<div dir="ltr"><div class="gmail_extra">With the ballot issues corrected below (which I think is correct from intent, but not wording), Google votes YES</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 2, 2015 at 9:14 AM, Doug Beattie <span dir="ltr">&lt;<a href="mailto:doug.beattie@globalsign.com" target="_blank">doug.beattie@globalsign.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><br></p><div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0in 0in 0in 4pt">
<p class="MsoNormal">1) Replace Section 9.1 with the following:</p>
<p class="MsoNormal">"9.1 Issuer Information</p>
<p class="MsoNormal">The content of the Certificate Issuer Distinguished Name field MUST match the Subject DN of the Issuing CA to support Name chaining as specified in RFC 5280, section 4.1.2.4."</p>
<p class="MsoNormal">2) Move Section 9.2.2 to 9.2.2(a) and renumber the subsequent sections as b-i.</p></div></div></div></blockquote><div><br></div><div>This should read 9.2.4(a). Though you renumber 9.2.4 as 9.2.2 in Step 4 (below), it's not clear at the time you execute *this* step that you're moving "9.2.2 Subject Common Name Field" to be "9.2.4 Subject Distinguished Name Fields (a) Certificate Field: subject:commonName" before renumbering 9.2.4 as 9.2.2 below.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0in 0in 0in 4pt"><p class="MsoNormal">
</p>
<p class="MsoNormal">3) Delete Section 9.2.3.</p>
<p class="MsoNormal">4) Renumber 9.2.4 as 9.2.2.</p>
<p class="MsoNormal">5) In section 9.2, edit section reference “9.2.2” to “9.2.2 (a)”</p>
<p class="MsoNormal">6) Update section references 9.2.4 (f) to 9.2.2.(g) and 9.2.4 to 9.2.2 throughout document.</p>
<p class="MsoNormal">7) In Appendix B (Certificate Content and Extensions), Item (1) Root CA Certificates, add</p>
<p class="MsoNormal">F. Subject Information</p>
<p class="MsoNormal">The Certificate Subject MUST contain the following</p>
<p class="MsoNormal">- countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.</p>
<p class="MsoNormal">- organizationName (OID 2.5.4.10). This field MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain exclusively
a generic designation such as “Root 1”.</p></div></div></div></blockquote><div><br></div><div>Should this be E. Subject Information?</div><div><br></div><div>As far as I can tell from <a href="https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf">https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf</a> , D is the last subitem here.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0in 0in 0in 4pt">
<p class="MsoNormal">8) In Appendix B (Certificate Content and Extensions), Item (2) Subordinate CA Certificate, add</p>
<p class="MsoNormal">H. The Certificate Subject MUST contain the following</p>
<p class="MsoNormal">- countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.</p>
<p class="MsoNormal">- organizationName (OID 2.5.4.10). This field MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain exclusively a generic designation such as “CA1”.</p>
<p class="MsoNormal"><u></u> </p></div></div></div></blockquote><div><br></div><div><br></div><div>As ballots go, I think it's weird to split the normative requirements for subject names between Appendix B and Section 9.2, but I'm willing to live with it to correct the obvious issues.</div><div><br></div><div>It seems like you could have structured countryName / organizationName as</div><div>Required if the basicConstraints extension is present and has a value for cA is True [Alternatively, Required if the Certificate is a Root or Subordinate CA Certificate]</div><div>Optional if the basicConstraints extension is absent or if the value for cA is the default value, False [Alternatively, Optional if the Certificate is neither a Root nor Subordinate CA Certificate]</div><div><br></div><div>Along with their normative content</div><div><br></div><div>But that's neither here nor there</div></div></div></div>
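Added example, not part of this thread or of the Baseline Requirements text: a small Python lint for the requirements quoted above (Issuer DN matching the issuing CA's Subject DN, and countryName / organizationName in CA certificates), keyed on basicConstraints cA as the reply suggests. It assumes certificates are already parsed into dicts with DNs as ordered (OID, value) pairs; the `lint` function, the finding names and the generic-designation pattern are hypothetical.

```python
import re

OID_COUNTRY = "2.5.4.6"   # countryName (OID from the ballot text)
OID_ORG = "2.5.4.10"      # organizationName (OID from the ballot text)

# Assumption: heuristic for "exclusively a generic designation"; the ballot
# only gives "Root 1" and "CA1" as examples.
GENERIC = re.compile(r"(root|ca|root\s*ca|sub(ordinate)?\s*ca)\s*\d*", re.I)

def is_ca(cert):
    """basicConstraints present with cA TRUE; absent or default FALSE is not a CA."""
    bc = cert.get("basicConstraints")
    return bc is not None and bc.get("cA", False) is True

def lint(cert, issuing_ca):
    """Return findings for one certificate against the quoted requirements."""
    findings = []
    # Section 9.1: Issuer DN must match the issuing CA's Subject DN.
    # Simplification: exact comparison of ordered (OID, value) pairs.
    if cert["issuer"] != issuing_ca["subject"]:
        findings.append("issuer-dn-mismatch")
    if not is_ca(cert):
        return findings  # C and O are only required here for CA certificates
    attrs = {}
    for oid, value in cert["subject"]:
        attrs.setdefault(oid, []).append(value)
    countries = attrs.get(OID_COUNTRY, [])
    if not countries:
        findings.append("missing-countryName")
    elif not all(re.fullmatch(r"[A-Z]{2}", c) for c in countries):
        findings.append("countryName-not-two-letter")  # shape only, not the ISO list
    orgs = attrs.get(OID_ORG, [])
    if not orgs:
        findings.append("missing-organizationName")
    elif any(GENERIC.fullmatch(o.strip()) for o in orgs):
        findings.append("organizationName-generic")
    return findings

# Constructed sample certificates (not real CAs).
ROOT = {"subject": [(OID_COUNTRY, "US"), (OID_ORG, "Example Trust Services")],
        "basicConstraints": {"cA": True}}
ROOT["issuer"] = ROOT["subject"]  # self-signed root
BAD_SUB = {"subject": [(OID_ORG, "CA1")], "issuer": ROOT["subject"],
           "basicConstraints": {"cA": True}}
LEAF = {"subject": [("2.5.4.3", "www.example.com")],
        "issuer": [(OID_ORG, "Someone Else")]}  # no basicConstraints

if __name__ == "__main__":
    for name, c in (("root", ROOT), ("bad-sub", BAD_SUB), ("leaf", LEAF)):
        print(name, lint(c, ROOT))
```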