<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><font face="Calibri">But givenName and surname are not sufficient
        to specify an identity. How many Robert Smiths exist in the UK/US/CA?
        (Or Mario Rossis in Italy, for that matter.)<br>
      </font></p>
    <p><font face="Calibri">If I want to know who's behind a web
        site whose SSL cert contains givenName=John, surname=Doe, I am none
        the wiser.<br>
      </font></p>
    <br>
    <div class="moz-cite-prefix">On 23/08/2016 20:02, Bruce Morton
      wrote:<br>
    </div>
    <blockquote
cite="mid:04dc1a6b6f5645d598069c4761f4d42a@PMSPEX04.corporate.datacard.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">OK, thanks.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Bruce.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Jeremy Rowley
              [<a class="moz-txt-link-freetext" href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>] <br>
              <b>Sent:</b> Monday, August 22, 2016 6:16 PM<br>
              <b>To:</b> Bruce Morton <a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a>;
              <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
              <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US">What
            do you mean by definition? I consider IV v. OV well defined
            because of the meaning associated with the OID inserted into
            the cert. Section 7.1.6.1 states “ </span>{joint‐iso‐itu‐t(2)
          international‐organizations(23) ca‐browser‐forum(140)
          certificate‐policies(1) baseline‐requirements(2)
          individual‐validated(3)} (2.23.140.1.2.3), if the Certificate
          complies with these Requirements and includes Subject Identity
          Information that is verified in accordance with Section
          3.2.3.” Section 3.2.3 is verification of an individual whereas
          Section 3.2.2 is verification of an organization.  <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Jeremy<span
            style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
              style="mso-fareast-language:EN-US"><o:p> </o:p></span></a></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Bruce Morton [<a
                moz-do-not-send="true"
                href="mailto:Bruce.Morton@entrust.com">mailto:Bruce.Morton@entrust.com</a>]
              <br>
              <b>Sent:</b> Monday, August 22, 2016 6:11 AM<br>
              <b>To:</b> Jeremy Rowley <<a moz-do-not-send="true"
                href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>;
              <a moz-do-not-send="true"
                href="mailto:public@cabforum.org">public@cabforum.org</a><br>
              <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Hi Jeremy,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">My
            apologies, but can you clarify the section where IV certs
            are well defined? I see that “individual-validated” is
            stated twice in sections 1.2 and 7.1.6.1 (the same for
            domain-validated and organization-validated), but I can’t
            find the definition.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Thanks,
            Bruce.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Jeremy Rowley [<a
                moz-do-not-send="true"
                href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>]
              <br>
              <b>Sent:</b> Saturday, August 20, 2016 10:41 AM<br>
              <b>To:</b> Bruce Morton <<a moz-do-not-send="true"
                href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>;
              <a moz-do-not-send="true"
                href="mailto:public@cabforum.org">public@cabforum.org</a><br>
              <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hey
            Bruce – IV certs are well defined. The goal of the ballot
            isn’t to further define IV certs but to permit use of the
            givenName and surname fields for IV certs. givenName and
            surname in the org field would be allowed. They’d still use
            the IV OIDs as they were validated under the IV section of
            the CP.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Bruce Morton [<a
                moz-do-not-send="true"
                href="mailto:Bruce.Morton@entrust.com">mailto:Bruce.Morton@entrust.com</a>]
              <br>
              <b>Sent:</b> Friday, August 19, 2016 6:41 AM<br>
              <b>To:</b> Jeremy Rowley <<a moz-do-not-send="true"
                href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>;
              <a moz-do-not-send="true"
                href="mailto:public@cabforum.org">public@cabforum.org</a><br>
              <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Hi Jeremy,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Would like
            some clarification. On the call yesterday, it was said that
            IV certificates were not defined, so this ballot will help
            resolve this.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Per
            7.1.4.2.2 b, the current BRs allow givenName and surname to
            be included in the organizationName field. Will this still
            be allowed? If so, what would the certificate type be? OV or
            IV? I would prefer that these be OV certificates.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">If we do
            make the changes and the CAs have to meet Microsoft’s
            requirement to put a DV, OV, or IV certificate policy in the
            certificate, I think we should clearly define each
            certificate type.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Also, the
            stateOrProvinceName field appears to currently have an issue
            as it does not have any language to address the case where
            there is no state or province in the address.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US">Thanks,
            Bruce.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true"
                href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
              [<a moz-do-not-send="true"
                href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
              <b>On Behalf Of </b>Jeremy Rowley<br>
              <b>Sent:</b> Thursday, August 18, 2016 12:09 PM<br>
              <b>To:</b> <a moz-do-not-send="true"
                href="mailto:public@cabforum.org">public@cabforum.org</a><br>
              <b>Subject:</b> [cabfpub] givenName and surname revived<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Looking for two endorsers for the following
          revisions the baseline requirements adding support for
          givenName and surname:<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Insert a new (C) under 7.1.4.2.2,
          renumbering all subsequent bullets. <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>c. <b>Certificate Field</b>:
            subject:givenName (2.5.4.42) and subject:surname (2.5.4.4)<o:p></o:p></u></p>
        <p class="MsoNormal"><b><u>Optional. <o:p></o:p></u></b></p>
        <p class="MsoNormal"><b><u>Contents:  </u></b><u>If present, the
            subject:givenName field and subject:surname field MUST
            contain a natural person Subject’s name as verified under
            Section 3.2.3. A Certificate containing a subject:givenName
            field or subject:surname field MUST contain the
            (2.23.140.1.2.3) Certificate Policy OID</u>.<u><o:p></o:p></u></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>d.</u> Certificate Field: Number and
          street: subject:streetAddress (OID: 2.5.4.9) <o:p></o:p></p>
        <p class="MsoNormal">    Optional if the
          subject:organizationName field<u>, subject: givenName field,
            or subject:surname field are</u> <s>is</s> present.
          Prohibited if the subject:organizationName field<u>,
            subject:givenName, and subject:surname field are</u><s> is</s>
          absent.<o:p></o:p></p>
        <p class="MsoNormal">   Contents: If present, the
          subject:streetAddress field MUST contain the Subject’s street
          address information as verified under Section 3.2.2.1. <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>e</u>. Certificate Field:
          subject:localityName (OID: 2.5.4.7) <o:p></o:p></p>
        <p class="MsoNormal">Required if the subject:organizationName
          field, <u>subject:givenName field, or subject:surname field
            are</u> <s>is</s> present and the
          subject:stateOrProvinceName field is absent. Optional if the<u>
            subject:stateOrProvinceName field and the
            subject:organizationName field, subject:givenName field, or
            subject:surname  </u>field are present. Prohibited if the
          subject:organizationName field, <u>subject:givenName, and
            subject:surname field are </u><s>is</s> absent. <o:p></o:p></p>
        <p class="MsoNormal">Contents: If present, the
          subject:localityName field MUST contain the Subject’s locality
          information as verified under Section 3.2.2.1. If the
          subject:countryName field specifies the ISO 3166‐1
          user‐assigned code of XX in accordance with Section
          7.1.4.2.2(g), the localityName field MAY contain the Subject’s
          locality and/or state or province information as verified
          under Section 3.2.2.1. <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>f</u>. Certificate Field:
          subject:stateOrProvinceName (OID: 2.5.4.8) <o:p></o:p></p>
        <p class="MsoNormal">Required if the subject:organizationName
          field, <u>subject:givenName field, or subject:surname
            field are</u> <s>is </s>present and <u>the </u>subject:localityName
          field is absent. Optional if the <u>subject:localityName
            field and the subject:organizationName field, the
            subject:givenName field, or subject:surname field</u> are
          present. Prohibited if the subject:organizationName field, <u>subject:givenName
            field, or subject:surname field </u>are<s> is</s> absent.
          Contents: If present, the subject:stateOrProvinceName field
          MUST contain the Subject’s state or province information as
          verified under Section 3.2.2.1. If the subject:countryName
          field specifies the ISO 3166‐1 user‐assigned code of XX in
          accordance with Section 7.1.4.2.2(g), the
          subject:stateOrProvinceName field MAY contain the full name of
          the Subject’s country information as verified under Section
          3.2.2.1.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>g</u>. Certificate Field:
          subject:postalCode (OID: 2.5.4.17)<o:p></o:p></p>
        <p class="MsoNormal">Optional if the subject:organizationName, <u>subject:givenName
            field, or subject:surname</u> fields <u>are</u> <s>is</s>
          present. Prohibited if the subject:organizationName field, <u>subject:givenName
            field, or subject:surname field are </u><s>is</s> absent. <o:p></o:p></p>
        <p class="MsoNormal">Contents: If present, the
          subject:postalCode field MUST contain the Subject’s zip or
          postal information as verified under Section 3.2.2.1. <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>h</u>. Certificate Field:
          subject:countryName (OID: 2.5.4.6) <o:p></o:p></p>
        <p class="MsoNormal">Required if the subject:organizationName
          field, <u>subject:givenName, or subject:surname field</u> is
          present. Optional if the subject:organizationName field, <u>subject:givenName
            field</u>, and  <u>subject:surname field are</u> <s>is</s>
          absent. <o:p></o:p></p>
        <p class="MsoNormal">Contents: If the subject:organizationName
          field is present, the subject:countryName MUST contain the
          two‐letter ISO 3166‐1 country code associated with the
          location of the Subject verified under Section 3.2.2.1. If the
          subject:organizationName, <u>subject:givenName field, and
            subject:surname</u>  field <u>are</u> <s> is </s>absent,
          the subject:countryName field MAY contain the two‐letter ISO
          3166‐1 country code associated with the Subject as verified in
          accordance with Section 3.2.2.3. If a Country is not
          represented by an official ISO 3166‐1 country code, the CA MAY
          specify the ISO 3166‐1 user‐assigned code of XX indicating
          that an official ISO 3166‐1 alpha‐2 code has not been
          assigned.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><u>i</u>. Certificate Field:
          subject:organizationalUnitName <o:p></o:p></p>
        <p class="MsoNormal">Optional. <o:p></o:p></p>
        <p class="MsoNormal"><u>Contents: </u>The CA SHALL implement a
          process that prevents an OU attribute from including a name,
          DBA, tradename, trademark, address, location, or other text
          that refers to a specific natural person or Legal Entity
          unless the CA has verified this information in accordance with
          Section 3.2 and the Certificate also contains
          subject:organizationName, <u>subject:givenName,
            subject:surname, </u>subject:localityName, and
          subject:countryName attributes, also verified in accordance
          with Section 3.2.2.1.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">7.1.6.1<o:p></o:p></p>
        <p class="MsoNormal">…<o:p></o:p></p>
        <p class="MsoNormal">If the Certificate asserts the policy
          identifier of 2.23.140.1.2.1, then it MUST NOT include
          organizationName, <u>givenName, surname,</u> streetAddress,
          localityName, stateOrProvinceName, or postalCode in the
          Subject field.<o:p></o:p></p>
        <p class="MsoNormal">…<o:p></o:p></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <p style="font-family: Serif">
        Kind regards,<br>
        <br>
        Adriano Santoni<br>
        ACTALIS S.p.A.<br>
        (Aruba Group)</p>
    </div>
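    <p>The subject-field rules in the ballot text quoted above (proposed 7.1.4.2.2 c-h and the 7.1.6.1 restriction for the DV policy), encoded as a small profile check. This is an added example, not CA/Browser Forum or DigiCert code; it assumes the Subject has already been parsed into a dictionary of attribute names, and <code>check_subject</code>, the sample Subjects and their values are constructed for the illustration.</p>

```python
"""Subject-profile check for the field rules in the ballot text quoted above
(proposed 7.1.4.2.2 c-h and the 7.1.6.1 restriction for the DV policy).
Added illustration, not CA/Browser Forum or DigiCert code: attribute names and
policy OIDs come from the ballot text; helper names and samples are constructed."""

# Certificate Policy OIDs named in the ballot text.
POLICY_DV = "2.23.140.1.2.1"   # domain-validated
POLICY_IV = "2.23.140.1.2.3"   # individual-validated

# Attributes that make a Subject "identified" under the proposed wording.
IDENTITY_ATTRS = ("organizationName", "givenName", "surname")
# Attributes the proposed 7.1.6.1 text forbids when the DV policy is asserted.
DV_FORBIDDEN = IDENTITY_ATTRS + ("streetAddress", "localityName",
                                 "stateOrProvinceName", "postalCode")


def check_subject(subject, policies):
    """subject: {attribute name: value}; policies: set of asserted policy OIDs.
    Returns a list of rule violations; an empty list means the Subject fits."""
    present = {name for name, value in subject.items() if value}
    has_identity = any(a in present for a in IDENTITY_ATTRS)
    violations = []

    # (c): givenName/surname may only appear with the IV policy OID.
    if present & {"givenName", "surname"} and POLICY_IV not in policies:
        violations.append("givenName/surname require policy " + POLICY_IV)

    # (d), (g): street address and postal code need an identity attribute.
    for attr in ("streetAddress", "postalCode"):
        if attr in present and not has_identity:
            violations.append(attr + " prohibited without identity attributes")

    # (e), (f): with an identity attribute, at least one of localityName and
    # stateOrProvinceName is required; without one, both are prohibited.
    loc_attrs = {"localityName", "stateOrProvinceName"}
    if has_identity and not present & loc_attrs:
        violations.append("localityName or stateOrProvinceName required")
    if not has_identity:
        for attr in sorted(present & loc_attrs):
            violations.append(attr + " prohibited without identity attributes")

    # (h): countryName is required whenever an identity attribute is present.
    if has_identity and "countryName" not in present:
        violations.append("countryName required with identity attributes")

    # 7.1.6.1: a DV certificate carries none of the identity/address fields.
    if POLICY_DV in policies:
        for attr in DV_FORBIDDEN:
            if attr in present:
                violations.append(attr + " not permitted with policy " + POLICY_DV)
    return violations


# Constructed sample Subjects (not taken from real certificates).
IV_SUBJECT = {"givenName": "John", "surname": "Doe",
              "localityName": "Milano", "countryName": "IT"}
DV_SUBJECT_WITH_ORG = {"organizationName": "Example Ltd",
                       "localityName": "London", "countryName": "GB"}

if __name__ == "__main__":
    print(check_subject(IV_SUBJECT, {POLICY_IV}))          # no violations
    print(check_subject(IV_SUBJECT, set()))                # IV OID missing
    print(check_subject(DV_SUBJECT_WITH_ORG, {POLICY_DV})) # org fields under DV
```

A Subject that passes is only as identifying as the attributes a CA actually verified; the check is structural, not a uniqueness test of the name it carries.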
  </body>
</html>