<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria-BoldItalic;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Cambria-Bold;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">On our recent teleconference, the Forum discussed what happens when there is a conflict between the naming requirements of the Baseline Requirements (generally at BR 7.1.4) and a conflicting local or national requirement. The current issue
will be discussed in the Minutes for the August 18 teleconference once approved, but it did occur to some of us that this kind of issue will arise again in the future.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One place where if could arise is with the EU�$B!G�(Bs eIDAS requirements. See
<a href="https://en.wikipedia.org/wiki/EIDAS">https://en.wikipedia.org/wiki/EIDAS</a>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This email is not about eIDAS, but is intended to pose a simple question (mainly to the browsers): if a CA wants to include a new OID of its choosing in a certificate (such as a specified eIDAS OID that means �$B!H�(BThis certificate complies
with eIDAS regulations�$B!I�(B), is there any reason not to allow that? I understand that the browsers may choose to ignore such a new OID (for example, the browsers may decide �$B!H�(Bwe will not give this eIDAS OID cert any special UI in the browser), but is there any
technical reason for prohibiting CAs from including such extra OIDs in their certificates if they want to? Do we need to limit what OIDs can be included in an end-entity certificate – and if so, why?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I think Jody gave me an explanation of why extra OIDs could be problematic for Windows, but I can�$B!G�(Bt remember what it was.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What about Apple, Mozilla, Google? Any problems with CAs including an extra OID in a certificate?
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If there are no problems, I think we should perhaps amend the BRs to make it clear extra OIDs are permitted.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:12.0pt;font-family:"Cambria-BoldItalic",serif">BR 1.2. DOCUMENT NAME AND IDENTIFICATION<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">This certificate policy (CP) contains the requirements for the issuance and management of publicly�$B!>�(Btrusted<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">SSL certificates, as adopted by the CA/Browser Forum.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">The following Certificate Policy identifiers are reserved for use by CAs as an optional means of asserting<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">compliance with this CP (OID arc 2.23.140.1.2) as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baselinerequirements(<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">2) domain�$B!>�(Bvalidated(1)} (2.23.140.1.2.1);<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baselinerequirements(<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">2) organization�$B!>�(Bvalidated(2)} (2.23.140.1.2.2); and<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1) baselinerequirements(<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">2) individual�$B!>�(Bvalidated(3)} (2.23.140.1.2.3).<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:12.0pt;font-family:"Cambria-BoldItalic",serif"><o:p> </o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:12.0pt;font-family:"Cambria-BoldItalic",serif">7.1.2.4. All Certificates<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">specified in section 7.1.2.1, 7.1.2.2, or 7.1.2.3 unless the CA is aware of a reason for including the data in the<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">Certificate.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">CAs SHALL NOT issue a Certificate with:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">a. Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">value for a service that is only valid in the context of a privately managed network), unless:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">i. such value falls within an OID arc for which the Applicant demonstrates ownership, or<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">b. semantics that, if included, will mislead a Relying Party about the certificate information verified by<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">the CA (such as including extendedKeyUsage value for a smart card, where the CA is not able to verify<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Cambria",serif">that the corresponding Private Key is confined to such hardware due to remote issuance).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Cambria",serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:12.0pt;font-family:"Cambria-Bold",serif">7.1.6. Certificate Policy Object Identifier<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:12.0pt;font-family:"Cambria-BoldItalic",serif">7.1.6.1. Reserved Certificate Policy Identifiers<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">This section describes the content requirements for the Root CA, Subordinate CA, and Subscriber Certificates,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">as they relate to the identification of Certificate Policy.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">The following Certificate Policy identifiers are reserved for use by CAs as an optional means of asserting<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">compliance with these Requirements as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">baseline�$B!>�(Brequirements(2) domain�$B!>�(Bvalidated(1)} (2.23.140.1.2.1), if the Certificate complies with<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">these Requirements but lacks Subject Identity Information that is verified in accordance with Section<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">3.2.2.1 or Section 3.2.3.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">baseline�$B!>�(Brequirements(2) organization�$B!>�(Bvalidated(2)} (2.23.140.1.2.2), if the Certificate complies with<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">these Requirements and includes Subject Identity Information that is verified in accordance with<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">Section 3.2.2.1.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">{joint�$B!>�(Biso�$B!>�(Bitu�$B!>�(Bt(2) international�$B!>�(Borganizations(23) ca�$B!>�(Bbrowser�$B!>�(Bforum(140) certificate�$B!>�(Bpolicies(1)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">baseline�$B!>�(Brequirements(2) individual�$B!>�(Bvalidated(3)} (2.23.140.1.2.3), if the Certificate complies with<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">these Requirements and includes Subject Identity Information that is verified in accordance with<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">Section 3.2.3.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field. If the Certificate<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">field.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:12.0pt;font-family:"Cambria-BoldItalic",serif"><o:p> </o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:12.0pt;font-family:"Cambria-BoldItalic",serif">7.1.6.4. Subscriber Certificates<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">in the Certificate�$B!G�(Bs certificatePolicies extension that indicates adherence to and compliance with these<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">Requirements. CAs complying with these Requirements MAY also assert one of the reserved policy OIDs in<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">such Certificates.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">The issuing CA SHALL document in its Certificate Policy or Certification Practice Statement that the<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">Certificates it issues containing the specified policy identifier(s) are managed in accordance with these<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Cambria",serif">Requirements.</span><o:p></o:p></p>
</div>
</body>
</html>