<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Bonjour,</div>
<div class=""><br class="">
</div>
<div class="">My reading is that 319412-1 lists the different certificate profiles and defines semantic identifiers to be used for natural (in serialNumber) and legal (in organizationIdentifier) persons in other 319412-x profiles when necessary; 319412-2 and
-3 are <b class="">NOT</b> suited to website certificates, 319412-4 is the one to use for websites, 319412-5 specifies requirements for the QCStatements extension.</div>
<div class=""><br class="">
</div>
<div class="">319412-4 basically says « follow CABF BR for website certificates issued to legal or natural persons, or CABF EVG for website certificates issued to legal persons, and if the certificate is Qualified, add the QCStatements extension as described
in 319412-5 » (you can also add the QCStatements extension in a non Qualified certificate).</div>
<div class=""><br class="">
</div>
<div class="">BR in section 7.1.4.2.2 lists the attributes found in the subject name, and its item (i) allows for other attributes. So you can add a serialNumber or organizationIdentifier attribute, it’s BR-compliant. Ballot 175 (if/when adopted) will clarify
the givenName/surName presence, which should be fine.</div>
<div class=""><br class="">
</div>
<div class="">EVG in section 9.2 does the same for EV certificates, and section 9.2.8 also allows other attributes to be filled in. You’re then allowed to add the organizationIdentifier attribute, in addition to the already present serialNumber. See them as
duplicate information (organizationIdentifier contains jurisdiction*Name and serialNumber altogether, in a sense).</div>
<div class=""><br class="">
</div>
<div class="">BR in section 7.1.2 sets requirements on certificate extensions, and section 7.1.2.4 allows for other extensions to be added. So the QCStatements extension can be added if you want, considering that you (as a CA) are « aware of a reason for including
the data in the Certificate », and that this extension will not « mislead a Relying Party about the Certificate information verified by the CA ».</div>
<div class=""><br class="">
</div>
<br class="">
<div class="">
<div class="">Cordialement,</div>
<div class="">Erwann Abalea</div>
</div>
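<div class="">The procedure described above (a subject attribute formatted per EN 319412-1, plus a QCStatements extension carrying the RFC 3739 qcStatement-2 with an ETSI semantics identifier), as an added, runnable example. This is not code from the thread, from ETSI or from any CA: it encodes the extension value with a minimal DER writer, parses it back the way a relying party would, and checks a serialNumber or organizationIdentifier value against the EN 319412-1 layout. The OIDs are the ones named in the thread (id-etsi-qcs-SemanticsId-Natural and -Legal under 0.4.0.194121) and in RFC 3739; the identity-type prefix sets, the sample VAT-style value and all function names are my assumptions and are marked as such in the code.</div>

```python
"""Added example (not from the thread or any CA's code): encode the QCStatements
extension value described above (RFC 3739 qcStatement-2 with an EN 319412-1
semantics identifier), parse it back, and check a subject serialNumber /
organizationIdentifier against the EN 319412-1 layout. Standard library only."""
import re

OID_QC_STATEMENTS = "1.3.6.1.5.5.7.1.3"           # id-pe-qcStatements (RFC 3739), the extnID
OID_QCS_PKIX_QC_SYNTAX_V2 = "1.3.6.1.5.5.7.11.2"  # qcStatement-2 = id-qcs-pkixQCSyntax-v2
OID_ETSI_SEMANTICS_NATURAL = "0.4.0.194121.1.1"   # id-etsi-qcs-SemanticsId-Natural
OID_ETSI_SEMANTICS_LEGAL = "0.4.0.194121.1.2"     # id-etsi-qcs-SemanticsId-Legal


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _base128(n):
    out = [n & 0x7F]
    while n >> 7:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body   # first two arcs share one subidentifier


def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def qc_statements_value(semantics_oid):
    """QCStatements ::= SEQUENCE OF QCStatement; here one qcStatement-2 whose
    statementInfo is SemanticsInformation { semanticsIdentifier OID }."""
    return der_seq(der_seq(der_oid(OID_QCS_PKIX_QC_SYNTAX_V2), der_seq(der_oid(semantics_oid))))


def _tlv(buf, pos):
    """Read one DER TLV at pos: (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    a0 = 2 if arcs[0] >= 80 else arcs[0] // 40      # unpack the shared first subidentifier
    return ".".join(str(x) for x in [a0, arcs[0] - 40 * a0] + arcs[1:])


def semantics_identifier(ext_value):
    """semanticsIdentifier OID from a QCStatements value, or None when there is no
    qcStatement-2 or it carries none (the serialNumber is then CA-local)."""
    tag, body, _ = _tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("QCStatements must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, stmt, pos = _tlv(body, pos)
        t, oid_body, p = _tlv(stmt, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed QCStatement")
        if decode_oid(oid_body) != OID_QCS_PKIX_QC_SYNTAX_V2:
            continue                      # another statement (e.g. QcCompliance): skip it
        if p >= len(stmt):
            return None                   # qcStatement-2 without statementInfo
        _, info, _ = _tlv(stmt, p)        # SemanticsInformation; identifier is OPTIONAL
        return decode_oid(_tlv(info, 0)[1]) if info and info[0] == 0x06 else None
    return None


# EN 319412-1 5.1.3 (natural person, serialNumber) / 5.1.4 (legal person,
# organizationIdentifier): 3-char identity type reference, 2-letter ISO 3166 country
# code, "-", identifier. Prefix sets are as I recall the 2016 edition (assumption);
# the standard's national-scheme variant is not modelled here.
NATURAL_TYPES = {"PAS", "IDC", "PNO", "TAX"}
LEGAL_TYPES = {"VAT", "NTR"}
_ID_RE = re.compile(r"^(?P<type>[A-Z]{3})(?P<country>[A-Z]{2})-(?P<id>.+)$")


def parse_semantic_identifier(value, semantics_oid):
    """Split the attribute value, or None if it does not follow the layout."""
    m = _ID_RE.match(value)
    if not m:
        return None
    known = NATURAL_TYPES if semantics_oid == OID_ETSI_SEMANTICS_NATURAL else LEGAL_TYPES
    return {"type": m["type"], "country": m["country"], "id": m["id"],
            "known_type": m["type"] in known}


def describe_subject(ext_value, attr_value):
    """What a relying party can conclude from the attribute plus the extension."""
    sem = semantics_identifier(ext_value) if ext_value else None
    if sem is None:
        return "CA-local identifier: ask the issuing CA which subject it denotes"
    parsed = parse_semantic_identifier(attr_value, sem)
    if parsed is None:
        return "semantics identifier declared but value not in EN 319412-1 layout"
    kind = "natural person" if sem == OID_ETSI_SEMANTICS_NATURAL else "legal person"
    return f"{kind}: {parsed['type']} {parsed['id']} ({parsed['country']})"
```

<div class="">Calling describe_subject(qc_statements_value(OID_ETSI_SEMANTICS_NATURAL), "PASFR-07CL42154") returns "natural person: PAS 07CL42154 (FR)" for the passport-style value quoted in the thread; with no extension, describe_subject(None, "4711") reports a CA-local identifier, the case the thread says fits web server certificates poorly. A real certificate carries the value under extnID 1.3.6.1.5.5.7.1.3 (OID_QC_STATEMENTS); wiring it into an issuance tool is outside this example.</div>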
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">Le 30 août 2016 à 02:30, Moudrick M. Dadashov <<a href="mailto:md@ssc.lt" class="">md@ssc.lt</a>> a écrit :</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<p class="">Right, the question is whether the Subject field value, presented in accordance with id-etsi-qcs-SemanticsId, remains BR/EVG compliant.</p>
Thanks,<br class="">
M.D.<br class="">
<br class="">
<div class="moz-cite-prefix">On 8/29/2016 10:10 PM, Erwann Abalea wrote:<br class="">
</div>
<blockquote cite="mid:CA+i=0E4aC1PPvPz3TKqXFbs7H5dKJbvC1hjDShHc1pKdW+1KWg@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">(sent from home, this will not go to public, unless you forward it)
<div class=""><br class="">
</div>
<div class="">It depends.</div>
<div class=""><br class="">
</div>
<div class="">If the QCStatement extension declares the id-etsi-qcs-SemanticsId-Natural semantics identifier, then yes, the serialNumber will contain the passport number, IDcard number, or other (there's a list in EN 319412-1). The data contained in this attribute
is structured. For example, for me, this serialNumber will be "PASFR-07CL42154" if I present my french passport. This information is not sensitive.<br class="">
<div class="gmail_extra"><br class="">
</div>
<div class="gmail_extra">If there's no semantics identifier declared in the QCStatements extension, or if this extension is missing, the serialNumber is local to the CA. And of course, a relying party would have to ask the CA to point to the right "Robert Smith"
individual.</div>
<div class="gmail_extra"><br class="">
</div>
<div class="gmail_extra">That doesn't fit well with web server certificates... Even if the serialNumber contains a global identifier (such as passport), the probability that as a user I can compare the passport number found in the certificate to the real passport
number of Robert Smith is hardly higher than zero.</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">2016-08-29 20:36 GMT+02:00 Kirk Hall <span dir="ltr" class="">
<<a moz-do-not-send="true" href="mailto:Kirk.Hall@entrust.com" target="_blank" class="">Kirk.Hall@entrust.com</a>></span>:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US" class="">
<div class="">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Erwann, you mention the serialNumber attribute for a natural person – I assume this is not a Social Security number or other sensitive information?
</span></p>
<div class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><br class="webkit-block-placeholder">
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">But if each CA assigns its own serialNumber for the same (or different) “Robert Smith,” I don’t see how a user can figure out which Robert Smith it is
dealing with…</span></p>
<div class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><br class="webkit-block-placeholder">
</div>
<div class="">
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0in 0in 0in" class="">
<p class="MsoNormal"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">
<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org" target="_blank" class="">
public-bounces@cabforum.org</a> [mailto:<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org" target="_blank" class="">public-bounces@cabforum.org</a>]
<b class="">On Behalf Of </b>Erwann Abalea<br class="">
<b class="">Sent:</b> Friday, August 26, 2016 1:47 AM<br class="">
<b class="">To:</b> Moudrick M. Dadashov <<a moz-do-not-send="true" href="mailto:md@ssc.lt" target="_blank" class="">md@ssc.lt</a>><br class="">
<b class="">Cc:</b> <a moz-do-not-send="true" href="mailto:public@cabforum.org" target="_blank" class="">
public@cabforum.org</a><br class="">
<b class="">Subject:</b> Re: [cabfpub] givenName and surname revived</span></p>
</div>
</div>
<div class=""> <br class="webkit-block-placeholder">
</div>
<div class="">
<p class="MsoNormal">That’s easily done for a certificate issued to a legal person if you really need it:</p>
</div>
<div class="">
<p class="MsoNormal"> - EN 319412-4 asks you to follow CABF BR or EVG, which don’t prevent you from adding other attributes or extensions</p>
</div>
<div class="">
<p class="MsoNormal"> - add the organizationIdentifier attribute formatted as described in EN 319412-1 section 5.1.4</p>
</div>
<div class="">
<p class="MsoNormal"> - add a QCStatements extension containing the qcStatement-2 QC-STATEMENT (as defined in RFC3739), and populate the semanticsIdentifier element with the id-etsi-qcs-SemanticsId-Legal OID</p>
</div>
<div class="">
<div class=""> <br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal">Same goes for a certificate issued to a natural person, just use the serialNumber attribute instead of the organizationIdentifier, fill it according to EN 319412-1 section 5.1.3, use id-etsi-qcs-SemanticsId-<wbr class="">Natural OID as
the semantics identifier.</p>
</div>
<div class="">
<div class=""> <br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal">Of course, you’re not REQUIRED to produce eIDAS compliant certificates.</p>
</div>
<div class=""> <br class="webkit-block-placeholder">
</div>
<div class="">
<div class="">
<p class="MsoNormal">Cordialement,</p>
</div>
<div class="">
<p class="MsoNormal">Erwann Abalea</p>
</div>
</div>
<div class=""> <br class="webkit-block-placeholder">
</div>
<div class="">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class="">
<p class="MsoNormal">Le 24 août 2016 à 15:05, Moudrick M. Dadashov <<a moz-do-not-send="true" href="mailto:md@ssc.lt" target="_blank" class="">md@ssc.lt</a>> a écrit :</p>
</div>
<div class=""> <br class="webkit-block-placeholder">
</div>
<div class="">
<p class="MsoNormal" style="background:white;text-align:start;word-spacing:0px"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class="">eIDAS Article 3 (38):</span></p>
<p class="MsoNormal" style="background:white;text-align:start;word-spacing:0px"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class="">‘certificate for website authentication’ means an attestation that makes it possible to authenticate a
website and links the website to the natural or legal person to whom the certificate is issued;</span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;background:white" class="">Thanks,</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""><br class="">
<span style="background:white" class="">M.D.</span><br style="text-align:start;word-spacing:0px" class="">
<br class="">
</span></p>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class="">On 8/24/2016 1:08 PM, Adriano Santoni wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;text-align:start;word-spacing:0px" class="">
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif" class="">But givenName and surname are not sufficient to specify an identity. How many Robert Smiths exist in UK/US/CA ? (or Mario Rossi in Italy, as
to that).</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif" class="">If I would like to know who's behind a web site whose SSL cert contains giveName=John, surname=Doe, I am none the wiser.</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""></span></p>
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class="">Il 23/08/2016 20:02, Bruce Morton ha scritto:</span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">OK, thanks.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Bruce.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in" class="">
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Jeremy
Rowley [<a moz-do-not-send="true" href="mailto:jeremy.rowley@digicert.com" target="_blank" class=""><span style="color:#954f72" class="">mailto:jeremy.rowley@<wbr class="">digicert.com</span></a>]<span class=""> </span><br class="">
<b class="">Sent:</b><span class=""> </span>Monday, August 22, 2016 6:16 PM<br class="">
<b class="">To:</b><span class=""> </span>Bruce Morton<span class=""> </span><a moz-do-not-send="true" href="mailto:Bruce.Morton@entrust.com" target="_blank" class=""><span style="color:#954f72" class=""><Bruce.Morton@entrust.<wbr class="">com></span></a>;<span class=""> </span><a moz-do-not-send="true" href="mailto:public@cabforum.org" target="_blank" class=""><span style="color:#954f72" class="">public@cabforum.org</span></a><br class="">
<b class="">Subject:</b><span class=""> </span>RE: givenName and surname revived</span></p>
</div>
</div>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">What do you mean by definition? I consider IV v. OV well defined because of the meaning associated with the OID inserted into the cert. Section
7.1.6.1 states “<span class=""> </span>{joint‐iso‐itu‐t(2) international‐organizations(<wbr class="">23) ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2) individual‐validated(3)} (2.23.140.1.2.3), if the Certificate complies with these
Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.3.” Section 3.2.3 is verification of an individual whereas Section 3.2.2 is verification of an organization. </span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Jeremy</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><a moz-do-not-send="true" name="m_-5588693150224251403__MailEndCompose" class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in" class="">
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Bruce
Morton [<a moz-do-not-send="true" href="mailto:Bruce.Morton@entrust.com" target="_blank" class=""><span style="color:#954f72" class="">mailto:Bruce.Morton@entrust.<wbr class="">com</span></a>]<span class=""> </span><br class="">
<b class="">Sent:</b><span class=""> </span>Monday, August 22, 2016 6:11 AM<br class="">
<b class="">To:</b><span class=""> </span>Jeremy Rowley <<a moz-do-not-send="true" href="mailto:jeremy.rowley@digicert.com" target="_blank" class=""><span style="color:#954f72" class="">jeremy.rowley@digicert.com</span></a>>;<span class=""> </span><a moz-do-not-send="true" href="mailto:public@cabforum.org" target="_blank" class=""><span style="color:#954f72" class=""><wbr class="">public@cabforum.org</span></a><br class="">
<b class="">Subject:</b><span class=""> </span>RE: givenName and surname revived</span></p>
</div>
</div>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Hi Jeremy,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">My apologies, but can you clarify the section where IV certs are well defined? I see that “individual-validated” is stated twice
in sections 1.2 and 7.1.6.1 (the same for domain-validated and organization-validated), but I can’t find the definition.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Thanks, Bruce.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in" class="">
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Jeremy
Rowley [<a moz-do-not-send="true" href="mailto:jeremy.rowley@digicert.com" target="_blank" class=""><span style="color:#954f72" class="">mailto:jeremy.rowley@<wbr class="">digicert.com</span></a>]<span class=""> </span><br class="">
<b class="">Sent:</b><span class=""> </span>Saturday, August 20, 2016 10:41 AM<br class="">
<b class="">To:</b><span class=""> </span>Bruce Morton <<a moz-do-not-send="true" href="mailto:Bruce.Morton@entrust.com" target="_blank" class=""><span style="color:#954f72" class="">Bruce.Morton@entrust.com</span></a>>;<span class=""> </span><a moz-do-not-send="true" href="mailto:public@cabforum.org" target="_blank" class=""><span style="color:#954f72" class="">pu<wbr class="">blic@cabforum.org</span></a><br class="">
<b class="">Subject:</b><span class=""> </span>RE: givenName and surname revived</span></p>
</div>
</div>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Hey Bruce – IV certs are well defined. The goal of the ballot isn’t to further define IV certs but to permit use of the givenName and surname
fields for IV certs. giveName and surname in the org field would be allowed. They’d still use the IV OIDs as they were validated under the IV section of the CP.</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in" class="">
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Bruce
Morton [<a moz-do-not-send="true" href="mailto:Bruce.Morton@entrust.com" target="_blank" class=""><span style="color:#954f72" class="">mailto:Bruce.Morton@entrust.<wbr class="">com</span></a>]<span class=""> </span><br class="">
<b class="">Sent:</b><span class=""> </span>Friday, August 19, 2016 6:41 AM<br class="">
<b class="">To:</b><span class=""> </span>Jeremy Rowley <<a moz-do-not-send="true" href="mailto:jeremy.rowley@digicert.com" target="_blank" class=""><span style="color:#954f72" class="">jeremy.rowley@digicert.com</span></a>>;<span class=""> </span><a moz-do-not-send="true" href="mailto:public@cabforum.org" target="_blank" class=""><span style="color:#954f72" class=""><wbr class="">public@cabforum.org</span></a><br class="">
<b class="">Subject:</b><span class=""> </span>RE: givenName and surname revived</span></p>
</div>
</div>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Hi Jeremy,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Would like some clarification. On the call yesterday, it was said that IV certificates were not defined, so this ballot will
help resolve this.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Per 7.1.4.2.2 b, the current BRs allow givenName and surname to be included in the organizationName field. Will this still be
allowed? If so, what would the certificate type be? OV or IV? I would prefer that these be OV certificates.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">If we do make the changes and the CAs have to meet Microsoft’s requirement to put a DV, OV, or IV certificate policy in the
certificate, I think we should clearly define each certificate type.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Also, the stateOrProvinceName field appears to currently have an issue as it does not have any language to address the case
where there is no state or province in the address.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class="">Thanks, Bruce.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d" class=""> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in" class="">
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""><a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org" target="_blank" class=""><span style="color:#954f72" class="">public-bounces@cabforum.<wbr class="">org</span></a><span class=""> </span>[<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org" target="_blank" class=""><span style="color:#954f72" class="">mailto:public-bounces@<wbr class="">cabforum.org</span></a>]<span class=""> </span><b class="">On
Behalf Of<span class=""> </span></b>Jeremy Rowley<br class="">
<b class="">Sent:</b><span class=""> </span>Thursday, August 18, 2016 12:09 PM<br class="">
<b class="">To:</b><span class=""> </span><a moz-do-not-send="true" href="mailto:public@cabforum.org" target="_blank" class=""><span style="color:#954f72" class="">public@cabforum.org</span></a><br class="">
<b class="">Subject:</b><span class=""> </span>[cabfpub] givenName and surname revived</span></p>
</div>
</div>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Looking for two endorsers for the following revisions the baseline requirements adding support for givenName and surname:</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Insert a new (C) under 7.1.4.2.2, renumbering all subsequent bullets.<span class=""> </span></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">c.<span class=""> </span><b class="">Certificate Field</b>: subject:givenName (2.5.4.42) and subject:surname (2.5.4.4)</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Optional.<span class=""> </span></span></u></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><b class=""><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Contents: </span></u></b><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">If
present, the subject:givenName field and subject:surname field MUST contain a natural person Subject’s name as verified under Section 3.2.3. A Certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) Certificate
Policy OID</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">.</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">d.</span></u><span class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Certificate
Field: Number and street: subject:streetAddress (OID: 2.5.4.9)<span class=""> </span></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> Optional if the subject:organizationName field<u class="">, subject:givenName field, or subject:surname field are</u> <s class="">is</s> present.
Prohibited if the subject:organizationName field<u class="">, subject:givenName, and subject:surname field are</u><span class=""><s class=""> </s></span><s class="">is</s><span class=""> </span>absent.</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> Contents: If present, the subject:streetAddress field MUST contain the Subject’s street address information as verified under Section 3.2.2.1.<span class=""> </span></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">e</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">. Certificate Field: subject:localityName
(OID: 2.5.4.7)<span class=""> </span></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Required if the subject:organizationName field, <u class="">subject:givenName field, or subject:surname field are</u> <s class="">is</s> present
and the subject:stateOrProvinceName field is absent. Optional if the <u class="">subject:stateOrProvinceName field and the subject:organizationName field, subject:givenName field, or subject:surname </u>field are present. Prohibited if the subject:organizationName
field, <u class="">subject:givenName, and subject:surname field are </u><s class="">is</s> absent.</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Contents: If present, the subject:localityName field MUST contain the Subject’s locality information as verified under Section 3.2.2.1. If
the subject:countryName field specifies the ISO 3166‐1 user‐assigned code of XX in accordance with Section 7.1.4.2.2(g), the localityName field MAY contain the Subject’s locality and/or state or province information as verified under Section 3.2.2.1.<span class=""> </span></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">f</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">. Certificate Field: subject:stateOrProvinceName
(OID: 2.5.4.8)<span class=""> </span></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Required if the subject:organizationName field, <u class="">subject:givenName field, or subject:surname field
are</u> <s class="">is </s>present and <u class="">the </u>subject:localityName field is absent. Optional if the <u class="">subject:localityName
field and the subject:organizationName field, the subject:givenName field, or subject:surname field</u> are present. Prohibited if the subject:organizationName field, <u class="">subject:givenName field, or subject:surname
field </u>are <s class="">is</s> absent.</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Contents: If present, the subject:stateOrProvinceName field MUST contain the Subject’s state or province information as verified under Section 3.2.2.1. If the
subject:countryName field specifies the ISO 3166‐1 user‐assigned code of XX in accordance with Section 7.1.4.2.2(g), the subject:stateOrProvinceName field MAY contain the full name of the Subject’s country information as verified under Section 3.2.2.1.</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">g</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">. Certificate Field: subject:postalCode (OID:
2.5.4.17)</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Optional if the subject:organizationName, <u class="">subject:givenName field, or subject:surname</u> fields <u class="">are</u> <s class="">is</s> present.
Prohibited if the subject:organizationName field, <u class="">subject:givenName field, or subject:surname field are </u><s class="">is</s> absent.</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Contents: If present, the subject:postalCode field MUST contain the Subject’s zip or postal information as verified under Section 3.2.2.1.<span class=""> </span></span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">h</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">. Certificate Field: subject:countryName
(OID: 2.5.4.6)<span class=""> </span></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Required if the subject:organizationName field, <u class="">subject:givenName, or subject:surname field</u> is
present. Optional if the subject:organizationName field, <u class="">subject:givenName field</u>, and <u class="">subject:surname field are</u> <s class="">is</s> absent.</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Contents: If the subject:organizationName field is present, the subject:countryName MUST contain the two‐letter ISO 3166‐1 country code associated
with the location of the Subject verified under Section 3.2.2.1. If the subject:organizationName, <u class="">subject:givenName field, and subject:surname</u> field <u class="">are</u> <s class="">is</s> absent,
the subject:countryName field MAY contain the two‐letter ISO 3166‐1 country code associated with the Subject as verified in accordance with Section 3.2.2.3. If a Country is not represented by an official ISO 3166‐1 country code, the CA MAY specify the ISO
3166‐1 user‐assigned code of XX indicating that an official ISO 3166‐1 alpha‐2 code has not been assigned.</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">i</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">. Certificate Field: subject:organizationalUnitName<span class=""> </span></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Optional.<span class=""> </span></span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><u class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">Contents:<span class=""> </span></span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">The CA SHALL
implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section
3.2 and the Certificate also contains subject:organizationName, <u class="">subject:givenName, subject:surname, </u>subject:localityName, and subject:countryName attributes, also verified
in accordance with Section 3.2.2.1.</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">7.1.6.1</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">…</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName,<span class=""> </span><u class="">givenName,
surname,</u><span class=""> </span>streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.</span></p>
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">…</span></p>
</div>
<div class="">
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""><br class="">
<br class="">
<br class="">
</span></p>
<pre style="background:white" class="">______________________________<wbr class="">_________________</pre>
<pre style="background:white" class="">Public mailing list</pre>
<pre style="background:white" class=""><a moz-do-not-send="true" href="mailto:Public@cabforum.org" target="_blank" class=""><span style="color:#954f72" class="">Public@cabforum.org</span></a></pre>
<pre style="background:white" class=""><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public" target="_blank" class=""><span style="color:#954f72" class="">https://cabforum.org/mailman/<wbr class="">listinfo/public</span></a></pre>
</blockquote>
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
<div class="">
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class="">--<span class=""> </span></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt" class="">Kind regards, Adriano Santoni ACTALIS S.p.A. (Aruba Group)</span></p>
</div>
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" class=""></span><br class="webkit-block-placeholder">
</div>
</blockquote>
</div>
</blockquote>
</div>
<div class=""> <br class="webkit-block-placeholder">
</div>
</div>
</div>
</blockquote>
</div>
<div class=""></div>
--
<div class="gmail_signature" data-smartmail="gmail_signature">Erwann.</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
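<div class="">The presence rules quoted above from 7.1.4.2.2 (c) through (h) and from 7.1.6.1, written out as a lint over a certificate subject. This is an added example, not code from anyone in this thread, from the Forum or from any CA; it assumes the subject has already been parsed into a dict keyed by attribute short name (no DER handling) and that the certificate's policy OIDs are supplied as a set of dotted strings. The two policy OIDs are the ones cited in the quoted text.</div>

```python
"""Lint for the subject-attribute presence rules quoted from BR 7.1.4.2.2
(c)-(h) and 7.1.6.1, with the givenName/surname redline applied.

Added example, not code from the thread, the Forum or any CA. Assumes the
subject is pre-parsed into {attribute short name: value} (no DER parsing)
and the certificate's policy OIDs are supplied as a set of strings.
"""

DV_POLICY = "2.23.140.1.2.1"  # domain-validated policy, BR 7.1.6.1
IV_POLICY = "2.23.140.1.2.3"  # individual-validated policy, BR 7.1.4.2.2 (c)

# The redline ties every address field to one of these three identity fields.
IDENTITY_FIELDS = ("organizationName", "givenName", "surname")
ADDRESS_FIELDS = ("streetAddress", "localityName", "stateOrProvinceName", "postalCode")


def check_subject(subject, policy_oids):
    """Return the list of rule violations; an empty list means the subject conforms."""
    problems = []
    has_identity = any(f in subject for f in IDENTITY_FIELDS)
    has_person = "givenName" in subject or "surname" in subject

    # 7.1.6.1: a DV certificate carries no identity or address attributes at all.
    if DV_POLICY in policy_oids:
        for f in IDENTITY_FIELDS + ADDRESS_FIELDS:
            if f in subject:
                problems.append(f"7.1.6.1: {f} prohibited with policy {DV_POLICY}")

    # (c): a natural-person name obliges the certificate to assert the IV policy.
    if has_person and IV_POLICY not in policy_oids:
        problems.append(f"(c): givenName/surname present without policy {IV_POLICY}")

    if has_identity:
        # (e)/(f): one of localityName / stateOrProvinceName is required, the other optional.
        if "localityName" not in subject and "stateOrProvinceName" not in subject:
            problems.append("(e)/(f): localityName or stateOrProvinceName required")
        # (h): countryName is required whenever O, givenName or surname is present.
        if "countryName" not in subject:
            problems.append("(h): countryName required")
    else:
        # (d)-(g): with O, givenName and surname all absent, address fields are prohibited.
        for f in ADDRESS_FIELDS:
            if f in subject:
                problems.append(f"(d)-(g): {f} prohibited without organizationName/givenName/surname")

    # (h) contents: two-letter ISO 3166-1 alpha-2 code; the user-assigned code XX also
    # passes this shape check. Whether a code is actually assigned is not checked here.
    c = subject.get("countryName")
    if c is not None and not (len(c) == 2 and c.isalpha() and c.isupper()):
        problems.append("(h): countryName must be a two-letter ISO 3166-1 alpha-2 code (or XX)")
    return problems
```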
</body>
</html>