<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Is this a correct summary?<o:p></o:p></span></p>
<ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Taiwan has a country-level registration<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Taiwan has a city-level registration<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>The two are not mutually exclusive (i.e., ABC Company at the country level might be a completely different entity than ABC Company at the city level)<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>You want the BRs to distinguish whether the ABC Company was registered with the country of Taiwan vs. a city registration.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>If locality is included in a cert, the actions of ABC Company (country) could be falsely attributed to the ABC Company (local)<o:p></o:p></span></li></ol>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Is that a fair statement?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span>
<p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> realsky(CHT) [mailto:realsky@cht.com.tw] <br><b>Sent:</b> Tuesday, March 21, 2017 11:41 AM<br><b>To:</b> CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br><b>Cc:</b> Jeremy Rowley &lt;jeremy.rowley@digicert.com&gt;<br><b>Subject:</b> Re: [cabfpub] Naming rules<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p>
<div><p class=MsoNormal>Jeremy,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> I suggest reading <a href="https://cabforum.org/pipermail/public/2017-March/010123.html">https://cabforum.org/pipermail/public/2017-March/010123.html</a> first. 
I quote Wen-Cheng's reply in the previous URL as follows:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> " The intrinsic difference between the existing X.500 directory naming conventions and the subject naming rules of the CAB BRs is that the X.500 namespace is hierarchical and therefore the upper and lower entries identified with selected relative distinguished names (RDNs) represent a "subordinate" relationship, while the current CAB BRs use the distinguished name (DN) to indicate the identity and address of the organization and therefore the naming rules require that at least one of the localityName attribute or stateOrProvinceName attribute needs to be included in the subject DN.<br><br>With the X.500 directory naming conventions and the interpretation of a "subordinate" relationship between RDNs, the DN of a national-level entity will not contain an RDN with the localityName attribute or stateOrProvinceName attribute. For example, in the naming rules of Taiwan GPKI, the "Executive Yuan" (i.e., the Cabinet of our government) is a national-level entity and therefore the DN "C=TW, O=Executive Yuan" can unambiguously identify it. If, as required by the naming rules of the current CAB BRs, we add the RDN "L=Taipei City" to the DN of "Executive Yuan", its DN will become "C=TW, L=Taipei City, O=Executive Yuan" and therefore it will be an entity subordinate to “Taipei City” in the directory tree and no longer be a national-level entity. This is actually misleading from the perspective of X.500 naming conventions.<br><br>Although there are intrinsically different interpretations between the existing X.500 directory naming conventions and the subject naming rules of the CAB BRs, fortunately the generated naming forms are only slightly different. For a national-level entity, the DN in X.500 directory naming conventions will not contain an RDN with the localityName attribute or stateOrProvinceName attribute. However, for a local-level entity, the naming forms in X.500 naming conventions and the BR naming rules are identical. "<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> Now I will give some examples.<o:p></o:p></p></div>
<div><p class=MsoNormal> <o:p></o:p></p></div>
<div><p class=MsoNormal>The subject DN for a central government entity in Taiwan is, for example, as below:<o:p></o:p></p></div>
<div><p class=MsoNormal>C=TW, O=Executive Yuan, OU=National Development Council<o:p></o:p></p></div>
<div><p class=MsoNormal>So the Subject DN of an NDC’s SSL certificate is<br>C = TW, O = Executive Yuan, OU = National Development Council, CN = <a href="http://www.cp.gov.tw">www.cp.gov.tw</a>, SERIALNUMBER = 0000000010026835<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal>The subject DN for a local government entity is, for example, as below:<o:p></o:p></p></div>
<div><p class=MsoNormal>C = TW, L = Taichung City, O = City Government, OU = Civil Affairs Bureau<o:p></o:p></p></div>
<div><p class=MsoNormal>The Subject DN of this local government entity's SSL certificate is<o:p></o:p></p></div>
<div><p class=MsoNormal>C = TW, L = Taichung City, O = City Government, OU = Civil Affairs Bureau, CN = eform.taichung.gov.tw, SERIALNUMBER = 0000000010026435<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> In Taiwan, according to our Company Act, the company name must be unique for the whole country. Please see the English version of our Company Act at <br><a href="http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080001">http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080001</a><br>Company Act Article 18 says<br>"No company may use a corporate name which is identical with that of another company."<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> In Taiwan, according to our Company Law, the company name must be unique for the whole country. Furthermore, our Company Law requires the company to register its business location, which will be some city or county. <o:p></o:p></p></div>
<div><p class=MsoNormal> This is an example where the legal naming-uniqueness scope for an entity is not the same as where the entity is legally located. <br> In Taiwan, since the company name must be unique for the whole country, the subject DN for a company, such as Chunghwa Telecom, should look like "C=TW, O=Chunghwa Telecom Co., Ltd"<o:p></o:p></p></div>
<div><p class=MsoNormal><br> This subject DN already uniquely identifies the company. <br><br> If we specify the subject DN as "C=TW, L=Taipei City, O=Chunghwa Telecom Co., Ltd.", that will mean it is a company registered in Taipei City in Taiwan's Government DIT. This will not conform to our Company Law because companies in Taiwan are registered at the country level, not at the municipal level.<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> On the other hand, in Taiwan, we have small businesses (such as stores, or "business entity" in the EVGL) that are established and registered according to our Business Registration Law (<a href="http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080004">http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=J0080004</a>). <br>In Taiwan, small businesses are registered at the municipal level (that will be a city, a county or a special municipality). <br>The Business Registration Law requires that the name of the small business must be unique within the municipality (where it is registered). See Article 28.<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> For example, there might be a small business named "ABC Store" registered in New Taipei City, while there might be another "ABC Store" registered in Pingtung County. <br>Therefore, the suitable subject DNs for these two small businesses will be <br>“C=TW, L=New Taipei City, O=ABC Store" and <br>“C=TW, L=Pingtung County, O=ABC Store" respectively.<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> So the subject DNs of these two small businesses' SSL servers will be<o:p></o:p></p></div>
<div><p class=MsoNormal>“C=TW, L=New Taipei City, O=ABC Store, Common Name=FQDN of ABC Store registered in New Taipei City" and <br>“C=TW, L=Pingtung County, O=ABC Store, Common Name=FQDN of ABC Store registered in Pingtung County" respectively.<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> In Taiwan, a corporation can be registered at the country level but can also be registered at the city/county level. If there is a country-level corporation named “Farmer’s Association” whose physical address is located in Taipei City, under the current Subject DN rule of the BRs its Subject DN will be “C=TW, L=Taipei City, O=Farmer’s Association”. <o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> However, if there is also a city/county-level “Farmer’s Association” in Taipei City, its Subject DN will also be “C=TW, L=Taipei City, O=Farmer’s Association”. How do you distinguish them by DN?<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> Please see the attached image file from Annex B of ITU-T X.521 (Suggested name form and Directory information tree structures). Please note path 1 -> 3; it suggests that there is no need to include a Locality attribute in the directory name. <o:p></o:p></p></div>
<div><p class=MsoNormal> <o:p></o:p></p></div>
<div><p class=MsoNormal> I hope the above information is helpful. Thank you.<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal> Li-Chun Chen<o:p></o:p></p></div>
<div><p class=MsoNormal><o:p> </o:p></p></div>
<div><p class=MsoNormal><br>-----Original message-----<br><b>From:</b> Jeremy Rowley via Public &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt;<br><b>To:</b> CA/Browser Forum Public Discussion List &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt;<br><b>Cc:</b> Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt;<br><b>Date: </b>Tue, 21 Mar 2017 22:51:41<br><b>Subject:</b> [External mail] Re: [cabfpub] Naming rules<span style='font-family:"Times New Roman",serif;mso-fareast-language:EN-US'><o:p></o:p></span></p></div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Despite the discussion today, I’m still not clear on why the cert can’t include locality information. 
Although there is a national registry, what prohibits a CA from adding the Locality information based on address? Even if there are multiple localities for an organization, does that matter? Can’t the entity requesting the cert decide which one they want included? </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:currentColor currentColor;border-image: none'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Public [</span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>mailto:public-bounces@cabforum.org</span></a><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>] <b>On Behalf Of </b>??? via Public<br><b>Sent:</b> Sunday, March 19, 2017 9:23 AM<br><b>To:</b> CA/Browser Forum Public Discussion List <</span><a href="mailto:public@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>public@cabforum.org</span></a><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>><br><b>Cc:</b> </span><span lang=ZH-TW style='font-size:11.0pt'>王文正</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <</span><a href="mailto:wcwang@cht.com.tw"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>wcwang@cht.com.tw</span></a><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>><br><b>Subject:</b> Re: [cabfpub] Naming rules</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>Peter,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span 
style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>I have proposed a minimum change to the BRs to accommodate X.500 directory naming rules of existing PKIs in my reply to Gerv’s mail. In that reply, I have made the rationales why the BRs should embrace the existing X.500 naming rules. I also explain it is not proper to add an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity, because doing so will cause misleading under the X.500 namespace. Therefore, I would not repeat my rationales here.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>As for your argument about "there are always localities that can be added into the subject DN", please see my reply inline.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> On March 10, 2017, at 11:33 PM, Peter Bowen <</span> <a href="mailto:pzb@amzn.com"><span style='font-family:"Courier New"'>pzb@amzn.com</span></a><span style='font-family:"Courier New"'>> wrote:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> [snip]</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> Based on everything you have provided so far, there is no </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> 
evidence that Taiwan does not have localities (cities, </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> towns, villages, or similar) or that they are not used in </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> postal addressing. Much to the contrary, every postal </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> address example you have provided has included a </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> locality. Therefore this appears to be a situation where </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>> the PKI does not want to change (possibly for quite valid </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-family:"Courier New"'>> reasons) rather than cannot change.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>Yes, there are always different levels of "localities" under a jurisdiction or country. We never said Taiwan does not have localities. 
What we argue is that does it makes sense to force adding an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>I had not participated in the early stage discussions of CAB Forum, therefore I just do not understand why CAB though it is so important to include the applicant's location of existence or operation so that the BRs mandate at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN? I guess it is because the only Subject Identity Information that many commercial CAs can verify is whether the applicant actually exists and is in operation and they have no way to guarantee the uniqueness of the subject DN because they have no link to the official registration database maintained by the government. Therefore, the CAB BRs simply leveraged the naming attributes to indicate the identity and location of the applicant but avoid interpreting RDNs as "subordinate" relationships and do not guarantee the uniqueness of the subject DN.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>However, there are existing PKIs where the X.500 directory naming rules are endorsed by the government and CAs in the PKI have the authority to link to the official registration database maintained by the government. Those PKIs actually provide better quality of subject identity information. 
I think the purpose of CAB forum is to improve the security of website identities, why not we embrace the subject identity information provided by these existing PKIs if they would not cause any compatibility problems?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>As I mentioned, in the X.500 naming conventions, the DN of a national-level entity will not need to have a RDN with the localityName attribute or stateOrProvinceName attribute. For example, the Executive Yuan (i.e., the Cabinet of our government) in the X.500 naming rules of Taiwan Government PKI (GPKI) will be:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>C=TW, O=Executive Yuan</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>This is unambiguous naming for Taiwan people because everybody knows that there is only one Executive Yuan in Taiwan.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>If you want to enforce adding a localityName in the DN of the Executive Yuan of Taiwan, the DN will looks like:</span><o:p></o:p></p><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>C=TW, L=Taipei City, O=Executive Yuan</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>This is not only not suitable for the "subordinate" naming conventions of the X.500 but also misleading to Taiwan people. Besides, the executive yuan is a national-level entity, it has many offices all over the country, and the question is which location should be added into its DN?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>I believe this is the same reason why in the Common Certificate Policy of US FPKI, the naming form of the Device names is defined as follows:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>C=US, o=U.S. 
Government, [ou=department], [ou=agency], [ou=structural_container], cn=device name</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>With the X.500 naming conventions, the name form will not be:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>C=US, S="Washington, D.C. ", o=U.S. Government, [ou=department], [ou=agency], [ou=structural_container], cn=device name</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>In addition, I have seen some foreign CAs issuing SSL certificates to customers in Taiwan with strange Subject DNs. Their put improper values in the localityName attribute or stateOrProvinceName attribute simply because the want to claim they comply the naming rules of the BRs. However, the values of the localityName attribute or stateOrProvinceName attribute are actually not meaningful or even misleading. 
For example, a subject DN might look like this:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>C = TW</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>S = Taichung</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>L = Taichung</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>O = COTA Commercial Bank</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>OU = ITD</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>This naming form complies with the BRs, but ironically there has never been a state or province named "Taichung" in Taiwan. Is this the naming that the CAB Forum wants?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>I hope you can support my suggestion for the BRs to embrace the existing X.500 naming rules. We need only make a small change to the BRs, and then we do not need to force the existing PKIs to break the X.500 naming rules and produce some strange subject DNs.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>Besides, please note that at the beginning of Section 3.2.2 of the BRs, it says:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>If the Applicant requests a Certificate that will contain Subject Identity Information comprised <span style='color:red'>only</span> of the countryName field, then the CA SHALL verify the country associated with the Subject using a verification process meeting the requirements of Section 3.2.2.3 and that is described in the CA's Certificate Policy and/or Certification Practice Statement.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>Please note that it says "Subject Identity Information comprised <span style='color:red'>only</span> of the countryName field". Does that not imply that the subject can be a national-level entity, so that it can comprise only the countryName field, without the localityName attribute or the stateOrProvinceName attribute? However, Section 7.1.4.2.2 of the BRs mandates that at least one of the localityName attribute or the stateOrProvinceName attribute must exist in the subject DN. Isn't that a conflict between Section 3.2.2.3 and Section 7.1.4.2.2?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>Best Regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>Wen-Cheng Wang</span><o:p></o:p></p><p class=MsoNormal><b><br><br></b><b><span style='font-size:10.0pt'>This email may contain confidential information of Chunghwa Telecom Co., Ltd. If you are not the designated recipient, please do not collect, process or use the contents of this email, and please destroy it. If you are the designated recipient, please properly protect the company's trade secrets and personal data contained in this email, do not distribute or disclose them without authorization, and verify the security of the attachments and hyperlinks in this email yourself, so that we jointly fulfill our information security and personal data protection responsibilities.<br>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. 
Also, please self-inspect attachments and hyperlinks contained in this email to ensure information security and to protect personal information.</span></b> <o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Times New Roman",serif;mso-fareast-language:EN-US'>_______________________________________________<br>Public mailing list<br></span><a href="mailto:Public@cabforum.org"><span style='font-family:"Times New Roman",serif;mso-fareast-language:EN-US'>Public@cabforum.org</span></a><span style='font-family:"Times New Roman",serif;mso-fareast-language:EN-US'><br></span><a href="https://cabforum.org/mailman/listinfo/public" target="new_win"><span style='font-family:"Times New Roman",serif;mso-fareast-language:EN-US'>https://cabforum.org/mailman/listinfo/public</span></a><span style='font-family:"Times New Roman",serif;mso-fareast-language:EN-US'><o:p></o:p></span></p></div></div></body></html>
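As an added example that is not code from the post, the CA/Browser Forum or any CA, the Python below lints a subject DN against the presence rule the post attributes to Section 7.1.4.2.2 (organizationName requires localityName and/or stateOrProvinceName), accepts the countryName-only subject that the quoted Section 3.2.2 text describes, and flags the "S = L" padding pattern visible in the post's Taichung example. The `parse_dn`, `lint_subject` and `Finding` names and the rule codes are this example's own; the rule set is a deliberate simplification of the BR text, not a complete implementation of the 7.1.4.2.2 table.

```python
"""Subject-DN presence linter for the BR 7.1.4.2.2 discussion above.

Added example; not code from the post, the CA/Browser Forum, or any CA.
The rule set is the simplified one the post describes (organizationName
requires localityName and/or stateOrProvinceName; a countryName-only
subject is permitted), plus a heuristic for the S = L padding the post's
example shows.  It does not implement the full BR 7.1.4.2.2 table.
"""
import re
from dataclasses import dataclass

# Attribute spellings seen in practice mapped to canonical short names.
# The Windows certificate viewer prints stateOrProvinceName as "S",
# which is the spelling the post's example uses.
ALIASES = {
    "C": "C", "COUNTRYNAME": "C",
    "S": "ST", "ST": "ST", "SP": "ST", "STATEORPROVINCENAME": "ST",
    "L": "L", "LOCALITYNAME": "L",
    "O": "O", "ORGANIZATIONNAME": "O",
    "OU": "OU", "ORGANIZATIONALUNITNAME": "OU",
    "CN": "CN", "COMMONNAME": "CN",
}


def parse_dn(text):
    """Parse a DN given either one 'ATTR = value' per line (the post's
    layout) or as a single RFC 4514-style 'C=TW,ST=...' string, where a
    literal comma inside a value is escaped as backslash-comma.  Returns
    an ordered list of (canonical_type, value) pairs; unknown attribute
    types are upper-cased and kept as written."""
    text = text.strip()
    if "\n" in text:
        parts = text.splitlines()
    else:
        parts = re.split(r"(?<!\\),", text)
    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"not an attribute assertion: {part!r}")
        typ, value = (s.strip() for s in part.split("=", 1))
        value = value.replace("\\,", ",")
        pairs.append((ALIASES.get(typ.upper(), typ.upper()), value))
    return pairs


@dataclass(frozen=True)
class Finding:
    code: str      # rule label; these labels are this example's own
    message: str


def lint_subject(pairs):
    """Return the list of Findings for a parsed subject DN (empty = clean)."""
    attrs = {}
    for typ, value in pairs:
        attrs.setdefault(typ, []).append(value)
    findings = []
    if "C" not in attrs:
        findings.append(Finding("NO-COUNTRY", "countryName is absent"))
    # The rule the post attributes to 7.1.4.2.2: an organizationName must
    # be accompanied by localityName and/or stateOrProvinceName.
    if "O" in attrs and "L" not in attrs and "ST" not in attrs:
        findings.append(Finding(
            "BR-7.1.4.2.2",
            "organizationName present but neither localityName nor "
            "stateOrProvinceName is present"))
    # Heuristic for the pattern in the post's example: the same string in
    # both L and ST to satisfy the presence rule, where the jurisdiction
    # has no state/province level above the city.
    if "L" in attrs and "ST" in attrs and attrs["L"] == attrs["ST"]:
        findings.append(Finding(
            "DUP-L-ST",
            f"localityName and stateOrProvinceName are both {attrs['L'][0]!r}; "
            "check whether a real state/province exists"))
    return findings


# Constructed from the DN printed in the post.
POST_DN = """
C = TW
S = Taichung
L = Taichung
O = COTA Commercial Bank
OU = ITD
"""

if __name__ == "__main__":
    samples = [
        ("post example", POST_DN),
        ("country only", "C=TW"),
        ("O without L/ST", "C=TW, O=COTA Commercial Bank, OU=ITD"),
    ]
    for label, dn in samples:
        codes = [f.code for f in lint_subject(parse_dn(dn))]
        print(f"{label:16s} {codes or 'clean'}")
```

Run stand-alone it reports the post's DN as passing the presence rule but tripping the duplicate L/ST heuristic, a bare `C=TW` subject as clean, and an O-only subject as violating the presence rule, which is the three-way distinction the post is arguing about.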