[cabf_validation] Pre-Ballot Registration Agencies / Incorporating Agencies

Ryan Sleevi sleevi at google.com
Tue May 19 14:28:07 MST 2020


Yeah, this was already incorporated, although slightly rephrased, based on
some of the GitHub discussion.

"If the CA restricts the form or syntax of the Registration Number used by
the Incorporating Agency or Registration Agency, then the acceptable forms
or Syntax of such numbers"

This reduces the scope of disclosure further, to only CAs that actively
restrict. The reason I ended up with this more restrictive form is that I
imagine CAs won't actually restrict until they have high confidence in the
rule (or in their process to adjust the rule, as necessary). This minimizes
disclosures that might cause us to think the syntax is "simple", but it's
not, by only requiring disclosure when the issuing CAs are themselves
confident.

On Tue, May 19, 2020 at 4:15 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> I think that’s a useful improvement.  What precisely it means for a large
> organization to “know” something has caused problems in the past.
>
>
>
> -Tim
>
>
>
> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Doug
> Beattie via Validation
> *Sent:* Thursday, May 14, 2020 3:57 PM
> *To:* Ryan Sleevi <sleevi at google.com>
> *Cc:* CABforum3 <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Pre-Ballot Registration Agencies /
> Incorporating Agencies
>
>
>
> If you change “if known” to Optional, then I’m ok.
>
>
>
> The accepted or allowed form or syntax of the Registration Number used by
> the Incorporating Agency or Registration Agency (optional)
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Thursday, May 14, 2020 3:52 PM
> *To:* Doug Beattie <doug.beattie at globalsign.com>
> *Cc:* CA/Browser Forum Validation SC List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Pre-Ballot Registration Agencies /
> Incorporating Agencies
>
>
>
> Doug,
>
>
>
> Thanks for doing this. As I mentioned on GitHub, I think there's some
> misunderstanding, below.
>
>
>
> On Thu, May 14, 2020 at 3:32 PM Doug Beattie <doug.beattie at globalsign.com>
> wrote:
>
> Ryan,
>
>
>
> I posted a couple of comments in GitHub, but wanted to provide them here
> as well for those that may not be following this thread.
>
>
>
> I’m OK with providing a list of Registration Agencies / Incorporating
> Agencies by name, but this ballot also requires CAs to define and document
> (in the list of disclosed Agencies) all of the following information:
>
>
>
>    1. The accepted values for the `subject:jurisdictionLocalityName`
>    (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName`
>    (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName`
>    (OID: 1.3.6.1.4.1.311.60.2.1.3) fields when a certificate is issued using
>    information from that Incorporating Agency or Registration Agency,
>    indicating the jurisdiction(s) that the Agency is appropriate for; and,
>
>
>
> I'm not sure why this is difficult? This is already a requirement of the
> EV Guidelines (that is, the values in a cert MUST be linked to the
> Registration Agency / Agency of Incorporation). So you're already supposed
> to be managing this and there should be exactly 1 value for each of these.
>
>
>
>
>    1. The accepted or allowed form or syntax of the Registration Number
>    used by the Incorporating Agency or Registration Agency, if known; and,
>
> "If known". This is optional, but it's listed so people know it's
> useful/important and look to collect, which a number are.
>
>
>