<div dir="ltr">Hi Kirk,<div><br></div><div>Your email may be confusing somethings. This is related to Entrust's issuance of non-BR compliant certificates, <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1390996">https://bugzilla.mozilla.org/show_bug.cgi?id=1390996</a> , correct? Hopefully you'll have a chance to reply there, even if to only acknowledge receipt and that Entrust is investigating.</div><div><br></div><div>The short answer is this language came from the Forum, because it makes sense. As CAs have liked to suggest that the additional subject information afforded by an EV and OV certificate is meaningful, and as both the Baseline Requirements and the EV Guidelines exist to create a common profile of fields, this language prohibits a practice that was previously common, of CAs explicitly including certain attributes in fields and putting the contents such as "n/a" or "-"</div><div><br></div><div>This is undesirable for many reasons, which the Forum recognized when prohibiting.</div><div>1) One goal of our requirements is to ensure certificates from different CAs follow a consistent profile and representation. One CA's "n/a" could be encoded as another CA's "-", and one CAs "NA" could mean "not applicable" could mean another CA's "North America". The current requirement helps ensure consistency.</div><div>2) For optional fields, there's a defined way in X.509 (and, by proxy, RFC 5280) to how to represent that an optional field was not applicable or not verified - and that's simply to not include it. There is no technical requirement that a CA include a subject Attribute Type with an empty or symbolic Attribute Value; if it's not applicable, the correct approach, in all the relevant standards, is to simply omit this field.</div><div>3) Omitting this field, rather than filling it with 'junk' data (such as '-', ' ', or other indicators of no applicability) helps keep certificates smaller, and by doing so, ensures TLS remains accessible for a broad spectrum of users and site operators.</div><div>4) In particular for browsers, the contents of Subject fields are displayed. Even in cases where a localized name for the associated Attribute Type is not included in the UI (e.g. Li-Chun's remarks about the EV OIDs in the context of Firefox and, previously, Chrome), the Attribute Value, by being an appropriate universal ASN.1 type, can and is displayed. That is, in the UI, you might see something like "<a href="http://1.2.3.4">1.2.3.4</a>: N/A" in the UI for an attribute type of OID 1.2.3.4 and an attribute value of IA5String. In order to ensure that UI behaviour is consistent, and that CAs do not introduce additional information that confuses or misleads relying parties, such prohibitions are useful.</div><div><br></div><div><br></div><div>As such, (j) serves a very important purpose, and while I appreciate your questions to understand its usage as well, would be very inappropriate to remove. More importantly, that suggestion seems to miss the first section of that requirement (j) - namely, that the content actually be verified by the CA. Were we to adopt your suggestion - fully removing (j) - then CAs would be fully permitted to introduce invalid, misleading information, which would be contained within the certificate and displayed to users, without violating the Baseline Requirements.</div><div><br></div><div>Even if we were to scope your request more narrowly, and remove simply that section of (j), we would be returning to the wild west of arbitrary CA contents, and that's undesirable.</div><div><br></div><div>So no, I do not believe any changes to this section are necessary, and hope that all CA participants are reviewing their systems to ensure compliance.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 17, 2017 at 8:54 PM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_-155593644471316204WordSection1">
<p class="MsoNormal">There has been a discussion on a Mozilla list <span class="m_-155593644471316204f0xo1gc-mb-y2">
<span style="color:#222222">Certificates with Metadata-Only Subject Fields, <a href="https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Sae5lpT02Ng" target="_blank">
https://groups.google.com/<wbr>forum/#!topic/mozilla.dev.<wbr>security.policy/Sae5lpT02Ng</a></span></span><span class="m_-155593644471316204f0xo1gc-mb-y2">, that concerns BR
</span><span>7.1.4.2.2. Subject Distinguished Name Fields:<u></u><u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><b><span>j. Other Subject Attributes<u></u><u></u></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span>All other optional attributes, when present within the subject field, MUST contain information that has<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span>been verified by the CA.
<span style="background:yellow">Optional attributes MUST NOT contain metadata such as ‘.’, ‘‐‘, and ‘ ‘ (i.e. space)<u></u><u></u></span></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="background:yellow">characters, and/or any other indication that the value is absent, incomplete, or not applicable</span><span>.</span><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">My question to the Forum is – where did this language come from? An RFC? Some other standard? Does this prohibition actually make sense (especially for the OU field, which is optional but must be verified by the CA if it includes identity-type
information)? Can we consider deleting sub (j) or clarifying it only applies to certain fields?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b>Ballot 33 – Subject attribute requirements (4 August 2009)<u></u><u></u></b></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Vote<u></u><u></u></span></p>
<p class="m_-155593644471316204line862" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Yes: Entrust, <span style="border:none windowtext 1.0pt;padding:0in">VeriSign</span>, <span style="border:none windowtext 1.0pt;padding:0in">GlobalSign</span>,<wbr> <span style="border:none windowtext 1.0pt;padding:0in">DigiCert</span>,
T-Systems, <span style="border:none windowtext 1.0pt;padding:0in">QuoVadis</span>, <span style="border:none windowtext 1.0pt;padding:0in">StartCom</span>, Buypass, Trustwave, Comodo, SSC and Microsoft.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">No: None.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Abstain: None.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Result: Accepted.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Motion:<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Steve Roylance made the following motion, and Johnathan Nightingale and Jay Schiavo endorsed it:<u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<p class="m_-155593644471316204line862" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Motion begins<u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">The Guidelines should be amended by the following erratum.<u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<p class="m_-155593644471316204line862" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Erratum begins<u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Delete the following paragraph from Section 6.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="m_-155593644471316204line874" style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">6. EV Certificate Content Requirements This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of
the EV Certificate.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Insert the following paragraph:<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="m_-155593644471316204line874" style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">6. EV Certificate Content Requirements This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of
the EV Certificate. Optional data fields within the subject DN should contain either information verified by the CA or be left empty.
<span style="background:yellow">Meta data such as ‘.’, ‘-‘ and ‘ ‘ characters and or any other indication that the field is not applicable should not be used.</span><u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Delete the following paragraph from Section 6(a)(4).<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Contents These fields MUST contain information only at and above the level of the Incorporating Agency or Registration Agency – e.g., the Jurisdiction of Incorporation for an Incorporating
Agency or Jurisdiction of Registration for a Registration Agency at the country level would include country information but not state or province or locality information; the Jurisdiction of Incorporation for the applicable Incorporating Agency or Registration
Agency at the state or province level would include both country and state or province information, but not locality information; and so forth. Country information MUST be specified using the applicable ISO country code. State or province information, and
locality information (where applicable), for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Insert the following paragraph:<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Contents These fields MUST contain information only relevant to the level of the Incorporating Agency or Registration Agency – e.g., the Jurisdiction of Incorporation for an Incorporating
Agency or Jurisdiction of Registration for a Registration Agency at the country level would include country information but not state or province or locality information; the Jurisdiction of Incorporation for the applicable Incorporating Agency or Registration
Agency at the state or province level would include both country and state or province information, but not locality information ; the Jurisdiction of Incorporation for the applicable Incorporating Agency or Registration Agency at locality level would include
country and also state or province information where the state or province regulates the registration of the entities at the locality level. Country information MUST be specified using the applicable ISO country code. State or province or locality information
(where applicable), for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Delete the following paragraph from the Definitions Section.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">41. Jurisdiction of Incorporation: In the case of a Private Organization, the country and (where applicable) the state or province where the organization’s legal existence was established
by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the case of a Government Entity, the country and (where applicable) the state or province where the Entity’s legal existence was created by law.<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Insert the following paragraph:<u></u><u></u></span></p>
<p class="m_-155593644471316204line874" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">41. Jurisdiction of Incorporation: In the case of a Private Organization, the country and (where applicable) the state or province or locality where the organization’s legal existence
was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the case of a Government Entity, the country and (where applicable) the state or province where the Entity’s legal existence was
created by law.<u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<p class="m_-155593644471316204line862" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Erratum ends<u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade style="color:black" align="center">
</div>
<p class="m_-155593644471316204line862" style="margin:0in;margin-bottom:.0001pt;background:white;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;text-decoration-style:initial;text-decoration-color:initial;word-spacing:0px">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Motion ends<u></u><u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>