:59 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [EXTERNAL][cabf_validation] Other Subject Attributes

We've recently had discussions about the meaning of EVGL section 9.2.8 in the context of adding Subject:organizationIdentifier for LEIs and the eIDAS/PSD2 identifier. There is also uncertainty if the OU field is currently permitted to be included in EV certificates. I drafted a change that would clarify this by explicitly permitting OU and forbidding any Subject attributes not defined in the EVGLs, but I had been holding off on proposing this because I didn't want to do something that would conflict with any proposal from ETSI on organizationIdentifier.

Today there has been discussion on the Questions and Management lists about BR section and (j). Those sections suffer from a similar problem.

Here is a proposal to fix both issues: https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information

The intent is:
* Subject attributes other than those defined on the BRs are allowed in DV and OV certs, as long as the information is validated
* Metadata is prohibited in any Subject field in any type of cert
* For EV, OU is explicitly permitted, just like DV and OV
* For EV, only Subject fields that are explicitly defined are permitted

Any comments on this?

Would anyone like to endorse?

Do we need a future effective date for these changes? I believe they're already being enforced.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190222/748131b8/attachment-0001.html>

More information about the Validation mailing list