<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Calibri">I am also in favour of only allowing DV
certificates for CDNs.</font><br>
<br>
<div class="moz-cite-prefix">Il 18/02/2016 10:12, LeaderTelecom B.V.
ha scritto:<br>
</div>
<blockquote
cite="mid:1455786749.791421.72708702.1090557.2@otrs.hostingconsult.ru"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Dear Wen-Cheng Wang,<br>
<br>
<span style="color:rgb(31, 73, 125);
font-family:calibri,sans-serif; font-size:medium">> One
exception is the CDN SSL certificate, which is supposed to be a
single certificate shared by many CDN customers which has their
own domain names to be include the SAN field of the certificate.
Since the CDN SSL certificate contains multiple domains owned by
different organizations/entities, the value of the “O” field
should be the official registered name of the CDN operator</span><br>
<br>
It can confuse end customers while they don't know who is CDN and
who is not CDN. I suggest to use only DV-certificates for CDN.<br>
<br>
<br>
Please feel free to contact the undersigned any time with
any questions or concerns that you may have.<br>
<br>
--<br>
Kind regards,<br>
Aleksei Ivanov<br>
Managing Director<br>
LeaderTelecom B.V.<br>
<br>
18.02.2016 05:43 - 王文正 wrote:
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm
0cm 0cm 4.0pt" type="cite">
<div><span style="color:#1F497D; font-family:calibri,sans-serif">Chunghwa
Telecom will not attend this F2F meeting, so here I would
like to express our comments on this topic.</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif">I
think that the value of the “O” field SHALL be the official
registered name of the domain owner for OV and EV
certificate since the owner is the only entity that is
accountable and responsible for the certificate issued to
its domain. Therefore, only the domain owner has the right
to apply SSL certificates for its domains. If we allow OV
and EV certificates to be issued without the notification of
the domain owner, there might be some risk of
man-in-the-middle attacks.</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif">One
exception is the CDN SSL certificate, which is supposed to
be a single certificate shared by many CDN customers which
has their own domain names to be include the SAN field of
the certificate. Since the CDN SSL certificate contains
multiple domains owned by different organizations/entities,
the value of the “O” field should be the official registered
name of the CDN operator.</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif">In
practice, the Applicant might not be the domain owner
itself. However, in such kind of situation we always require
that the Applicant to proof that the Domain Owner really
delegate the Applicant to apply for SSL certificate on
behalf of the owner. For example, a non-IT company might
outsource the operation of its web site to an IT company and
delegate the IT company to apply for SSL certificates on its
behalf. In such situation, we always ask for the IT company
to show the delegation of the non-IT company (the domain
owner).</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif">For
CDN SSL certificate, it is similar to the situation that the
Domain Owners delegate the CDN operator to apply for SSL
certificate for them. Therefore, we will always ask the CDN
operator to show delegation of its CDN customers (the domain
owners).</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif">For
DV SSL certificate, there should be no “O” field. The reason
is all the subject identity information present in the
certificate must be validated by CA but the domain
validation process does not actually validate whether it’s
the domain owner who apply for the SSL certificate.</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span>
<div><span style="color:#1F497D;
font-family:calibri,sans-serif">Wen-Cheng Wang</span></div>
<span style="color:#1F497D; font-family:calibri,sans-serif"> </span>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm"><strong><span
style="font-family:tahoma,sans-serif;
font-size:10.0pt">From:</span></strong><span
style="font-family:tahoma,sans-serif; font-size:10.0pt">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <strong>On Behalf
Of </strong>Dean Coclin<br>
<strong>Sent:</strong> Tuesday, February 16, 2016 8:25
AM<br>
<strong>To:</strong> Peter Bowen; Doug Beattie<br>
<strong>Cc:</strong> CABFPub<br>
<strong>Subject:</strong> Re: [cabfpub] F2F Topic
details: What should be represented in the "O" field?</span></div>
</div>
<br>
<span style="color:#1F497D; font-family:calibri,sans-serif;
font-size:11.0pt">And here is a summary of the discussions
up to now on this topic. For our discussion Thursday. Peter
will also be presenting remotely.</span><br>
<br>
<span style="color:#1F497D; font-family:calibri,sans-serif;
font-size:11.0pt">Dean</span><br>
<span style="color:#1F497D; font-family:calibri,sans-serif;
font-size:11.0pt"> </span>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm"><strong><span
style="font-family:calibri,sans-serif;
font-size:11.0pt">From:</span></strong><span
style="font-family:calibri,sans-serif; font-size:11.0pt">
Peter Bowen [<a moz-do-not-send="true"
href="mailto:pzb@amzn.com" target="_blank">mailto:pzb@amzn.com</a>]<br>
<strong>Sent:</strong> Monday, February 15, 2016 2:49 PM<br>
<strong>To:</strong> Doug Beattie <<a
moz-do-not-send="true"
href="mailto:doug.beattie@globalsign.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:doug.beattie@globalsign.com">doug.beattie@globalsign.com</a></a>><br>
<strong>Cc:</strong> Dean Coclin <<a
moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a></a>>;
CABFPub <<a moz-do-not-send="true"
href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<strong>Subject:</strong> Re: [cabfpub] F2F Topic
details: What should be represented in the "O" field?</span></div>
</div>
<div>Doug,</div>
<div> </div>
<div>I think those are both relevant questions. The
relationship between applicant and FQDN and subject and FQDN
are related by separate topics. See the attached summary of
some of the dependencies.</div>
<div> </div>
</div>
<br>
<br>
<strong>本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件.
如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個
資保護責任.<br>
Please be advised that this email message (including any
attachments) contains confidential information and may be
legally privileged. If you are not the intended recipient,
please destroy this message and all attachments from your
system and do not further collect, process, or use them.
Chunghwa Telecom and all its subsidiaries and associated
companies shall not be liable for the improper or incomplete
transmission of the information contained in this email nor
for any delay in its receipt or damage to your system. If you
are the intended recipient, please protect the confidential
and/or personal information contained in this email with due
care. Any unauthorized use, disclosure or distribution of this
message in whole or in part is strictly prohibited. Also,
please self-inspect attachments and hyperlinks contained in
this email to ensure the information security and to protect
personal information.</strong></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
</body>
</html>