<div dir="ltr">Ben,<div><br></div><div>On a technical level: How do you quantify, audit, and ensure uniquely identifiable? Given that we do not have an X.500 Directory Information Tree, it is easily possible for two such directories to exist, which within their DIT are uniquely identifiable, but in their totality are not.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 24, 2017 at 5:46 PM, Ben Wilson via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_2557727925781743003WordSection1">
<p class="MsoNormal"><a name="m_2557727925781743003__MailEndCompose"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Attached is a redlined snippet from the Baseline Requirements. It proposes adding the following sentence(s) to sections on localityName and stateOrProvinceName:<u></u><u></u></span></a></p>
<p class="MsoNormal"><span><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><u></u> <u></u></span></span></p>
<p class="MsoNormal" style="margin-right:.5in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span>This field is also optional if the organization is uniquely identifiable by registration in a national-government-adopted X.500 directory that does not contain the [localityName/<wbr>stateOrProvinceName] attribute.</span><span><span style="font-size:10.0pt"><u></u><u></u></span></span></p>
<p class="MsoNormal"><span><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><u></u> <u></u></span></span></p>
<p class="MsoNormal"><span><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Feel free to modify and debate as necessary.<span style="color:#0174c3">
<u></u><u></u></span></span></span></p>
<p class="MsoNormal"><span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></span></p>
<span></span>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@<wbr>cabforum.org</a>]
<b>On Behalf Of </b>Moudrick M. Dadashov via Public<br>
<b>Sent:</b> Wednesday, March 22, 2017 1:51 PM<span class=""><br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
</span><b>Cc:</b> Moudrick M. Dadashov <<a href="mailto:md@ssc.lt" target="_blank">md@ssc.lt</a>></span></p><div><div class="h5"><br>
<b>Subject:</b> Re: [cabfpub] Naming rules<u></u><u></u></div></div><p></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Good question, the problem is that the entity requesting the cert has no idea what locality/state means.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">M.D.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div id="m_2557727925781743003composer_signature">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757">Sent from Samsung tablet.<u></u><u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">-------- Original message --------<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">From: Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>>
<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Date: 3/21/17 15:51 (GMT+01:00) <u></u>
<u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">To: CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>>
<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Cc: Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>>
<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Subject: Re: [cabfpub] Naming rules
<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Despite the discussion today, I’m still not clear on why the cert can’t include locality information. Although there
is a national registry, what prohibits a CA from adding the Locality information based on address? Even if there are multiple localities for an organization, does that matter? Can’t the entity requesting the cert decide which one they want included?
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@<wbr>cabforum.org</a>]
<b>On Behalf Of </b>??? via Public<br>
<b>Sent:</b> Sunday, March 19, 2017 9:23 AM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Cc:</b> </span><span lang="ZH-TW" style="font-size:11.0pt;font-family:"MS Gothic"">王文正</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <<a href="mailto:wcwang@cht.com.tw" target="_blank">wcwang@cht.com.tw</a>><br>
<b>Subject:</b> Re: [cabfpub] Naming rules</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">Peter,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">I have proposed a minimum change to the BRs to accommodate X.500 directory naming rules of existing PKIs in my reply to Gerv’s mail. In that
reply, I have made the rationales why the BRs should embrace the existing X.500 naming rules. I also explain it is not proper to add an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity, because doing
so will cause misleading under the X.500 namespace. Therefore, I would not repeat my rationales here.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">As for your argument about "there are always localities that can be added into the subject DN", please see my reply inline.</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> On March 10, 2017, at 11:33 PM, Peter Bowen <</span>
<span style="font-family:"Courier New""><a href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>> wrote:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> [snip]</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> Based on everything you have provided so far, there is no
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> evidence that Taiwan does not have localities (cities,
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> towns, villages, or similar) or that they are not used in
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> postal addressing. Much to the contrary, every postal
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> address example you have provided has included a
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> locality. Therefore this appears to be a situation where
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">> the PKI does not want to change (possibly for quite valid
</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Courier New"">> reasons) rather than cannot change.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">Yes, there are always different levels of "localities" under a jurisdiction or country. We never said Taiwan does not have localities. What
we argue is that does it makes sense to force adding an RDN with the localityName attribute or stateOrProvinceName attribute to the DN of a national-level entity?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">I had not participated in the early stage discussions of CAB Forum, therefore I just do not understand why CAB though it is so important
to include the applicant's location of existence or operation so that the BRs mandate at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN? I guess it is because the only Subject Identity Information that
many commercial CAs can verify is whether the applicant actually exists and is in operation and they have no way to guarantee the uniqueness of the subject DN because they have no link to the official registration database maintained by the government. Therefore,
the CAB BRs simply leveraged the naming attributes to indicate the identity and location of the applicant but avoid interpreting RDNs as "subordinate" relationships and do not guarantee the uniqueness of the subject DN.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">However, there are existing PKIs where the X.500 directory naming rules are endorsed by the government and CAs in the PKI have the authority
to link to the official registration database maintained by the government. Those PKIs actually provide better quality of subject identity information. I think the purpose of CAB forum is to improve the security of website identities, why not we embrace the
subject identity information provided by these existing PKIs if they would not cause any compatibility problems?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">As I mentioned, in the X.500 naming conventions, the DN of a national-level entity will not need to have a RDN with the localityName attribute
or stateOrProvinceName attribute. For example, the Executive Yuan (i.e., the Cabinet of our government) in the X.500 naming rules of Taiwan Government PKI (GPKI) will be:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">C=TW, O=Executive Yuan</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">This is unambiguous naming for Taiwan people because everybody knows that there is only one Executive Yuan in Taiwan.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">If you want to enforce adding a localityName in the DN of the Executive Yuan of Taiwan, the DN will looks like:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">C=TW, L=Taipei City, O=Executive Yuan</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">This is not only not suitable for the "subordinate" naming conventions of the X.500 but also misleading to Taiwan people. Besides, the executive
yuan is a national-level entity, it has many offices all over the country, and the question is which location should be added into its DN?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">I believe this is the same reason why in the Common Certificate Policy of US FPKI, the naming form of the Device names is defined as follows:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">C=US, o=U.S. Government, [ou=department], [ou=agency], [ou=structural_container], cn=device name</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">With the X.500 naming conventions, the name form will not be:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">C=US, S="Washington, D.C. ", o=U.S. Government, [ou=department], [ou=agency], [ou=structural_container], cn=device name</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">In addition, I have seen some foreign CAs issuing SSL certificates to customers in Taiwan with strange Subject DNs. Their put improper values
in the localityName attribute or stateOrProvinceName attribute simply because the want to claim they comply the naming rules of the BRs. However, the values of the localityName attribute or stateOrProvinceName attribute are actually not meaningful or even
misleading. For example, a subject DN might looks like this:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">C = TW</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">S = Taichung</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">L = Taichung</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">O = COTA Commercial Bank</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">OU = ITD</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">This naming form comply the BRs, but ironically there is never a state or province name named "Taichung" in Taiwan. Is this the naming that
CAB forum wants?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">I hope you can support my suggestion for the BRs to embrace the existing X.500 naming rules. We need just do a little change to the BRs,
and then we do not need to enforce the existing PKIs to break the X.500 naming rules and result some strange subject DNs.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">Besides, please note in the beginning of section 3.2.2 of the BRs, it says:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">If the Applicant requests a Certificate that will contain Subject Identity Information comprised
<span style="color:red">only</span> of the countryName field, then the CA SHALL verify the country associated with the Subject using a verification process meeting the requirements of Section 3.2.2.3 and that is described in the CA's Certificate Policy and/or
Certification Practice Statement.</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">Please not that it says "</span>
<span style="font-family:"Courier New"">Subject Identity Information comprised <span style="color:red">
only </span>of the countryName field " Does not that imply that the subject can be a national-level entity so that it can comprise only the countryName field and without the localityName attribute or stateOrProvinceName attribute? However, the section 7.1.4.2.2
of the BRs mandates at least one of the localityName attribute or stateOrProvinceName attribute must exist in the subject DN. Isn't that a conflict between Section 3.2.2.3 and Section 7.1.4.2.2?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">Best Regards,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">Wen-Cheng Wang</span><u></u><u></u></p>
<p class="MsoNormal"><b><br>
<br>
</b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">本信件可能包含中華電信股份有限公司機密資訊</span></b><b><span style="font-size:10.0pt">,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">非指定之收件者</span></b><b><span style="font-size:10.0pt">,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic""><wbr>請勿蒐集、處理或利用本信件</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"Malgun Gothic",sans-serif">內容</span></b><b><span style="font-size:10.0pt">,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">並請銷毀此信件</span></b><b><span style="font-size:10.0pt">.
</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">如為指定收件者</span></b><b><span style="font-size:10.0pt">,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">應確實保護郵件中本公司之營業機密及個人資料</span></b><b><span style="font-size:10.0pt">,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic""><wbr>不得任意傳佈或揭露</span></b><b><span style="font-size:10.0pt">,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">並應自行確認本郵件之附檔與超連結之安全性</span></b><b><span style="font-size:10.0pt"><wbr>,</span></b><b><span lang="ZH-TW" style="font-size:10.0pt;font-family:"MS Gothic"">以共同善盡資訊安全與個資保護責任</span></b><b><span style="font-size:10.0pt">.
<br>
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further
collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your
system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also,
please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.</span></b>
<u></u><u></u></p>
</div>
</div></div></div>
</div>
<br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>