<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>eIDAS Article 3 (38):</p>
    <p>‘certificate for website authentication’ means an attestation
      that makes it possible to authenticate a website and links the
      website to the natural or legal person to whom the certificate is
      issued;<br>
    </p>
    Thanks,<br>
    M.D.<br>
    <br>
    <div class="moz-cite-prefix">On 8/24/2016 1:08 PM, Adriano Santoni
      wrote:<br>
    </div>
    <blockquote
      cite="mid:b6381f37-3edf-ffd7-56af-cb6855c843c7@staff.aruba.it"
      type="cite">
      <p><font face="Calibri">But givenName and surname are not
          sufficient to specify an identity. How many Robert Smiths
          exist in the UK/US/CA? (Or Mario Rossi in Italy, for that matter.)<br>
        </font></p>
      <p><font face="Calibri">If I want to know who's behind a web
          site whose SSL cert contains givenName=John, surname=Doe, I am
          none the wiser.<br>
        </font></p>
      <br>
      <div class="moz-cite-prefix">On 23/08/2016 20:02, Bruce Morton
        wrote:<br>
      </div>
      <blockquote
cite="mid:04dc1a6b6f5645d598069c4761f4d42a@PMSPEX04.corporate.datacard.com"
        type="cite">
        <div class="WordSection1">
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">OK,
              thanks.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Bruce.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Jeremy Rowley [<a
                  moz-do-not-send="true" class="moz-txt-link-freetext"
                  href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>]
                <br>
                <b>Sent:</b> Monday, August 22, 2016 6:16 PM<br>
                <b>To:</b> Bruce Morton <a moz-do-not-send="true"
                  class="moz-txt-link-rfc2396E"
                  href="mailto:Bruce.Morton@entrust.com">&lt;Bruce.Morton@entrust.com&gt;</a>;
                <a moz-do-not-send="true"
                  class="moz-txt-link-abbreviated"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><span style="mso-fareast-language:EN-US">What
              do you mean by definition? I consider IV v. OV well
              defined because of the meaning associated with the OID
              inserted into the cert. Section 7.1.6.1 states “</span>{joint‐iso‐itu‐t(2)
            international‐organizations(23) ca‐browser‐forum(140)
            certificate‐policies(1) baseline‐requirements(2)
            individual‐validated(3)} (2.23.140.1.2.3), if the
            Certificate complies with these Requirements and includes
            Subject Identity Information that is verified in accordance
            with Section 3.2.3.” Section 3.2.3 is verification of an
            individual whereas Section 3.2.2 is verification of an
            organization.<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">Jeremy<span
              style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
          <p class="MsoNormal"><a moz-do-not-send="true"
              name="_MailEndCompose"><span
                style="mso-fareast-language:EN-US"><o:p> </o:p></span></a></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Bruce Morton [<a
                  moz-do-not-send="true"
                  href="mailto:Bruce.Morton@entrust.com">mailto:Bruce.Morton@entrust.com</a>]
                <br>
                <b>Sent:</b> Monday, August 22, 2016 6:11 AM<br>
                <b>To:</b> Jeremy Rowley &lt;<a moz-do-not-send="true"
                  href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt;;
                <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Hi
              Jeremy,<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">My
              apologies, but can you clarify the section where IV certs
              are well defined? I see that “individual-validated” is
              stated twice in sections 1.2 and 7.1.6.1 (the same for
              domain-validated and organization-validated), but I can’t
              find the definition.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Thanks,
              Bruce.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Jeremy Rowley [<a
                  moz-do-not-send="true"
                  href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>]
                <br>
                <b>Sent:</b> Saturday, August 20, 2016 10:41 AM<br>
                <b>To:</b> Bruce Morton &lt;<a moz-do-not-send="true"
                  href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>&gt;;
                <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hey
              Bruce – IV certs are well defined. The goal of the ballot
              isn’t to further define IV certs but to permit use of the
              givenName and surname fields for IV certs. givenName and
              surname in the org field would be allowed. They’d still
              use the IV OIDs as they were validated under the IV
              section of the CP.<o:p></o:p></span></p>
          <p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Bruce Morton [<a
                  moz-do-not-send="true"
                  href="mailto:Bruce.Morton@entrust.com">mailto:Bruce.Morton@entrust.com</a>]
                <br>
                <b>Sent:</b> Friday, August 19, 2016 6:41 AM<br>
                <b>To:</b> Jeremy Rowley &lt;<a moz-do-not-send="true"
                  href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt;;
                <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: givenName and surname revived<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Hi
              Jeremy,<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Would
              like some clarification. On the call yesterday, it was
              said that IV certificates were not defined, so this ballot
              will help resolve this.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Per
              7.1.4.2.2 b, the current BRs allow givenName and surname
              to be included in the organizationName field. Will this
              still be allowed? If so, what would the certificate type
              be? OV or IV? I would prefer that these be OV
              certificates.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">If we do
              make the changes and the CAs have to meet Microsoft’s
              requirement to put a DV, OV, or IV certificate policy in
              the certificate, I think we should clearly define each
              certificate type.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Also, the
              stateOrProvinceName field appears to currently have an
              issue as it does not have any language to address the case
              where there is no state or province in the address.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US">Thanks,
              Bruce.<o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> <a
                  moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                [<a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                <b>On Behalf Of </b>Jeremy Rowley<br>
                <b>Sent:</b> Thursday, August 18, 2016 12:09 PM<br>
                <b>To:</b> <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> [cabfpub] givenName and surname revived<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">Looking for two endorsers for the
            following revisions to the Baseline Requirements adding support
            for givenName and surname:<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">Insert a new (C) under 7.1.4.2.2,
            renumbering all subsequent bullets. <o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>c. <b>Certificate Field</b>:
              subject:givenName (2.5.4.42) and subject:surname (2.5.4.4)<o:p></o:p></u></p>
          <p class="MsoNormal"><b><u>Optional. <o:p></o:p></u></b></p>
          <p class="MsoNormal"><b><u>Contents: </u></b><u>If present,
              the subject:givenName field and subject:surname field MUST
              contain a natural person Subject’s name as verified under
              Section 3.2.3. A Certificate containing a
              subject:givenName field or subject:surname field MUST
              contain the (2.23.140.1.2.3) Certificate Policy OID</u>.<u><o:p></o:p></u></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>d.</u> Certificate Field: Number and
            street: subject:streetAddress (OID: 2.5.4.9) <o:p></o:p></p>
          <p class="MsoNormal">Optional if the
            subject:organizationName field<u>, subject:givenName field,
              or subject:surname field are</u> <s>is</s> present.
            Prohibited if the subject:organizationName field<u>,
              subject:givenName, and subject:surname field are</u><s> is</s>
            absent.<o:p></o:p></p>
          <p class="MsoNormal">Contents: If present, the
            subject:streetAddress field MUST contain the Subject’s
            street address information as verified under Section
            3.2.2.1. <o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>e</u>. Certificate Field:
            subject:localityName (OID: 2.5.4.7) <o:p></o:p></p>
          <p class="MsoNormal">Required if the subject:organizationName
            field, <u>subject:givenName field, or subject:surname field
              are</u> <s>is</s> present and the
            subject:stateOrProvinceName field is absent. Optional if the<u>
              subject:stateOrProvinceName field and the
              subject:organizationName field, subject:givenName field,
              or subject:surname </u>field are present. Prohibited if
            the subject:organizationName field, <u>subject:givenName,
              and subject:surname field are </u><s>is</s> absent. <o:p></o:p></p>
          <p class="MsoNormal">Contents: If present, the
            subject:localityName field MUST contain the Subject’s
            locality information as verified under Section 3.2.2.1. If
            the subject:countryName field specifies the ISO 3166‐1
            user‐assigned code of XX in accordance with Section
            7.1.4.2.2(g), the localityName field MAY contain the
            Subject’s locality and/or state or province information as
            verified under Section 3.2.2.1. <o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>f</u>. Certificate Field:
            subject:stateOrProvinceName (OID: 2.5.4.8) <o:p></o:p></p>
          <p class="MsoNormal">Required if the subject:organizationName
            field, <u>subject:givenName field, or subject:surname
              field are</u> <s>is </s>present and <u>the </u>subject:localityName
            field is absent. Optional if the <u>subject:localityName
              field and the subject:organizationName field, the
              subject:givenName field, or subject:surname field</u> are
            present. Prohibited if the subject:organizationName field, <u>subject:givenName
              field, or subject:surname field </u>are<s> is</s>
            absent.<o:p></o:p></p>
          <p class="MsoNormal">Contents: If present, the
            subject:stateOrProvinceName field MUST contain the Subject’s
            state or province information as verified under Section
            3.2.2.1. If the subject:countryName field specifies the ISO
            3166‐1 user‐assigned code of XX in accordance with Section
            7.1.4.2.2(g), the subject:stateOrProvinceName field MAY
            contain the full name of the Subject’s country information
            as verified under Section 3.2.2.1.<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>g</u>. Certificate Field:
            subject:postalCode (OID: 2.5.4.17)<o:p></o:p></p>
          <p class="MsoNormal">Optional if the subject:organizationName,
            <u>subject:givenName field, or subject:surname</u> fields <u>are</u>
            <s>is</s> present. Prohibited if the
            subject:organizationName field, <u>subject:givenName field,
              or subject:surname field are </u><s>is</s> absent. <o:p></o:p></p>
          <p class="MsoNormal">Contents: If present, the
            subject:postalCode field MUST contain the Subject’s zip or
            postal information as verified under Section 3.2.2.1. <o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>h</u>. Certificate Field:
            subject:countryName (OID: 2.5.4.6) <o:p></o:p></p>
          <p class="MsoNormal">Required if the subject:organizationName
            field, <u>subject:givenName, or subject:surname field</u>
            is present. Optional if the subject:organizationName field,
            <u>subject:givenName field</u>, and <u>subject:surname
              field are</u> <s>is</s> absent. <o:p></o:p></p>
          <p class="MsoNormal">Contents: If the subject:organizationName
            field is present, the subject:countryName MUST contain the
            two‐letter ISO 3166‐1 country code associated with the
            location of the Subject verified under Section 3.2.2.1. If
            the subject:organizationName, <u>subject:givenName field,
              and subject:surname</u> field <u>are</u> <s>is</s> absent,
            the subject:countryName field MAY contain the two‐letter ISO
            3166‐1 country code associated with the Subject as verified
            in accordance with Section 3.2.2.3. If a Country is not
            represented by an official ISO 3166‐1 country code, the CA
            MAY specify the ISO 3166‐1 user‐assigned code of XX
            indicating that an official ISO 3166‐1 alpha‐2 code has not
            been assigned.<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><u>i</u>. Certificate Field:
            subject:organizationalUnitName <o:p></o:p></p>
          <p class="MsoNormal">Optional. <o:p></o:p></p>
          <p class="MsoNormal"><u>Contents: </u>The CA SHALL implement
            a process that prevents an OU attribute from including a
            name, DBA, tradename, trademark, address, location, or other
            text that refers to a specific natural person or Legal
            Entity unless the CA has verified this information in
            accordance with Section 3.2 and the Certificate also
            contains subject:organizationName, <u>subject:givenName,
              subject:surname, </u>subject:localityName, and
            subject:countryName attributes, also verified in accordance
            with Section 3.2.2.1.<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">7.1.6.1<o:p></o:p></p>
          <p class="MsoNormal">…<o:p></o:p></p>
          <p class="MsoNormal">If the Certificate asserts the policy
            identifier of 2.23.140.1.2.1, then it MUST NOT include
            organizationName, <u>givenName, surname,</u> streetAddress,
            localityName, stateOrProvinceName, or postalCode in the
            Subject field.<o:p></o:p></p>
          <p class="MsoNormal">…<o:p></o:p></p>
          <p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Public mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
      </blockquote>
      <br>
      <div class="moz-signature">-- <br>
        <p style="font-family: Serif"> Kind regards,<br>
          <br>
          Adriano Santoni<br>
          ACTALIS S.p.A.<br>
          (Aruba Group)</p>
      </div>
      <br>
    </blockquote>
    <br>
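<p>The ballot text quoted in this thread amounts to a small rule set over the Subject field: givenName/surname imply the IV policy OID, address attributes are only allowed alongside an identity attribute, one of localityName or stateOrProvinceName plus countryName must accompany an identity attribute, and the DV policy OID (2.23.140.1.2.1) excludes all of them. The following is an added example, not CA/Browser Forum text or any CA's tooling, that lints a certificate Subject against that proposed wording. It represents the certificate as a plain dict (attribute name or dotted OID to value) plus the set of asserted policy OIDs, so the output of any X.509 parser can feed it; the organizationName OID 2.5.4.10 is the standard X.520 value and is not quoted in the thread, and every sample Subject and the CA-specific policy OID under 1.3.6.1.4.1.99999 are constructed.</p>

```python
"""Lint a TLS certificate Subject against the 7.1.4.2.2 / 7.1.6.1 wording
proposed in the ballot quoted in this thread.

Added example, not CA/Browser Forum text or any CA's tooling. The Subject
is a dict (attribute name or dotted OID -> value) plus a set of asserted
policy OIDs, so any X.509 parser can feed it. All sample values are constructed.
"""

# Policy OIDs quoted in the thread.
DV_OID = "2.23.140.1.2.1"   # domain-validated: 7.1.6.1 bans identity/address fields
IV_OID = "2.23.140.1.2.3"   # individual-validated: required with givenName/surname

# Attribute OIDs from the ballot text, plus organizationName (2.5.4.10,
# the standard X.520 OID, not quoted in the thread).
ATTR_OIDS = {
    "2.5.4.10": "organizationName",
    "2.5.4.42": "givenName",
    "2.5.4.4": "surname",
    "2.5.4.9": "streetAddress",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.17": "postalCode",
    "2.5.4.6": "countryName",
}

IDENTITY_FIELDS = {"organizationName", "givenName", "surname"}
ADDRESS_FIELDS = {"streetAddress", "localityName", "stateOrProvinceName", "postalCode"}


def normalize(subject):
    """Map dotted OIDs to the ballot's attribute names and drop empty values."""
    return {ATTR_OIDS.get(k, k): v for k, v in subject.items() if v}


def check_subject(subject, policy_oids):
    """Return a list of findings; an empty list means the Subject complies."""
    present = set(normalize(subject))
    identity = present & IDENTITY_FIELDS
    findings = []

    # (c) givenName/surname carry a natural person's name verified under
    # Section 3.2.3, so the IV policy OID must be asserted alongside them.
    if present & {"givenName", "surname"} and IV_OID not in policy_oids:
        findings.append("givenName/surname present but IV policy OID 2.23.140.1.2.3 not asserted")

    if identity:
        # (e)/(f) at least one of locality or state/province is required;
        # locality alone is fine, which covers addresses with no state/province.
        if not present & {"localityName", "stateOrProvinceName"}:
            findings.append("identity field present but neither localityName nor stateOrProvinceName present")
        # (h) countryName is required whenever an identity field is present.
        if "countryName" not in present:
            findings.append("identity field present but countryName absent")
    else:
        # (d)-(g) every address field is prohibited when organizationName,
        # givenName and surname are all absent.
        for f in sorted(present & ADDRESS_FIELDS):
            findings.append(f"{f} present but organizationName, givenName and surname are all absent")

    # 7.1.6.1: a DV policy OID excludes identity and address fields outright.
    if DV_OID in policy_oids:
        for f in sorted(present & (IDENTITY_FIELDS | ADDRESS_FIELDS)):
            findings.append(f"DV policy 2.23.140.1.2.1 asserted but {f} present")

    return findings


# Constructed sample Subjects; "1.3.6.1.4.1.99999.*" stands in for a CA's own policy OID.
SAMPLES = {
    "iv_ok": ({"givenName": "Mario", "surname": "Rossi", "localityName": "Milano",
               "countryName": "IT"}, {IV_OID}),
    "iv_missing_oid": ({"givenName": "John", "surname": "Doe", "stateOrProvinceName": "Utah",
                        "countryName": "US"}, {"1.3.6.1.4.1.99999.1.2"}),
    "dv_with_locality": ({"localityName": "Ottawa", "countryName": "CA"}, {DV_OID}),
    "org_no_place": ({"organizationName": "Example Org", "countryName": "GB"},
                     {"1.3.6.1.4.1.99999.1.1"}),
}


def run_samples():
    """Lint every sample and return {name: findings}."""
    return {name: check_subject(subj, pols) for name, (subj, pols) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

<p>The locality/state rule is deliberately satisfied by localityName alone, which is how the proposed text handles the case Bruce raises of an address with no state or province. Feeding real certificates only requires building the dict from the parser's Subject attributes (dotted OIDs are accepted) and the policy identifiers from the certificatePolicies extension.</p>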
  </body>
</html>