<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">I am not very fond of the proposal of allowing
email addresses in SSL Server certificates, but if it is to be
allowed it should be done in keeping with RFC 5280:</font></p>
<p>«Conforming implementations generating new certificates
with electronic mail addresses MUST use the rfc822Name in the
subject alternative name extension»<br>
</p>
Adriano<br>
<br>
<br>
<div class="moz-cite-prefix">On 05/01/2017 16:01, Bruce Morton via
Public wrote:<br>
</div>
<blockquote
cite="mid:b0ddf260301141ae871300558099a92e@PMSPEX03.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I’m
not sure why we want an email address for a SAN either. If
there is a case for an email address, would it be an
alternative to put it in the subject name instead of the SAN? I
think that this can be done per BR 7.1.4.2.2.j.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Public [<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi via Public<br>
<b>Sent:</b> Wednesday, January 4, 2017 8:20 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a><br>
<b>Cc:</b> Ryan Sleevi <a class="moz-txt-link-rfc2396E" href="mailto:sleevi@google.com">&lt;sleevi@google.com&gt;</a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 184: rfc822Names and
otherNames<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">How tied are you to allowing rfc822Name?
"Reasonable measures" feels very much like the "any
equivalent method", and it also feels very much like it will
open up the gates of S/MIME, which the GovReform is
still working through.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For example, can you incorporate
language such as 3.2.2.4.2 / 3.2.2.4.4 to specify more
explicitly what 'reasonable' means? Can you remove it
entirely?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm still very uncertain about the
value proposition of 7.1.4.2.1.3 / 7.1.4.2.1.5 and why
it's desirable, at all, to use BR-compliant CAs for that.
I'm hoping you can make a compelling case here.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Jan 4, 2017 at 5:03 PM, Jeremy
Rowley via Public &lt;<a moz-do-not-send="true"
href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>&gt;
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:black">Thank you everyone for the
feedback so far. Attached is an updated draft
based on the comments provided. Apologies for the
lack of redlining, but I reformatted the entire
section into various permitted entries (thanks
Gerv) which made the entire thing more readable.
Let me know what you think.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:black">Jeremy</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="color:black">7.1.4.2.1. Subject
Alternative Name Extension
</span></b><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:black">Certificate Field:
<a class="moz-txt-link-freetext" href="extensions:subjectAltName">extensions:subjectAltName</a>
</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:black">Required/Optional: Required
</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:black">Contents: This extension MUST
contain at least one entry where each included
entry is one of the following:</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="color:black">7.1.4.2.1.1. dNSName
</span></b><o:p></o:p></p>
<p
class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span
style="color:black">The subjectAltName extension
MAY include one or more dNSName entries provided
each entry is either a Fully-Qualified Domain Name or a
Wildcard Domain Name. The CA MUST verify each
Fully-Qualified Domain Name and Wildcard Domain
Name entry in accordance with Section 3.2.2.4.
</span><o:p></o:p></p>
<p
class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span
style="color:black">Except where the entry is an
Internal Name using onion as the right-most label in an entry in the
subjectAltName Extension or commonName field in
accordance with Appendix F of the EV Guidelines, a
dNSName entry MUST NOT contain an Internal Name.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="color:black">7.1.4.2.1.2. iPAddress</span></b><o:p></o:p></p>
<p
class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span
style="color:black">The subjectAltName MAY include
one or more iPAddress entries provided each entry
is an IP address verified in accordance with
Section 3.2.2.5. The entry MUST NOT contain a
Reserved IP Address.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="color:black">7.1.4.2.1.3. rfc822Name</span></b><o:p></o:p></p>
<p
class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span
style="color:black">The subjectAltName MAY include
one or more rfc822Name entries provided each entry
is an email address compliant with RFC5280. Prior
to including an email address, the CA MUST take
reasonable measures to verify that the entity
submitting the request controls the email account
associated with the email address referenced in
the certificate or has been authorized by the email account
holder to act on the account holder’s behalf.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="color:black">7.1.4.2.1.4. otherName with
SRVName { 1.3.6.1.5.5.7.0.18.8.7 } type-id</span></b><o:p></o:p></p>
<p
class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span
style="color:black">The subjectAltName MAY include
one or more SRVNames (as defined in RFC4986) as an
otherName entry with the SRVName type-id. The CA
MUST verify the name portion of the entry in
accordance with Section 3.2.2.4. SRVName entries
MUST NOT contain Wildcard Domain Names. If a
Technically Constrained Subordinate CA Certificate
includes a dNSName constraint but does not have a
technical constraint for SRVNames, the CA MUST NOT
issue certificates containing SRVNames from the
Technically Constrained Subordinate CA
Certificate. A Technically Constrained Subordinate
CA Certificate that includes a technical
constraint for SRVNames MUST include permitted
name subtrees and MAY include excluded name
subtrees.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="color:black">7.1.4.2.1.5. otherName with
id-wfa-hotspot-friendlyName {
1.3.6.1.4.1.40808.1.1.1 } type-id</span></b><o:p></o:p></p>
<p
class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span
style="color:black">The subjectAltName MAY include
one or more entries of the
id-wfa-hotspot-friendlyName type-id. The CA MAY
only include id-wfa-hotspot-friendlyName entries
compliant with the Hotspot OSU Certificate Policy
as officially published by the Wi-Fi Alliance at
</span><a moz-do-not-send="true"
href="https://www.wi-fi.org/discover-wi-fi/wi-fi-certified-passpoint"
target="_blank"><span style="color:black">https://www.wi-fi.org</span></a><span
style="color:black">. Prior to including a
id-wfa-hotspot-friendlyName entry, the CA MUST:</span><o:p></o:p></p>
<p class="m-3178879151159413396default"
style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">A)</span><span
style="font-size:7.0pt;color:black">
</span><span style="color:black">Authenticate the
authority of the certificate requester in
accordance with Section 3.2.5;</span><o:p></o:p></p>
<p class="m-3178879151159413396default"
style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">B)</span><span
style="font-size:7.0pt;color:black">
</span><span style="color:black">Authenticate the
Subject Identity information in accordance with
Section 3.2.2.1; and</span><o:p></o:p></p>
<p class="m-3178879151159413396default"
style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">C)</span><span
style="font-size:7.0pt;color:black">
</span><span style="color:black">Conduct a trademark
search for the entry with the U.S. Patent and
Trademark Office and equivalent international
trademark office such as the WIPO ROMARIN.
</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:11.4pt"><span
style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: Serif">
Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
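<p>As an added illustration (not text or code from this thread, the CA/B Forum, or any CA), the following Python encodes a small subjectAltName in DER and lints each GeneralName against the draft 7.1.4.2.1 entry types quoted above, plus the RFC 5280 section 4.1.2.6 rule cited at the top of this message: a subject emailAddress with no matching rfc822Name in the SAN is reported. Assumptions: the "Internal Name" test is a fixed list of non-public suffixes, the "Reserved IP Address" test is the <code>is_global</code> flag of Python's <code>ipaddress</code> module, the rfc822Name shape check is a simplified addr-spec regex, the SRVName type-id uses the registered id-on-dnsSRV value from RFC 4985 (the draft text writes that arc differently), <code>verified_mailboxes</code> stands in for the CA's own validation records, and <code>subject_email</code> is supplied by the caller rather than parsed from the subject DN. Every sample entry is constructed.</p>

```python
"""Lint a subjectAltName against the draft 7.1.4.2.1 rules quoted above (added example)."""
import ipaddress
import re

# GeneralName context-specific tags, RFC 5280 section 4.2.1.6.
TAG_OTHERNAME, TAG_RFC822NAME, TAG_DNSNAME, TAG_IPADDRESS = 0xA0, 0x81, 0x82, 0x87
OID_SRVNAME = "1.3.6.1.5.5.7.8.7"        # id-on-dnsSRV as registered by RFC 4985
OID_HOTSPOT = "1.3.6.1.4.1.40808.1.1.1"  # id-wfa-hotspot-friendlyName, as in the draft
OID_DER = {OID_SRVNAME: bytes.fromhex("2b06010505070807"),      # pre-encoded OID bodies
           OID_HOTSPOT: bytes.fromhex("2b0601040182be68010101")}
# Assumed proxy for the BR "Internal Name" notion; onion is listed so the EV Appendix F case shows.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "corp", "lan", "onion"}
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")  # simplified addr-spec

def der_tlv(tag, body):
    """DER tag-length-value; short-form length below 128, two-byte long form above."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element), handling long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0   # first byte packs arcs 1 and 2
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def other_name(type_id, text, inner_tag=0x16):
    """otherName { type-id, value [0] EXPLICIT } as [0] IMPLICIT; 0x16 IA5String, 0x0C UTF8String."""
    value = der_tlv(0xA0, der_tlv(inner_tag, text.encode("utf-8")))
    return der_tlv(TAG_OTHERNAME, der_tlv(0x06, OID_DER[type_id]) + value)

def parse_san(der):
    """Decode GeneralNames into (kind, ...) tuples; otherName yields (oid, text)."""
    _, body, _ = read_tlv(der, 0)             # outer SEQUENCE OF GeneralName
    entries, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag in (TAG_DNSNAME, TAG_RFC822NAME):
            entries.append(("dNSName" if tag == TAG_DNSNAME else "rfc822Name", val.decode("ascii")))
        elif tag == TAG_IPADDRESS:
            entries.append(("iPAddress", str(ipaddress.ip_address(val))))
        elif tag == TAG_OTHERNAME:
            _, oid, p = read_tlv(val, 0)
            _, inner, _ = read_tlv(read_tlv(val, p)[1], 0)   # unwrap [0] EXPLICIT, then the string
            entries.append(("otherName", decode_oid(oid), inner.decode("utf-8")))
        else:
            entries.append(("unsupported", tag))
    return entries

def lint_san(der, verified_mailboxes=frozenset(), subject_email=None):
    """Findings, each prefixed with the draft section or RFC clause it violates."""
    entries, findings, seen_rfc822 = parse_san(der), [], set()
    for kind, *val in entries:
        v = val[0]
        if kind == "dNSName":
            host = v[2:] if v.startswith("*.") else v
            labels = host.lower().split(".")
            internal = len(labels) < 2 or labels[-1] in NON_PUBLIC_SUFFIXES
            if ("*" in host or internal) and labels[-1] != "onion":   # EV Appendix F exemption
                findings.append(f"7.1.4.2.1.1: dNSName {v!r} is not a permitted FQDN or Wildcard Domain Name")
        elif kind == "iPAddress":
            if not ipaddress.ip_address(v).is_global:                 # proxy for Reserved IP Address
                findings.append(f"7.1.4.2.1.2: iPAddress {v} is a Reserved IP Address")
        elif kind == "rfc822Name":
            seen_rfc822.add(v.lower())
            if not ADDR_SPEC.match(v):
                findings.append(f"7.1.4.2.1.3: rfc822Name {v!r} is not an RFC 5280 addr-spec")
            elif v.lower() not in verified_mailboxes:                 # CA validation record lookup
                findings.append(f"7.1.4.2.1.3: no record that the requester controls {v}")
        elif kind == "otherName" and v == OID_SRVNAME:
            service, _, name = val[1].partition(".")
            if not service.startswith("_") or not name or "*" in name:
                findings.append(f"7.1.4.2.1.4: SRVName {val[1]!r} must be _Service.Name with no wildcard")
        elif kind != "otherName" or v != OID_HOTSPOT:
            findings.append(f"7.1.4.2.1: {kind} entry {v} is not a permitted entry type")
    if subject_email and subject_email.lower() not in seen_rfc822:
        findings.append(f"RFC 5280 4.1.2.6: subject emailAddress {subject_email} has no matching rfc822Name in the SAN")
    return findings

def sample_san():
    """Constructed SAN exercising each entry type in the draft; not from any real certificate."""
    return der_tlv(0x30, b"".join([
        der_tlv(TAG_DNSNAME, b"intranet.local"),                        # Internal Name
        der_tlv(TAG_IPADDRESS, ipaddress.ip_address("10.0.0.1").packed),
        der_tlv(TAG_RFC822NAME, b"hostmaster@example.com"),
        der_tlv(TAG_RFC822NAME, b"Host Master <hm@example.com>"),       # display name, not an addr-spec
        other_name(OID_SRVNAME, "_ldap.example.com"),
        other_name(OID_SRVNAME, "_ldap.*.example.com"),                 # wildcard in the name portion
        other_name(OID_HOTSPOT, "Example Coffee Wi-Fi", inner_tag=0x0C),
    ]))
```

<p>Calling <code>lint_san(sample_san(), {"hostmaster@example.com"}, "ops@example.com")</code> returns five findings: the Internal Name, the reserved address, the rfc822Name carrying a display name, the wildcard SRVName, and the subject emailAddress that the SAN does not repeat; a SAN holding only public names and a verified address returns none. The concern raised above about "reasonable measures" appears here as the <code>verified_mailboxes</code> lookup: a linter can confirm that a validation record exists, not how strong the validation behind it was.</p>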
</body>
</html>