<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Right, the question is whether the Subject field value, presented
in accordance with id-etsi-qcs-SemanticsId, remains BR/EVG
compliant.</p>
Thanks,<br>
M.D.<br>
<br>
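<p>Added example, not part of the original message and not CA/Browser Forum or ETSI code: a Python check of a certificate Subject against the draft ballot rules quoted further down this thread (items c to h and 7.1.6.1), plus a shape check of the structured serialNumber described in the quoted reply. The attribute-dictionary input, the function names and the identifier-type list (recalled from EN 319 412-1 section 5.1.3) are assumptions, and "absent" is read as all three identity attributes being absent.</p>
<pre>
```python
import re

DV_OID = "2.23.140.1.2.1"  # policy OID named in the quoted 7.1.6.1 text
IV_OID = "2.23.140.1.2.3"  # individual-validated OID quoted in the thread

IDENTITY = ("organizationName", "givenName", "surname")
ADDRESS = ("streetAddress", "localityName", "stateOrProvinceName", "postalCode")

# Assumed layout (EN 319 412-1 section 5.1.3, recalled, not quoted on this page):
# identity type, ISO 3166 country code, hyphen, identifier.
NATURAL_ID = re.compile(r"^(PAS|IDC|PNO|TAX|TIN|[A-Z]{2}:)([A-Z]{2})-(.+)$")


def parse_natural_id(serial_number):
    """Split a structured serialNumber; return None for a CA-local value."""
    match = NATURAL_ID.match(serial_number)
    if match is None:
        return None
    return {"type": match.group(1), "country": match.group(2),
            "value": match.group(3)}


def lint_subject(subject, policy_oids):
    """Return findings for a subject (dict of attribute name to value)."""
    present = {name for name, value in subject.items() if value}
    identity = [name for name in IDENTITY if name in present]
    findings = []

    # Item c: a personal name requires the individual-validated policy OID.
    has_name = "givenName" in present or "surname" in present
    if has_name and IV_OID not in policy_oids:
        findings.append("c: givenName/surname without policy " + IV_OID)

    if identity:
        # Items e and f: with an identity, locality or state must be present.
        if "localityName" not in present and "stateOrProvinceName" not in present:
            findings.append("e/f: neither localityName nor stateOrProvinceName")
        # Item h: countryName is required once an identity is present.
        if "countryName" not in present:
            findings.append("h: countryName missing")
    else:
        # Items d to g: address attributes are prohibited without an identity.
        for name in ADDRESS:
            if name in present:
                findings.append("d-g: " + name + " without an identity attribute")

    # 7.1.6.1: the 2.23.140.1.2.1 policy excludes identity and address data.
    if DV_OID in policy_oids:
        for name in IDENTITY + ADDRESS:
            if name in present:
                findings.append("7.1.6.1: " + name + " under policy " + DV_OID)
    return findings


# Constructed sample using the name and serialNumber mentioned in the thread;
# the locality value is made up for the example.
SAMPLE = {
    "givenName": "Robert",
    "surname": "Smith",
    "serialNumber": "PASFR-07CL42154",
    "localityName": "Paris",
    "countryName": "FR",
}

if __name__ == "__main__":
    print(parse_natural_id(SAMPLE["serialNumber"]))
    print(lint_subject(SAMPLE, {IV_OID}))
    for finding in lint_subject(SAMPLE, {DV_OID}):
        print(finding)
```
</pre>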
<div class="moz-cite-prefix">On 8/29/2016 10:10 PM, Erwann Abalea
wrote:<br>
</div>
<blockquote
cite="mid:CA+i=0E4aC1PPvPz3TKqXFbs7H5dKJbvC1hjDShHc1pKdW+1KWg@mail.gmail.com"
type="cite">
<div dir="ltr">(sent from home, this will not go to public, unless
you forward it)
<div><br>
</div>
<div>It depends.</div>
<div><br>
</div>
<div>If the QCStatement extension declares the
id-etsi-qcs-SemanticsId-Natural semantics identifier, then
yes, the serialNumber will contain the passport number, IDcard
number, or other (there's a list in EN 319412-1). The data
contained in this attribute is structured. For example, for
me, this serialNumber will be "PASFR-07CL42154" if I present
my French passport. This information is not sensitive.<br>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">If there's no semantics identifier
declared in the QCStatements extension, or if this extension
is missing, the serialNumber is local to the CA. And of
course, a relying party would have to ask the CA to point to
the right "Robert Smith" individual.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">That doesn't fit well with web server
certificates... Even if the serialNumber contains a global
identifier (such as passport), the probability that as a
user I can compare the passport number found in the
certificate to the real passport number of Robert Smith is
hardly higher than zero.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-08-29 20:36 GMT+02:00 Kirk
Hall <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Kirk.Hall@entrust.com" target="_blank">Kirk.Hall@entrust.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Erwann,
you mention the serialNumber attribute for a
natural person – I assume this is not a Social
Security number or other sensitive information?
</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">But
if each CA assigns its own serialNumber for the
same (or different) “Robert Smith,” I don’t see
how a user can figure out which Robert Smith it
is dealing with…</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a
moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@<wbr>cabforum.org</a>]
<b>On Behalf Of </b>Erwann Abalea<br>
<b>Sent:</b> Friday, August 26, 2016 1:47 AM<br>
<b>To:</b> Moudrick M. Dadashov <<a
moz-do-not-send="true"
href="mailto:md@ssc.lt" target="_blank">md@ssc.lt</a>><br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] givenName and
surname revived</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">That’s easily done for a
certificate issued to a legal person if you
really need it:</p>
</div>
<div>
<p class="MsoNormal"> - EN 319412-4 asks you to
follow CABF BR or EVG, which don’t prevent you
from adding other attributes or extensions</p>
</div>
<div>
<p class="MsoNormal"> - add the
organizationIdentifier attribute formatted as
described in EN 319412-1 section 5.1.4</p>
</div>
<div>
<p class="MsoNormal"> - add a QCStatements
extension containing the qcStatement-2
QC-STATEMENT (as defined in RFC3739), and
populate the semanticsIdentifier element with
the id-etsi-qcs-SemanticsId-Legal OID</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Same goes for a certificate
issued to a natural person, just use the
serialNumber attribute instead of the
organizationIdentifier, fill it according to EN
319412-1 section 5.1.3, use
id-etsi-qcs-SemanticsId-<wbr>Natural OID as the
semantics identifier.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Of course, you’re not
REQUIRED to produce eIDAS compliant
certificates.</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Cordialement,</p>
</div>
<div>
<p class="MsoNormal">Erwann Abalea</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Le 24 août 2016 à 15:05,
Moudrick M. Dadashov <<a
moz-do-not-send="true"
href="mailto:md@ssc.lt" target="_blank">md@ssc.lt</a>>
a écrit :</p>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"
style="background:white;text-align:start;word-spacing:0px">
<span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">eIDAS
Article 3 (38):</span></p>
<p class="MsoNormal"
style="background:white;text-align:start;word-spacing:0px">
<span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">‘certificate
for website authentication’ means an
attestation that makes it possible to
authenticate a website and links the
website to the natural or legal person to
whom the certificate is issued;</span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;background:white">Thanks,</span><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<span style="background:white">M.D.</span><br
style="text-align:start;word-spacing:0px">
<br>
</span></p>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">On
8/24/2016 1:08 PM, Adriano Santoni
wrote:</span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt;text-align:start;word-spacing:0px">
<p class="MsoNormal"
style="background:white">
<span
style="font-size:9.0pt;font-family:"Calibri",sans-serif">But
givenName and surname are not sufficient
to specify an identity. How many Robert
Smiths exist in UK/US/CA? (or Mario
Rossi in Italy, as to that).</span><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"></span></p>
<p class="MsoNormal"
style="background:white">
<span
style="font-size:9.0pt;font-family:"Calibri",sans-serif">If
I would like to know who's behind a web
site whose SSL cert contains
givenName=John, surname=Doe, I am none
the wiser.</span><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"></span></p>
<p class="MsoNormal"
style="background:white"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span></p>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Il
23/08/2016 20:02, Bruce Morton ha
scritto:</span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">OK,
thanks.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Bruce.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"
style="background:white"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jeremy
Rowley [<a
moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com"
target="_blank"><span
style="color:#954f72">mailto:jeremy.rowley@<wbr>digicert.com</span></a>]<span> </span><br>
<b>Sent:</b><span> </span>Monday,
August 22, 2016 6:16 PM<br>
<b>To:</b><span> </span>Bruce
Morton<span> </span><a
moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com"
target="_blank"><span
style="color:#954f72"><Bruce.Morton@entrust.<wbr>com></span></a>;<span> </span><a
moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank"><span
style="color:#954f72">public@cabforum.org</span></a><br>
<b>Subject:</b><span> </span>RE:
givenName and surname revived</span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">What
do you mean by definition? I
consider IV v. OV well defined
because of the meaning associated
with the OID inserted into the cert.
Section 7.1.6.1 states “<span> </span>{joint‐iso‐itu‐t(2)
international‐organizations(<wbr>23)
ca‐browser‐forum(140)
certificate‐policies(1)
baseline‐requirements(2)
individual‐validated(3)}
(2.23.140.1.2.3), if the Certificate
complies with these Requirements and
includes Subject Identity
Information that is verified in
accordance with Section 3.2.3.”
Section 3.2.3 is verification of an
individual whereas Section 3.2.2 is
verification of an organization. </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jeremy</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><a
moz-do-not-send="true"
name="m_-5588693150224251403__MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></a><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"
style="background:white"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Bruce
Morton [<a
moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com"
target="_blank"><span
style="color:#954f72">mailto:Bruce.Morton@entrust.<wbr>com</span></a>]<span> </span><br>
<b>Sent:</b><span> </span>Monday,
August 22, 2016 6:11 AM<br>
<b>To:</b><span> </span>Jeremy
Rowley <<a
moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com"
target="_blank"><span
style="color:#954f72">jeremy.rowley@digicert.com</span></a>>;<span> </span><a
moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank"><span
style="color:#954f72"><wbr>public@cabforum.org</span></a><br>
<b>Subject:</b><span> </span>RE:
givenName and surname revived</span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi
Jeremy,</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">My
apologies, but can you clarify the
section where IV certs are well
defined? I see that
“individual-validated” is stated
twice in sections 1.2 and 7.1.6.1
(the same for domain-validated and
organization-validated), but I can’t
find the definition.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks,
Bruce.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"
style="background:white"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jeremy
Rowley [<a
moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com"
target="_blank"><span
style="color:#954f72">mailto:jeremy.rowley@<wbr>digicert.com</span></a>]<span> </span><br>
<b>Sent:</b><span> </span>Saturday,
August 20, 2016 10:41 AM<br>
<b>To:</b><span> </span>Bruce
Morton <<a
moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com"
target="_blank"><span
style="color:#954f72">Bruce.Morton@entrust.com</span></a>>;<span> </span><a
moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank"><span
style="color:#954f72">pu<wbr>blic@cabforum.org</span></a><br>
<b>Subject:</b><span> </span>RE:
givenName and surname revived</span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hey
Bruce – IV certs are well defined.
The goal of the ballot isn’t to
further define IV certs but to
permit use of the givenName and
surname fields for IV certs.
givenName and surname in the org
field would be allowed. They’d still
use the IV OIDs as they were
validated under the IV section of
the CP.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"
style="background:white"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Bruce
Morton [<a
moz-do-not-send="true"
href="mailto:Bruce.Morton@entrust.com"
target="_blank"><span
style="color:#954f72">mailto:Bruce.Morton@entrust.<wbr>com</span></a>]<span> </span><br>
<b>Sent:</b><span> </span>Friday,
August 19, 2016 6:41 AM<br>
<b>To:</b><span> </span>Jeremy
Rowley <<a
moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com"
target="_blank"><span
style="color:#954f72">jeremy.rowley@digicert.com</span></a>>;<span> </span><a
moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank"><span
style="color:#954f72"><wbr>public@cabforum.org</span></a><br>
<b>Subject:</b><span> </span>RE:
givenName and surname revived</span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi
Jeremy,</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Would
like some clarification. On the call
yesterday, it was said that IV
certificates were not defined, so
this ballot will help resolve this.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Per
7.1.4.2.2 b, the current BRs allow
givenName and surname to be included
in the organizationName field. Will
this still be allowed? If so, what
would the certificate type be? OV or
IV? I would prefer that these be OV
certificates.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">If
we do make the changes and the CAs
have to meet Microsoft’s requirement
to put a DV, OV, or IV certificate
policy in the certificate, I think
we should clearly define each
certificate type.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Also,
the stateOrProvinceName field
appears to currently have an issue
as it does not have any language to
address the case where there is no
state or province in the address.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks,
Bruce.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"
style="background:white"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><a
moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank"><span
style="color:#954f72">public-bounces@cabforum.<wbr>org</span></a><span> </span>[<a
moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank"><span
style="color:#954f72">mailto:public-bounces@<wbr>cabforum.org</span></a>]<span> </span><b>On
Behalf Of<span> </span></b>Jeremy
Rowley<br>
<b>Sent:</b><span> </span>Thursday,
August 18, 2016 12:09 PM<br>
<b>To:</b><span> </span><a
moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank"><span
style="color:#954f72">public@cabforum.org</span></a><br>
<b>Subject:</b><span> </span>[cabfpub]
givenName and surname revived</span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Looking
for two endorsers for the following
revisions to the baseline requirements
adding support for givenName and
surname:</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Insert
a new (C) under 7.1.4.2.2,
renumbering all subsequent bullets.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">c.<span> </span><b>Certificate
Field</b>: subject:givenName
(2.5.4.42) and subject:surname
(2.5.4.4)</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><b><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Optional.<span> </span></span></u></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><b><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
</span></u></b><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">If
present, the subject:givenName
field and subject:surname field
MUST contain an natural person
Subject’s name as verified under
Section 3.2.3. A Certificate
containing a subject:givenName
field or subject:surname field
MUST contain the (2.23.140.1.2.3)
Certificate Policy OID</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">d.</span></u><span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Certificate
Field: Number and street:
subject:streetAddress (OID: 2.5.4.9)<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Optional
if the subject:organizationName
field<u>, subject: givenName field,
or subject:surname field are</u><s>is</s><span> </span>present.
Prohibited if the
subject:organizationName field<u>,
subject:givenName, and
subject:surname field are</u><span><s> </s></span><s>is</s><span> </span>absent.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Contents: If present, the
subject:streetAddress field MUST
contain the Subject’s street address
information as verified under
Section 3.2.2.1.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">e</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">.
Certificate Field:
subject:localityName (OID: 2.5.4.7)<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required
if the subject:organizationName
field,<span> </span><u>subject:givenName
field, or subject:surname field
are</u><span> </span><s>is</s>present
and the subject:stateOrProvinceName
field is absent. Optional if the<u>subject:stateOrProvinceName
field and the
subject:organizationName field,
subject:givenName field, or
subject:surname </u>field are
present. Prohibited if the
subject:organizationName field,<span> </span><u>subject:givenName,
and subject:surname field are<span> </span></u><s>is</s><span> </span>absent.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
If present, the subject:localityName
field MUST contain the Subject’s
locality information as verified
under Section 3.2.2.1. If the
subject:countryName field specifies
the ISO 3166‐1 user‐assigned code of
XX in accordance with Section
7.1.4.2.2(g), the localityName field
MAY contain the Subject’s locality
and/or state or province information
as verified under Section 3.2.2.1.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">f</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">.
Certificate Field:
subject:stateOrProvinceName (OID:
2.5.4.8)<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required
if the subject:organizationName
field field,<span> </span><u>subject:givenName
field, or subject:surname field
are</u><span> </span><s>is<span> </span></s>present
and<span> </span><u>the<span> </span></u>subject:localityName
field is absent. Optional if the<span> </span><u>subject:localityName
field and the
subject:organizationName field,
the subject:givenName field, or
subject:surname field</u><span> </span>are
present. Prohibited if the
subject:organizationName field,<span> </span><u>subject:givenName
field , or subject:surname field<span> </span></u>are<span><s> </s></span><s>is</s>absent.
Contents: If present, the
subject:stateOrProvinceName field
MUST contain the Subject’s state or
province information as verified
under Section 3.2.2.1. If the
subject:countryName field specifies
the ISO 3166‐1 user‐assigned code of
XX in accordance with Section
7.1.4.2.2(g), the
subject:stateOrProvinceName field
MAY contain the full name of the
Subject’s country information as
verified under Section 3.2.2.1.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">g</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">.
Certificate Field:
subject:postalCode (OID: 2.5.4.17)</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Optional
if the subject:organizationName,<span> </span><u>subj<wbr>ect:givenName
field, or subject:surname</u><span> </span>fields<span> </span><u>are</u><span> </span><s>is</s>p<wbr>resent.
Prohibited if the
subject:organizationName field,<span> </span><u>subject:givenName
field, or subject:surname field
are<span> </span></u><s>is</s><span> </span>absent.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
If present, the subject:postalCode
field MUST contain the Subject’s zip
or postal information as verified
under Section 3.2.2.1.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">h</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">.
Certificate Field:
subject:countryName (OID: 2.5.4.6)<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required
if the subject:organizationName
field,<span> </span><u>subject:givenName
, or subject:surname field</u><span> </span>is
present. Optional if the
subject:organizationName field,<span> </span><u>subject:givenName
field</u>, and <u>subject:surname
field are</u><span> </span><s>is</s>absent.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
If the subject:organizationName
field is present, the
subject:countryName MUST contain the
two‐letter ISO 3166‐1 country code
associated with the location of the
Subject verified under Section
3.2.2.1. If the
subject:organizationName,<span> </span><u>subj<wbr>ect:givenName
field, and subject:surname</u><span> </span> field<span> </span><u>are</u><span> </span><s> is<span><wbr> </span></s>absent,
the subject:countryName field MAY
contain the two‐letter ISO 3166‐1
country code associated with the
Subject as verified in accordance
with Section 3.2.2.3. If a Country
is not represented by an official
ISO 3166‐1 country code, the CA MAY
specify the ISO 3166‐1 user‐assigned
code of XX indicating that an
official ISO 3166‐1 alpha‐2 code has
not been assigned.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">i</span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">.
Certificate Field:
subject:organizationalUnitName<span><wbr> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Optional.<span> </span></span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:<span> </span></span></u><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
CA SHALL implement a process that
prevents an OU attribute from
including a name, DBA, tradename,
trademark, address, location, or
other text that refers to a specific
natural person or Legal Entity
unless the CA has verified this
information in accordance with
Section 3.2 and the Certificate also
contains subject:organizationName,<span> </span><u>subj<wbr>ect:givenName,
subject:surname,<span> </span></u>subject:<wbr>localityName,
and subject:countryName attributes,
also verified in accordance with
Section 3.2.2.1.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">7.1.6.1</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">…</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">If
the Certificate asserts the policy
identifier of 2.23.140.1.2.1, then
it MUST NOT include
organizationName,<span> </span><u>givenName,
surname,</u><span> </span>streetAddress,
localityName, stateOrProvinceName,
or postalCode in the Subject field.</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">…</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
</div>
<p class="MsoNormal"
style="background:white"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<br>
<br>
</span></p>
<pre style="background:white">______________________________<wbr>_________________</pre>
<pre style="background:white">Public mailing list</pre>
<pre style="background:white"><a moz-do-not-send="true" href="mailto:Public@cabforum.org" target="_blank"><span style="color:#954f72">Public@cabforum.org</span></a></pre>
<pre style="background:white"><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style="color:#954f72">https://cabforum.org/mailman/<wbr>listinfo/public</span></a></pre>
</blockquote>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">--<span> </span></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt">Kind regards,
Adriano Santoni
ACTALIS S.p.A.
(Aruba Group)</span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">
</span></p>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote></div>
<div>
</div>--
<div class="gmail_signature" data-smartmail="gmail_signature">Erwann.</div>
</div></div></div>
</blockquote>
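<p>The 7.1.6.1 language quoted in the thread, with the proposed givenName and surname additions, expressed as a mechanical check. This is an added example and is not code from the thread or from any CA/Browser Forum tooling. It assumes the DER-encoded Subject Name and the certificatePolicies extension value have already been extracted from the certificate; all function names are hypothetical and the sample bytes are constructed.</p>

```python
# Added example, not CA/B Forum code: X.520 attribute OIDs barred from a DV Subject.
DV_POLICY = "2.23.140.1.2.1"
FORBIDDEN = {"2.5.4.10": "organizationName", "2.5.4.42": "givenName",
             "2.5.4.4": "surname", "2.5.4.9": "streetAddress",
             "2.5.4.7": "localityName", "2.5.4.8": "stateOrProvinceName",
             "2.5.4.17": "postalCode"}

def children(buf):  # yield (tag, value) for each DER TLV laid end to end
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[pos:pos + length]
        pos += length

def oid(content):  # OID content octets -> dotted-decimal string
    arcs, n = [], 0
    for b in content:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def first_oid(seq):  # OID that opens an AttributeTypeAndValue or PolicyInformation
    return oid(next(children(seq))[1])
def dv_subject_violations(name_der, policies_der):
    """Forbidden Subject attributes present when the DV policy is asserted."""
    (_, infos), = children(policies_der)  # certificatePolicies: SEQUENCE OF
    if DV_POLICY not in [first_oid(info) for _, info in children(infos)]:
        return []
    (_, rdns), = children(name_der)  # Name: SEQUENCE OF SET OF SEQUENCE
    found = [first_oid(a) for _, r in children(rdns) for _, a in children(r)]
    return sorted(FORBIDDEN[o] for o in found if o in FORBIDDEN)

def enc(tag, *parts):  # sample builder only; short-form lengths (< 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def rdn(oid_hex, text):  # one-attribute RDN holding a UTF8String value
    return enc(0x31, enc(0x30, enc(0x06, bytes.fromhex(oid_hex)), enc(0x0C, text.encode())))
# Constructed samples: givenName=Robert, surname=Smith, CN=example.com
SUBJECT = enc(0x30, rdn("55042a", "Robert"), rdn("550404", "Smith"),
              rdn("550403", "example.com"))
DV_POLICIES = enc(0x30, enc(0x30, enc(0x06, bytes.fromhex("67810c010201"))))
```

<p>A non-empty result from <code>dv_subject_violations(SUBJECT, DV_POLICIES)</code> names the attributes that would have to be removed, or the policy identifier changed, before issuance.</p>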
</body></html>