<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Dean,</div><div class=""><br class=""></div><div class="">Thanks for this background. I would like to confirm a couple of things are correct as a precursor to the discussion.</div><div class=""><br class=""></div><div class="">1) BR Section 7.1.4.2.2 requires that the organizationName and other Subject attributes contain information verified as per 3.2.2.1</div><div class=""><br class=""></div><div class="">2) BR Section 3.2.2.1 says "If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify
the identity and address of the organization and that the address is the Applicant’s address of existence or
operation. The CA SHALL verify the identity and address of the Applicant[…]"</div><div class=""><br class=""></div><div class="">3) BR Section 1.6.1 has three definitions that are relevant:</div><div class=""><br class=""></div><div class="">"Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the
Certificate issues, the Applicant is referred to as the Subscriber."</div><div class=""><br class=""></div><div class="">"Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity
Information does not include a domain name listed in the subjectAltName extension or the Subject
commonName field."</div><div class=""><br class=""></div><div class="">"Subscriber: A natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber or Terms of Use Agreement."</div><div class=""><br class=""></div><div class="">4) BR Section 9.6.3 lays out obligations of the Subscriber</div><div class=""><br class=""></div><div class="">So, based on this, I think it is accurate that the Subject Identity Information, including the organizationName attribute, MUST identify the natural person or Legal Entity that is the Applicant and is required to meet the obligations of the Subscriber Agreement or Terms of Use.</div><div class=""><br class=""></div><div class="">Does this flow? Is there a situation where the person or entity named in the certificate subject is not the Applicant and/or not the Subscriber?</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Peter</div><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 4, 2016, at 2:26 PM, Dean Coclin &lt;<a href="mailto:Dean_Coclin@symantec.com" class="">Dean_Coclin@symantec.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class="">As requested on today’s call, please publish ahead of time any background reading material for a topic which has your name next to it.<o:p class=""></o:p></b></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; 
font-size: 11pt; font-family: Calibri, sans-serif;" class="">On Day 2 the subject topic is scheduled. Here is some background:<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">At the last F2F meeting we discussed what should go in the certificate “O” field and what the definition of “applicant” should be. Ryan succinctly summarized it and I transformed it into the following example:<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Who can request a cert for<span class="Apple-converted-space"> </span><a href="http://dean.example.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">dean.example.com</a>:<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><ol start="1" type="1" style="margin-bottom: 0in; margin-top: 0in;" class=""><li class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Dean Coclin, author of the content and logical operator of the<span class="Apple-converted-space"> </span><u class=""><a href="http://dean.example.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">dean.example.com</a></u><span class="Apple-converted-space"> </span>origin<o:p class=""></o:p></li><li class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><a href="http://example.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Example.com</a>, provider of hosting services for Dean Coclin<o:p class=""></o:p></li><li 
class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">CDN Corp, a CDN that provides SSL/TLS front-end services for<span class="Apple-converted-space"> </span><u class=""><a href="http://example.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">example.com</a></u>, which does not offer them directly<o:p class=""></o:p></li><li class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Dean Coclin<o:p class=""></o:p></li><li class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Payments LLC, the payment processing firm responsible for handling orders and financial details on<span class="Apple-converted-space"> </span><u class=""><a href="http://dean.example.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">dean.example.com</a></u><o:p class=""></o:p></li><li class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">DNS Org, the company who operates the DNS services on behalf of Dean Coclin<o:p class=""></o:p></li><li class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Mail Corp, the organization who handles the MX records that<span class="Apple-converted-space"> </span><a href="http://dean.example.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">dean.example.com</a><span class="Apple-converted-space"> </span>responds to<o:p class=""></o:p></li></ol><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">At the last meeting, there was a debate between some who thought it should be #1 and those that 
thought it should be whoever holds the private key.<span class="Apple-converted-space"> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">My position (and those of some others at the meeting) is that it should be #1. The rationale is that this is what is of interest to relying parties. I don’t believe relying parties care who holds the private key nor who the site’s payment processor or DNS operator are. Relying parties want to know who is responsible for the site content and, in case of problems, who they should contact.<span class="Apple-converted-space"> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I would like to open and continue a discussion of this topic (at the meeting, not here) so that we can try and come to some consensus on this issue. 
Of course, if you have a viewpoint that you’d like to elaborate ahead of time, please feel free to do so.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Thanks<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Dean<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div></blockquote></div><br class=""></body></html>