<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>IMO - The OIDs should be set based on the section under which validation occurred, not whether the organization field contains the entity’s name.  <a name="_MailEndCompose"><o:p></o:p></a></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></span></p><span style='mso-bookmark:_MailEndCompose'></span><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Erwann Abalea [mailto:Erwann.Abalea@docusign.com] <br><b>Sent:</b> Friday, August 19, 2016 7:49 AM<br><b>To:</b> Bruce Morton &lt;bruce.morton@entrust.com&gt;<br><b>Cc:</b> Jeremy Rowley &lt;jeremy.rowley@digicert.com&gt;; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] givenName and surname revived<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hello, <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If the person’s name information is placed in the organizationName attribute, it doesn’t mean the certificate is « Organization Validated », it’s still « Identity Validated ».<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Placing the person’s name in the O attribute is a bad tradeoff in my opinion, because it brings confusion. 
This thread also collides with the one about omitting ST/L when there’s a country-level registry of corporations.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Regards,<o:p></o:p></p></div><div><p class=MsoNormal>Erwann Abalea<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On 19 August 2016 at 14:41, Bruce Morton &lt;<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>&gt; wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Hi Jeremy,</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Would like some clarification. On the call yesterday, it was said that IV certificates were not defined, so this ballot will help resolve this.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Per 7.1.4.2.2 b, the current BRs allow givenName and surname to be included in the organizationName field. Will this still be allowed? If so, what would the certificate type be? OV or IV? 
I would prefer that these be OV certificates.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If we do make the changes and the CAs have to meet Microsoft’s requirement to put a DV, OV, or IV certificate policy in the certificate, I think we should clearly define each certificate type.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Also, the stateOrProvinceName field appears to currently have an issue as it does not have any language to address the case where there is no state or province in the address.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks, Bruce.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><div style='border:none;border-top:solid #E1E1E1 
1.0pt;padding:3.0pt 0in 0in 0in'><div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span class=apple-converted-space><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]<span class=apple-converted-space> </span><b>On Behalf Of<span class=apple-converted-space> </span></b>Jeremy Rowley<br><b>Sent:</b><span class=apple-converted-space> </span>Thursday, August 18, 2016 12:09 PM<br><b>To:</b><span class=apple-converted-space> </span><a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b><span class=apple-converted-space> </span>[cabfpub] givenName and surname revived<o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Looking for two endorsers for the following revisions to the baseline requirements adding support for givenName and surname:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Insert a new (C) under 7.1.4.2.2, renumbering all subsequent bullets.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>c.<span class=apple-converted-space> </span><b>Certificate Field</b>: subject:givenName (2.5.4.42) and subject:surname (2.5.4.4)</span></u><span 
style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><b><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Optional.<span class=apple-converted-space> </span></span></u></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><b><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Contents:  </span></u></b><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>If present, the subject:givenName field and subject:surname field MUST contain a natural person Subject’s name as verified under Section 3.2.3. A Certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) Certificate Policy OID</span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>d.</span></u><span class=apple-converted-space><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Certificate Field: Number and street: subject:streetAddress (OID: 2.5.4.9)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>    Optional if the subject:organizationName field<u>, subject:givenName field, or subject:surname field are</u><span class=apple-converted-space> </span><s>is</s>present. 
Prohibited if the subject:organizationName field<u>, subject:givenName, and subject:surname field are</u><s>is</s><span class=apple-converted-space> </span>absent.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>   Contents: If present, the subject:streetAddress field MUST contain the Subject’s street address information as verified under Section 3.2.2.1.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>e</span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>. Certificate Field: subject:localityName (OID: 2.5.4.7)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Required if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName field, or subject:surname field are</u><span class=apple-converted-space> </span><s>is</s>present and the subject:stateOrProvinceName field is absent. Optional if the<span class=apple-converted-space><u> </u></span><u>subject:stateOrProvinceName field and the subject:organizationName field, subject:givenName field, or subject:surname  </u>field are present. Prohibited if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName, and subject:surname field are<span class=apple-converted-space> </span></u><s>is</s>absent.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Contents: If present, the subject:localityName field MUST contain the Subject’s locality information as verified under Section 3.2.2.1. 
If the subject:countryName field specifies the ISO 3166‐1 user‐assigned code of XX in accordance with Section 7.1.4.2.2(g), the localityName field MAY contain the Subject’s locality and/or state or province information as verified under Section 3.2.2.1.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>f</span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>. Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Required if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName field, or subject:surname field are</u><span class=apple-converted-space> </span><s>is<span class=apple-converted-space> </span></s>present and<span class=apple-converted-space> </span><u>the<span class=apple-converted-space> </span></u>subject:localityName field is absent. Optional if the<span class=apple-converted-space> </span><u>subject:localityName field and the subject:organizationName field, the subject:givenName field, or subject:surname field</u><span class=apple-converted-space> </span>are present. Prohibited if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName field, or subject:surname field<span class=apple-converted-space> </span></u>are<span class=apple-converted-space><s> </s></span><s>is</s>absent. Contents: If present, the subject:stateOrProvinceName field MUST contain the Subject’s state or province information as verified under Section 3.2.2.1. 
If the subject:countryName field specifies the ISO 3166‐1 user‐assigned code of XX in accordance with Section 7.1.4.2.2(g), the subject:stateOrProvinceName field MAY contain the full name of the Subject’s country information as verified under Section 3.2.2.1.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>g</span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>. Certificate Field: subject:postalCode (OID: 2.5.4.17)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Optional if the subject:organizationName,<span class=apple-converted-space> </span><u>subject:givenName field, or subject:surname</u><span class=apple-converted-space> </span>fields<span class=apple-converted-space> </span><u>are</u><span class=apple-converted-space> </span><s>is</s><span class=apple-converted-space> </span>present. Prohibited if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName field, or subject:surname field are<span class=apple-converted-space> </span></u><s>is</s>absent.<span class=apple-converted-space> </span><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Contents: If present, the subject:postalCode field MUST contain the Subject’s zip or postal information as verified under Section 3.2.2.1.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>h</span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>. 
Certificate Field: subject:countryName (OID: 2.5.4.6)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Required if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName, or subject:surname field</u><span class=apple-converted-space> </span>is present. Optional if the subject:organizationName field,<span class=apple-converted-space> </span><u>subject:givenName field</u>, and  <u>subject:surname field are</u><span class=apple-converted-space> </span><s>is</s>absent.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Contents: If the subject:organizationName field is present, the subject:countryName MUST contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject verified under Section 3.2.2.1. If the subject:organizationName,<span class=apple-converted-space> </span><u>subject:givenName field, and subject:surname</u><span class=apple-converted-space> </span> field<span class=apple-converted-space> </span><u>are</u><span class=apple-converted-space> </span><s> is<span class=apple-converted-space> </span></s>absent, the subject:countryName field MAY contain the two‐letter ISO 3166‐1 country code associated with the Subject as verified in accordance with Section 3.2.2.3. If a Country is not represented by an official ISO 3166‐1 country code, the CA MAY specify the ISO 3166‐1 user‐assigned code of XX indicating that an official ISO 3166‐1 alpha‐2 code has not been assigned.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>i</span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>. 
Certificate Field: subject:organizationalUnitName<span class=apple-converted-space> </span><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Optional.<span class=apple-converted-space> </span><o:p></o:p></span></p></div><div><p class=MsoNormal><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Contents:<span class=apple-converted-space> </span></span></u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName,<span class=apple-converted-space> </span><u>subject:givenName, subject:surname,<span class=apple-converted-space> </span></u>subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>7.1.6.1<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>…<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName,<span class=apple-converted-space> </span><u>givenName, surname,</u><span class=apple-converted-space> </span>streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.<o:p></o:p></span></p></div><div><p class=MsoNormal><span 
style='font-size:11.0pt;font-family:"Calibri",sans-serif'>…<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a></span><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>
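The field rules in the proposed 7.1.4.2.2 (c) to (h) and 7.1.6.1 text quoted above, written as a subject linter. This is an added example, not part of the e-mail thread or of any CA/Browser Forum text: the function name, the dictionary input format and the sample certificates are constructed, and the "Prohibited if ... absent" clauses are read as "none of organizationName, givenName, surname is present", which is an assumption.

```python
"""Lint subject attributes and policy OIDs against the quoted ballot text.

Added example: names, input format and samples are constructed for illustration.
"""

DV_OID = "2.23.140.1.2.1"  # 7.1.6.1 in the quoted text: no identity/address fields
IV_OID = "2.23.140.1.2.3"  # proposed 7.1.4.2.2(c): required with givenName/surname

IDENTITY = ("organizationName", "givenName", "surname")
ADDRESS = ("streetAddress", "localityName", "stateOrProvinceName", "postalCode")


def lint_subject(subject, policy_oids):
    """Return findings for a subject (attribute name -> value) and the set of
    certificatePolicies OIDs the certificate asserts."""
    present = {name for name, value in subject.items() if value}
    has_identity = any(attr in present for attr in IDENTITY)
    findings = []

    # Proposed (c): givenName or surname requires the 2.23.140.1.2.3 policy OID.
    if present & {"givenName", "surname"} and IV_OID not in policy_oids:
        findings.append(f"givenName/surname without policy {IV_OID}")

    # 7.1.6.1 as amended: 2.23.140.1.2.1 excludes identity and address fields.
    if DV_OID in policy_oids:
        for attr in IDENTITY + ADDRESS:
            if attr in present:
                findings.append(f"{attr} not allowed with policy {DV_OID}")

    if has_identity:
        # (h): countryName is required; (e)/(f): locality or state is required.
        if "countryName" not in present:
            findings.append("countryName required when identity fields present")
        if not present & {"localityName", "stateOrProvinceName"}:
            findings.append("localityName or stateOrProvinceName required")
    else:
        # (d) to (g), assumed reading: address fields need an identity field.
        for attr in ADDRESS:
            if attr in present:
                findings.append(f"{attr} prohibited without identity fields")
    return findings


# Constructed sample subjects (not taken from real certificates).
SAMPLES = {
    "individual": ({"givenName": "Alice", "surname": "Example",
                    "localityName": "Lyon", "countryName": "FR"}, {IV_OID}),
    # Person's name carried in O: the field rules alone raise nothing, so they
    # cannot show under which section the name was validated.
    "name_in_o": ({"organizationName": "Alice Example",
                   "localityName": "Lyon", "countryName": "FR"}, {IV_OID}),
    "dv_with_name": ({"commonName": "example.com", "givenName": "Alice",
                      "surname": "Example"}, {DV_OID}),
}


def run_samples():
    """Lint every constructed sample and return findings keyed by sample name."""
    return {name: lint_subject(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "OK")
```
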