<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:ZH-CN;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma",sans-serif;
mso-fareast-language:ZH-CN;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma",sans-serif;}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:10.0pt;
font-family:SimSun;
mso-fareast-language:ZH-CN;}
span.balloontextchar0
{mso-style-name:balloontextchar;
font-family:"Tahoma",sans-serif;}
span.emailstyle19
{mso-style-name:emailstyle19;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.emailstyle20
{mso-style-name:emailstyle20;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle21
{mso-style-name:emailstyle21;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle22
{mso-style-name:emailstyle22;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle23
{mso-style-name:emailstyle23;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle24
{mso-style-name:emailstyle24;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle25
{mso-style-name:emailstyle25;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle26
{mso-style-name:emailstyle26;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle27
{mso-style-name:emailstyle27;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle28
{mso-style-name:emailstyle28;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle29
{mso-style-name:emailstyle29;
font-family:"Calibri",sans-serif;
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.emailstyle30
{mso-style-name:emailstyle30;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle33
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle34
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle35
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle36
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle37
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle38
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D;mso-fareast-language:EN-US">Good point. This was an inconsistency before. We should permit the CA to use either the organizationName or the givenName and surname fields for the IV OID.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Mads Egil Henriksveen<br>
<b>Sent:</b> Thursday, July 9, 2015 1:00 AM<br>
<b>To:</b> Dean Coclin; public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] IV OID Ballot 150<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="NO-BOK" style="color:#1F497D">Hi Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NO-BOK" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D">Section 7.1.4.2.2. Subject Distinguished Name Fields b) Certificate Field: subject:organizationName (OID 2.5.4.10) says:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><i><span style="color:#1F497D">Because Subject name attributes for individuals (e.g. givenName (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by application software,
<u>the CA MAY use the subject:organizationName</u> field to convey a natural person Subject�$B!G�(Bs name or DBA.<o:p></o:p></span></i></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D">This is apparently inconsistent with the last sentence in the ballot:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><i><span style="color:#1F497D">If the Certificate asserts the policy identifier of either 2.23.140.1.2.2 or 2.23.140.1.2.3 , then
<u>it MUST also include organizationName</u>, localityName, stateOrProvinceName (if applicable), and countryName in the Subject field</span></i><span style="color:#1F497D">.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D">I assume it should still be possible to issue certificates to individuals (natural persons) without requiring the use of organizationName for holding the individuals name, but rather
use other subject attributes (?)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D">Regards<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:#1F497D">Mads<o:p></o:p></span></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> 8. juli 2015 23:12<br>
<b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] IV OID Ballot 150<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I�$B!G�(Bm reintroducing this ballot based on the meeting in Zurich. I�$B!G�(Bll write a separate ballot for the EV, and EV Code Signing OIDs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I have highlighted changes to the existing language so hopefully everyone can see the changes. I�$B!G�(Bve also enclosed a pdf version.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Endorsers: I assume you are still good with this? There are no changes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks,<br>
Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b>Ballot 150-Addition of Optional OID for Individual Validation<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The following motion has been proposed by Dean Coclin of Symantec and endorsed by Jeremy Rowley of Digicert and Kirk Hall of Trend Micro<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">-- MOTION BEGINS –<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Modify section 1.2 of Baseline Requirements as follows:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>1.2 Document Name and Identification</b><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This certificate policy (CP) contains the requirements for the issuance and management of publicly�$B!>�(Btrusted SSL certificates, as adopted by the CA/Browser Forum.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The following Certificate Policy identifiers are reserved for use by CAs as an optional means of asserting compliance with this CP (OID arc 2.23.140.1.2) as follows:
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baseline�$B!>�(B requirements(2) domain�$B!>�(Bvalidated(1)} (2.23.140.1.2.1);
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baseline�$B!>�(B requirements(2)
<span style="background:yellow;mso-highlight:yellow">organization-validated</span>(2)} (2.23.140.1.2.2) and<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="background:yellow;mso-highlight:yellow">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baseline�$B!>�(B requirements(2) individual-validated(3)} (2.23.140.1.2.3).</span><o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">Modify section 7.1.6.1 as follows:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>7.1.6.1. Reserved Certificate Policy Identifiers
<o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This section describes the content requirements for the Root CA, Subordinate CA, and Subscriber Certificates, as they relate to the identification of Certificate Policy.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The following Certificate Policy identifiers are reserved for use by CAs as an optional means of asserting compliance with these Requirements as follows:
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baseline�$B!>�(Brequirements(2) domain�$B!>�(Bvalidated(1)} (2.23.140.1.2.1), if the Certificate complies with these Requirements
but lacks Subject Identity Information that is verified in accordance with either Section 3.2.2.1
<span style="background:yellow;mso-highlight:yellow">or Section 3.2.3</span>.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baseline�$B!>�(Brequirements(2)
<span style="background:yellow;mso-highlight:yellow">organization</span>-validated(2)} (2.23.140.1.2.2), if the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.2.1.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="background:yellow;mso-highlight:yellow">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baseline�$B!>�(Brequirements(2) individual-validated(3)} (2.23.140.1.2.3),
if the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.3.</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If the Certificate asserts the policy identifier of either 2.23.140.1.2.2<span style="color:#1F497D">
</span><span style="background:yellow;mso-highlight:yellow">or 2.23.140.1.2.3</span> , then it MUST also include organizationName, localityName, stateOrProvinceName (if applicable), and countryName in the Subject field.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">If the ballot passes, the custodian of the Forum OIDs will be instructed to obtain the new OID for IV as indicated above.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">-- MOTION ENDS –<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The review period for this ballot shall commence at 2200 UTC on Thursday
<span style="color:#1F497D">July</span> <span style="color:#1F497D">9</span>, 2015, and will close at 2200 UTC on Thursday
<span style="color:#1F497D">16</span> Ju<span style="color:#1F497D">ly</span> 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Thursday, 2<span style="color:#1F497D">3</span>
<span style="color:#1F497D">July</span> 2015. Votes must be cast by posting an on-list reply to this thread.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses
will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: <a href="https://cabforum.org/members/"><span style="color:windowtext">https://cabforum.org/members/</span></a><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently
nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
</body>
</html>