[cabf_validation] [EXTERNAL]Re: Other Subject Attributes

Wayne Thayer wthayer at mozilla.com
Wed Feb 27 09:45:05 MST 2019


The ballot explicitly permits OUs in EV certificates with language cribbed
from the BRs (i.e. unverified information is permitted as long as it's not
misleading):

9.2.8. Subject Organizational Unit Name Field

Certificate field: subject:organizationalUnitName (OID 2.5.4.11)

Required/Optional: Optional

Contents: The CA SHALL implement a process that prevents an OU attribute
from including a name, DBA, tradename, trademark, address, location, or
other text that refers to a specific natural person or Legal Entity unless
the CA has verified this information in accordance with Section 11.
Metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any
other indication that this field is empty, absent or incomplete, MUST NOT
be used.


On Wed, Feb 27, 2019 at 9:37 AM Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> I think currently CAs verify OUs for EV using the same criteria as the
> BRs.
>
> My interpretation of your ballot is that OU can no longer be in an EV
> certificate. If this is the case, then changes will have to be made to
> prevent OUs in EV certificates.
>
> If EV certificates can have OUs, then a new section could be added to EV
> 9.2 to address OU for EV certificates. This could either have new criteria
> or reference the BRs.
>
> An issue with OUs is that some subscribers want to put in a department
> name or number. This allows for internal identification or internal
> billing. Neither can be verified, but usually this information is not
> deemed to be misleading. If it seems to be misleading then it is not
> allowed.
>
> Thanks, Bruce.
>
> *From:* Wayne Thayer [mailto:wthayer at mozilla.com]
> *Sent:* February 27, 2019 11:26 AM
> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
> *Cc:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* Re: [EXTERNAL]Re: [cabf_validation] Other Subject Attributes
>
> Does anyone know of a CA that needs to make changes based on this ballot?
> I believe that it just documents our current interpretation of the
> requirements, so I question the need for an effective date. It would also
> be good to clarify that EV certs can contain OU fields ASAP given that
> there are quite a few of those in existence.
>
> On Wed, Feb 27, 2019 at 9:08 AM Bruce Morton <
> Bruce.Morton at entrustdatacard.com> wrote:
>
> Hi Wayne,
>
> Since this may require CAs to change their systems, can we add in an
> effective date? I would suggest 6 months after ballot approval. I’m only
> choosing 6 months to give most CAs time to implement their changes and stay
> compliant.
>
> Thanks, Bruce.
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf Of
> *Wayne Thayer via Validation
> *Sent:* February 27, 2019 10:59 AM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabf_validation] Other Subject Attributes
>
> I won't be able to attend the Validation call tomorrow, so if anyone has
> comments on this ballot please send them to me. If I don't hear anything,
> I'll begin the review period on Friday.
>
> Thanks,
>
> Wayne
>
> On Mon, Feb 25, 2019 at 5:17 PM Wayne Thayer <wthayer at mozilla.com> wrote:
>
> Here is a pre-ballot incorporating feedback from Tim & Doug:
>
> Ballot SC16: Other Subject Attributes
>
> Purpose of Ballot:
>
> This ballot intends to clarify requirements placed on Subject attributes
> in Subscriber certificates in BR section 7.1.4.2 and EVGL section 9.2.8.
> Specifically, Subject fields must contain more than just metadata if they
> are present in a certificate. OU fields are permitted in EV certificates,
> but no unspecified Subject attributes are permitted.
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by Doug Beattie of GlobalSign and Tim Hollebeek of DigiCert.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.6.3:
>
> * Capitalize the heading of Baseline Requirements section 7.1.4 Name Forms
>
> * Add a second paragraph to Baseline Requirements section 7.1.4.2 as
> follows:
>
> Subject attributes MUST NOT contain metadata such as '.', '-', and ' '
> (i.e. space) characters, and/or any other indication that the value is
> absent, incomplete, or not applicable.
>
> * Replace Baseline Requirements section 7.1.4.2.1(j.), in its entirety,
> with the following text:
>
> j. Other Subject Attributes
>
> Other optional attributes MAY be present within the subject field. If
> present, other optional attributes MUST contain information that has been
> verified by the CA.
>
> ----
>
> This ballot modifies the “Guidelines For The Issuance And Management Of
> Extended Validation Certificates” as follows, based on Version 1.6.8:
>
> * Replace EV Guidelines section 9.2.8, in its entirety, with the following
> text:
>
> 9.2.8. Subject Organizational Unit Name Field
>
> Certificate field: subject:organizationalUnitName (OID 2.5.4.11)
>
> Required/Optional: Optional
>
> Contents: The CA SHALL implement a process that prevents an OU attribute
> from including a name, DBA, tradename, trademark, address, location, or
> other text that refers to a specific natural person or Legal Entity unless
> the CA has verified this information in accordance with Section 11.
> Metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any
> other indication that this field is empty, absent or incomplete, MUST NOT
> be used.
>
> * Add EV Guidelines section 9.2.9, with the following text:
>
> 9.2.9. Other Subject Attributes
>
> CAs SHALL NOT include any Subject attributes except as specified in
> Section 9.2.
>
>
> -- MOTION ENDS --
>
>
> *** WARNING ***: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
> A comparison of the changes can be found at:
> https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: TBD UTC
>
> End Time: TBD UTC
>
> Vote for approval (7 days)
>
> Start Time: TBD
>
> End Time: TBD
>
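A lint check for the metadata rule the ballot adds to BR 7.1.4.2 and EVGL 9.2.8, plus the proposed 9.2.9 rule that an EV subject may only carry attributes Section 9.2 specifies. This is an added example, not code from the list, the ballot, or any CA; it models a subject as (attribute, value) pairs rather than parsing DER, and both the placeholder-word list and the EV attribute allow-list are assumptions.

```python
import re

# Characters the ballot text names as "metadata": '.', '-' and ' ' (space).
METADATA_CHARS = set(".- ")

# Placeholder words treated as "any other indication that the value is absent";
# this particular word list is an assumption, not something the ballot lists.
PLACEHOLDERS = {"n/a", "na", "none", "null", "notapplicable", "unknown"}

# Subject attributes defined by the EVGL 9.2 subsections. Assumed list for this
# example; check it against the EV Guidelines text before relying on it.
EV_ALLOWED_ATTRS = {
    "CN", "O", "OU", "businessCategory", "jurisdictionCountryName",
    "jurisdictionStateOrProvinceName", "jurisdictionLocalityName",
    "serialNumber", "street", "L", "ST", "C", "postalCode",
}


def is_metadata_only(value: str) -> bool:
    """True when the value carries no information: empty, made up only of
    '.', '-' or space characters, or a placeholder such as 'N/A' or '-none-'."""
    stripped = value.strip()
    if not stripped or set(stripped) <= METADATA_CHARS:
        return True
    # Drop metadata characters before comparing, so "- N/A -" still matches.
    normalised = re.sub(r"[\s.\-]+", "", stripped.lower())
    return normalised in PLACEHOLDERS


def lint_subject(attrs, ev=False):
    """Return findings for a subject given as [(attribute, value), ...].
    With ev=True also apply proposed EVGL 9.2.9: no attributes outside 9.2."""
    findings = []
    for name, value in attrs:
        if is_metadata_only(value):
            findings.append(f"{name}: metadata-only value {value!r}")
        if ev and name not in EV_ALLOWED_ATTRS:
            findings.append(f"{name}: attribute not specified in EVGL 9.2")
    return findings


if __name__ == "__main__":
    # Constructed sample subjects, not taken from real certificates.
    good = [("C", "US"), ("O", "Example Corp"), ("OU", "Billing Dept 42"),
            ("CN", "example.com")]
    bad = [("C", "US"), ("O", "Example Corp"), ("OU", "-"), ("ST", "N/A"),
           ("emailAddress", "admin@example.com"), ("CN", "example.com")]
    for label, subject in (("good", good), ("bad", bad)):
        print(label, lint_subject(subject, ev=True) or "OK")
```

Note that an unverifiable but non-misleading OU such as a department number passes this check; the ballot text only forbids metadata and text referring to a specific person or Legal Entity that the CA has not verified.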