[cabf_validation] [EXTERNAL]Re: Other Subject Attributes

Bruce Morton Bruce.Morton at entrustdatacard.com
Wed Feb 27 09:37:23 MST 2019

I think currently CAs verify OUs for EV using the same criteria as the BRs.

My interpretation of your ballot is that OU can no longer be in an EV certificate. If this is the case, then changes will have to be made to prevent OUs in EV certificates.

If EV certificates can have OUs, then a new section could be added to EV 9.2 to address OU for EV certificates. This could either have new criteria or reference the BRs.

An issue with OUs is that some subscribers want to put in a department name or number. This allows for internal identification or internal billing. Neither can be verified, but usually this information is not deemed to be misleading. If it seems to be misleading then it is not allowed.

Thanks, Bruce.

From: Wayne Thayer [mailto:wthayer at mozilla.com]
Sent: February 27, 2019 11:26 AM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [EXTERNAL]Re: [cabf_validation] Other Subject Attributes

Does anyone know of a CA that needs to make changes based on this ballot? I believe that it just documents our current interpretation of the requirements, so I question the need for an effective date. It would also be good to clarify that EV certs can contain OU fields ASAP given that there are quite a few of those in existence.

On Wed, Feb 27, 2019 at 9:08 AM Bruce Morton <Bruce.Morton at entrustdatacard.com<mailto:Bruce.Morton at entrustdatacard.com>> wrote:
Hi Wayne,

Since this may require CAs to change their systems, can we add in an effective date?  I would suggest 6 months after ballot approval. I’m only choosing 6 months to give most CAs time to implement their changes and stay compliant.

Thanks, Bruce.

From: Validation [mailto:validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org>] On Behalf Of Wayne Thayer via Validation
Sent: February 27, 2019 10:59 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Subject: [EXTERNAL]Re: [cabf_validation] Other Subject Attributes

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
I won't be able to attend the Validation call tomorrow, so if anyone has comments on this ballot please send them to me. If I don't hear anything, I'll begin the review period on Friday.



On Mon, Feb 25, 2019 at 5:17 PM Wayne Thayer <wthayer at mozilla.com<mailto:wthayer at mozilla.com>> wrote:
Here is a pre-ballot incorporating feedback from Tim & Doug:

Ballot SC16: Other Subject Attributes

Purpose of Ballot:

This ballot intends to clarify requirements placed on Subject attributes in Subscriber certificates  in BR section and EVGL section 9.2.8. Specifically, Subject fields must contain more than just metadata if they are present in a certificate. OU field are permitted in EV certificates, but no unspecified Subject attributes are permitted.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Doug Beattie of GlobalSign and Tim Hollebeek of DigiCert.


This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.3:

* Capitalize the heading of Baseline Requirements section 7.1.4 Name Forms

* Add a second paragraph to Baseline Requirements section as follows:

Subject attributes MUST NOT contain metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable.

* Replace Baseline Requirements section, in its entirety, with the following text:

j. Other Subject Attributes

Other optional attributes MAY be present within the subject field. If present, other optional attributes MUST contain information that has been verified by the CA.


This ballot modifies the “Guidelines For The Issuance And Management Of Extended Validation Certificates” as follows, based on Version 1.6.8:

* Replace EV Guidelines section 9.2.8, in its entirety, with the following text:

9.2.8. Subject Organizational Unit Name Field

Certificate field: subject:organizationalUnitName (OID

Required/Optional: Optional

Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 11. Metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any other indication that this field is empty, absent or incomplete, MUST NOT be used.

* Add EV Guidelines section 9.2.9, with the following text:

9.2.9. Other Subject Attributes

CAs SHALL NOT include any Subject attributes except as specified in Section 9.2.



A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: TBD UTC

End Time: TBD UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190227/0baf2bed/attachment-0001.html>

More information about the Validation mailing list