<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">But givenName and surname are not sufficient
to specify an identity. How many Robert Smiths exist in the UK/US/CA?
(or Mario Rossis in Italy, for that matter).<br>
</font></p>
<p><font face="Calibri">If I want to know who's behind a web
site whose SSL cert contains givenName=John, surname=Doe, I am none
the wiser.<br>
</font></p>
<br>
<div class="moz-cite-prefix">On 23/08/2016 20:02, Bruce Morton
wrote:<br>
</div>
<blockquote
cite="mid:04dc1a6b6f5645d598069c4761f4d42a@PMSPEX04.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">OK, thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Jeremy Rowley
[<a class="moz-txt-link-freetext" href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>] <br>
<b>Sent:</b> Monday, August 22, 2016 6:16 PM<br>
<b>To:</b> Bruce Morton <a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">What
do you mean by definition? I consider IV v. OV well defined
because of the meaning associated with the OID inserted into
the cert. Section 7.1.6.1 states “</span>{joint‐iso‐itu‐t(2)
international‐organizations(23) ca‐browser‐forum(140)
certificate‐policies(1) baseline‐requirements(2)
individual‐validated(3)} (2.23.140.1.2.3), if the Certificate
complies with these Requirements and includes Subject Identity
Information that is verified in accordance with Section
3.2.3.” Section 3.2.3 is verification of an individual whereas
Section 3.2.2 is verification of an organization. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jeremy<span
style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span
style="mso-fareast-language:EN-US"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton [<a
moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com">mailto:Bruce.Morton@entrust.com</a>]
<br>
<b>Sent:</b> Monday, August 22, 2016 6:11 AM<br>
<b>To:</b> Jeremy Rowley <<a moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>;
<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Hi Jeremy,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">My
apologies, but can you clarify the section where IV certs
are well defined? I see that “individual-validated” is
stated twice in sections 1.2 and 7.1.6.1 (the same for
domain-validated and organization-validated), but I can’t
find the definition.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Thanks,
Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Jeremy Rowley [<a
moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>]
<br>
<b>Sent:</b> Saturday, August 20, 2016 10:41 AM<br>
<b>To:</b> Bruce Morton <<a moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>;
<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hey
Bruce – IV certs are well defined. The goal of the ballot
isn’t to further define IV certs but to permit use of the
givenName and surname fields for IV certs. givenName and
surname in the org field would be allowed. They’d still use
the IV OIDs as they were validated under the IV section of
the CP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton [<a
moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com">mailto:Bruce.Morton@entrust.com</a>]
<br>
<b>Sent:</b> Friday, August 19, 2016 6:41 AM<br>
<b>To:</b> Jeremy Rowley <<a moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>;
<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Hi Jeremy,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Would like
some clarification. On the call yesterday, it was said that
IV certificates were not defined, so this ballot will help
resolve this.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Per
7.1.4.2.2 b, the current BRs allow givenName and surname to
be included in the organizationName field. Will this still
be allowed? If so, what would the certificate type be? OV or
IV? I would prefer that these be OV certificates.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">If we do
make the changes and the CAs have to meet Microsoft’s
requirement to put a DV, OV, or IV certificate policy in the
certificate, I think we should clearly define each
certificate type.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Also, the
stateOrProvinceName field appears to currently have an issue
as it does not have any language to address the case where
there is no state or province in the address.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Thanks,
Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Jeremy Rowley<br>
<b>Sent:</b> Thursday, August 18, 2016 12:09 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] givenName and surname revived<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Looking for two endorsers for the following
revisions to the Baseline Requirements adding support for
givenName and surname:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Insert a new (C) under 7.1.4.2.2,
renumbering all subsequent bullets. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>c. <b>Certificate Field</b>:
subject:givenName (2.5.4.42) and subject:surname (2.5.4.4)<o:p></o:p></u></p>
<p class="MsoNormal"><b><u>Optional. <o:p></o:p></u></b></p>
<p class="MsoNormal"><b><u>Contents: </u></b><u>If present, the
subject:givenName field and subject:surname field MUST
contain a natural person Subject’s name as verified under
Section 3.2.3. A Certificate containing a subject:givenName
field or subject:surname field MUST contain the
(2.23.140.1.2.3) Certificate Policy OID</u>.<u><o:p></o:p></u></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>d.</u> Certificate Field: Number and
street: subject:streetAddress (OID: 2.5.4.9) <o:p></o:p></p>
<p class="MsoNormal"> Optional if the
subject:organizationName field<u>, subject:givenName field,
or subject:surname field are</u> <s>is</s> present.
Prohibited if the subject:organizationName field<u>,
subject:givenName, and subject:surname field are</u><s> is</s>
absent.<o:p></o:p></p>
<p class="MsoNormal"> Contents: If present, the
subject:streetAddress field MUST contain the Subject’s street
address information as verified under Section 3.2.2.1. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>e</u>. Certificate Field:
subject:localityName (OID: 2.5.4.7) <o:p></o:p></p>
<p class="MsoNormal">Required if the subject:organizationName
field, <u>subject:givenName field, or subject:surname field
are</u> <s>is</s> present and the
subject:stateOrProvinceName field is absent. Optional if the<u>
subject:stateOrProvinceName field and the
subject:organizationName field, subject:givenName field, or
subject:surname </u>field are present. Prohibited if the
subject:organizationName field, <u>subject:givenName, and
subject:surname field are </u><s>is</s> absent. <o:p></o:p></p>
<p class="MsoNormal">Contents: If present, the
subject:localityName field MUST contain the Subject’s locality
information as verified under Section 3.2.2.1. If the
subject:countryName field specifies the ISO 3166‐1
user‐assigned code of XX in accordance with Section
7.1.4.2.2(g), the localityName field MAY contain the Subject’s
locality and/or state or province information as verified
under Section 3.2.2.1. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>f</u>. Certificate Field:
subject:stateOrProvinceName (OID: 2.5.4.8) <o:p></o:p></p>
<p class="MsoNormal">Required if the subject:organizationName
field, <u>subject:givenName field, or subject:surname
field are</u> <s>is </s>present and <u>the </u>subject:localityName
field is absent. Optional if the <u>subject:localityName
field and the subject:organizationName field, the
subject:givenName field, or subject:surname field</u> are
present. Prohibited if the subject:organizationName field, <u>subject:givenName
field, or subject:surname field </u>are<s> is</s> absent.
Contents: If present, the subject:stateOrProvinceName field
MUST contain the Subject’s state or province information as
verified under Section 3.2.2.1. If the subject:countryName
field specifies the ISO 3166‐1 user‐assigned code of XX in
accordance with Section 7.1.4.2.2(g), the
subject:stateOrProvinceName field MAY contain the full name of
the Subject’s country information as verified under Section
3.2.2.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>g</u>. Certificate Field:
subject:postalCode (OID: 2.5.4.17)<o:p></o:p></p>
<p class="MsoNormal">Optional if the subject:organizationName, <u>subject:givenName
field, or subject:surname</u> fields <u>are</u> <s>is</s>
present. Prohibited if the subject:organizationName field, <u>subject:givenName
field, or subject:surname field are </u><s>is</s> absent. <o:p></o:p></p>
<p class="MsoNormal">Contents: If present, the
subject:postalCode field MUST contain the Subject’s zip or
postal information as verified under Section 3.2.2.1. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>h</u>. Certificate Field:
subject:countryName (OID: 2.5.4.6) <o:p></o:p></p>
<p class="MsoNormal">Required if the subject:organizationName
field, <u>subject:givenName, or subject:surname field</u> is
present. Optional if the subject:organizationName field, <u>subject:givenName
field</u>, and <u>subject:surname field are</u> <s>is</s>
absent. <o:p></o:p></p>
<p class="MsoNormal">Contents: If the subject:organizationName
field is present, the subject:countryName MUST contain the
two‐letter ISO 3166‐1 country code associated with the
location of the Subject verified under Section 3.2.2.1. If the
subject:organizationName, <u>subject:givenName field, and
subject:surname</u> field <u>are</u> <s> is </s>absent,
the subject:countryName field MAY contain the two‐letter ISO
3166‐1 country code associated with the Subject as verified in
accordance with Section 3.2.2.3. If a Country is not
represented by an official ISO 3166‐1 country code, the CA MAY
specify the ISO 3166‐1 user‐assigned code of XX indicating
that an official ISO 3166‐1 alpha‐2 code has not been
assigned.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>i</u>. Certificate Field:
subject:organizationalUnitName <o:p></o:p></p>
<p class="MsoNormal">Optional. <o:p></o:p></p>
<p class="MsoNormal"><u>Contents: </u>The CA SHALL implement a
process that prevents an OU attribute from including a name,
DBA, tradename, trademark, address, location, or other text
that refers to a specific natural person or Legal Entity
unless the CA has verified this information in accordance with
Section 3.2 and the Certificate also contains
subject:organizationName, <u>subject:givenName,
subject:surname, </u>subject:localityName, and
subject:countryName attributes, also verified in accordance
with Section 3.2.2.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">7.1.6.1<o:p></o:p></p>
<p class="MsoNormal">…<o:p></o:p></p>
<p class="MsoNormal">If the Certificate asserts the policy
identifier of 2.23.140.1.2.1, then it MUST NOT include
organizationName, <u>givenName, surname,</u> streetAddress,
localityName, stateOrProvinceName, or postalCode in the
Subject field.<o:p></o:p></p>
<p class="MsoNormal">…<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: Serif">
Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
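<p>As an added example (not code from this thread, the CA/Browser Forum or any CA), the following Python lint encodes the subject-field rules in the ballot text quoted above: bullets c to h of the proposed 7.1.4.2.2 and the 7.1.6.1 rule for the DV policy OID. It assumes a Subject modelled as a dict of attribute name to value and the asserted policies as a set of dotted OID strings; the sample Subject is constructed.</p>

```python
"""Lint a certificate Subject against the subject-field rules proposed in the
ballot text (7.1.4.2.2 bullets c-h and the 7.1.6.1 DV rule).  Added example,
not CA/Browser Forum or CA code; Subject modelled as {attribute: value}."""

BR_DV = "2.23.140.1.2.1"  # domain-validated policy OID (7.1.6.1 in the ballot)
BR_IV = "2.23.140.1.2.3"  # individual-validated policy OID (new bullet c)

# Attributes whose presence makes the Subject identify an organization or
# natural person under the ballot: organizationName, givenName or surname.
IDENTITY_ATTRS = ("organizationName", "givenName", "surname")
ADDRESS_ATTRS = ("streetAddress", "localityName", "stateOrProvinceName", "postalCode")


def lint_subject(subject: dict, policies: set) -> list:
    """Return the list of violations (empty when the Subject complies)."""
    def present(attr):
        return bool(subject.get(attr))

    has_identity = any(present(a) for a in IDENTITY_ATTRS)
    errors = []

    # Bullet c: givenName/surname MUST be accompanied by the IV policy OID.
    if (present("givenName") or present("surname")) and BR_IV not in policies:
        errors.append(f"givenName/surname present without IV policy OID {BR_IV}")

    # Bullets d-g: address attributes are prohibited when organizationName,
    # givenName and surname are all absent.
    for attr in ADDRESS_ATTRS:
        if present(attr) and not has_identity:
            errors.append(f"{attr} prohibited: no organizationName/givenName/surname")

    # Bullets e, f: with an identity attribute, localityName is required when
    # stateOrProvinceName is absent and vice versa, so at least one must exist.
    if has_identity and not (present("localityName") or present("stateOrProvinceName")):
        errors.append("localityName or stateOrProvinceName required")

    # Bullet h: countryName is required whenever an identity attribute is present.
    if has_identity and not present("countryName"):
        errors.append("countryName required with organizationName/givenName/surname")

    # 7.1.6.1: a Certificate asserting the DV policy MUST NOT carry any of these.
    if BR_DV in policies:
        for attr in IDENTITY_ATTRS + ADDRESS_ATTRS:
            if present(attr):
                errors.append(f"DV policy {BR_DV} asserted but Subject has {attr}")
    return errors


# Constructed sample Subject (not taken from any real certificate).
IV_SUBJECT = {"givenName": "John", "surname": "Doe", "localityName": "Springfield",
              "stateOrProvinceName": "Illinois", "countryName": "US"}

if __name__ == "__main__":
    print(lint_subject(IV_SUBJECT, {BR_IV}))  # [] : complies as an IV certificate
    print(lint_subject(IV_SUBJECT, {BR_DV}))  # five violations: no IV OID, DV forbids 4 attrs
```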
</body>
</html>