<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Cambria">Just for the record, see Section 4.2.1 for how ETSI
resolved the disambiguation of identical subject issue:<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.etsi.org/deliver/etsi_en/319400_319499/31941203/01.01.01_60/en_31941203v010101p.pdf">http://www.etsi.org/deliver/etsi_en/319400_319499/31941203/01.01.01_60/en_31941203v010101p.pdf</a><br>
<br>
Thanks,<br>
M.D.</font><br>
<br>
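<p>Added example, not code from this thread or from the CA/Browser Forum: it derives the Ballot 208 dnQualifier value (base64 of the SHA-1 hash of the subjectAltName extnValue) for a constructed dNSName set and shows why a dNSName longer than 64 characters cannot be carried in commonName, the situation the thread describes. The DER encoder is a minimal hand-rolled one covering dNSName only, the sample names are constructed, and the sorting of names before hashing is this example's own assumption, since the ballot text defines no ordering.</p>

```python
"""Added example, not code from the CA/Browser Forum thread: derive the
Ballot 208 dnQualifier value (base64 of the SHA-1 hash of the
subjectAltName extnValue) for a constructed dNSName set, and show why a
dNSName longer than 64 characters cannot be carried in commonName."""
import base64
import hashlib
from typing import Dict, List

# X.520 / RFC 5280 ub-common-name, the 64-character limit cited in the thread.
UB_COMMON_NAME = 64


def der_length(n: int) -> bytes:
    """DER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def san_extn_value(dns_names: List[str]) -> bytes:
    """Minimal hand-rolled DER for SubjectAltName ::= GeneralNames, a SEQUENCE
    of dNSName entries ([2] IMPLICIT IA5String, context tag 0x82).
    Only dNSName is handled; iPAddress and SRVName are not encoded here."""
    names = b"".join(der_tlv(0x82, n.encode("ascii")) for n in dns_names)
    return der_tlv(0x30, names)


def dn_qualifier(dns_names: List[str]) -> str:
    """The ballot's optional derivation: base64(SHA1(SAN extnValue)).
    The ballot defines no ordering, so the value is order-sensitive; callers
    must canonicalise the name list consistently for grouping to work."""
    digest = hashlib.sha1(san_extn_value(dns_names)).digest()
    return base64.b64encode(digest).decode("ascii")


def fits_common_name(name: str) -> bool:
    """True when the name can legally be placed in subject:commonName."""
    return len(name) <= UB_COMMON_NAME


def build_dv_subject(dns_names: List[str]) -> Dict[str, str]:
    """Assemble a DV subject as the thread describes: commonName only when
    some SAN entry fits the 64-character bound, otherwise no CN at all, with
    dnQualifier supplying the CA-controlled grouping value in either case.
    Sorting before hashing is an assumption of this example, not the ballot."""
    subject: Dict[str, str] = {}
    short_names = [n for n in dns_names if fits_common_name(n)]
    if short_names:
        subject["CN"] = short_names[0]
    subject["dnQualifier"] = dn_qualifier(sorted(dns_names))
    return subject


if __name__ == "__main__":
    # Constructed sample: one dNSName longer than 64 characters.
    long_name = "a" * 60 + ".example.test"
    print(build_dv_subject([long_name]))
    print(build_dv_subject([long_name, "example.test"]))
```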
<div class="moz-cite-prefix">On 10/22/2017 9:05 PM, Peter Bowen via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:944E502C-F4E2-4D28-B0A3-B72DB4408667@amzn.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="">The dnQualifier is designed to add “disambiguating
information” to Distinguished Names. This ballot uses it for
that purpose. Notably I expect CAs to use it to disambiguate
certificates where there is no distinguished name or where the
CA has information that two certificates with identical subjects
were issued to different entities.</div>
<div class=""><br class="">
</div>
<div class="">The issue that both Li-Chun and Geoff raise appears
to be whether we should use a different attribute type instead
of dnQualifier. The most obvious suggestion would be to define
a new attribute type, under an Object Identifier arc that is
managed by the Forum or a member. However this results in
real-world compatibility issues. There are numerous products
which error if a certificate DN contains attributes not on a
whitelist.</div>
<div class=""><br class="">
</div>
<div class="">Two examples I found with a few minutes of looking
online:</div>
<div class=""><br class="">
</div>
<div class="">Cisco VCS: "If you experience unknown ssh failures
such as ssh tunnels failing to establish, please verify there
are no unknown OIDs in the certificate. This can be done by
checking that there are no undecoded numerical entries in the CN
of the Issuer & Subject fields” (from <a
href="https://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-8/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-8.pdf"
class="" moz-do-not-send="true">https://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-8/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-8.pdf</a>)</div>
<div class=""><br class="">
</div>
<div class="">IBM Sterling B2B Integrator: “Cannot find a class
that corresponds to Oid 1.3.6.1.4.1.311.60.2.1.1; please see
oid.map for details” (from <a
href="http://www-01.ibm.com/support/docview.wss?uid=swg21649708"
class="" moz-do-not-send="true">http://www-01.ibm.com/support/docview.wss?uid=swg21649708</a>)</div>
<div class=""><br class="">
</div>
<div class="">A bit of searching on “oid.map”, I did find the
source, which is a PKIX library from Certicom. The part of
oid.map that seems relevant is below. I note dnQualifier is not
there, so maybe we should choose one of the attributes below:</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""> "CommonName, CN", 2.5.4.3</div>
<div class=""> "Surname, SN", 2.5.4.4</div>
<div class=""> "SerialNumber", 2.5.4.5</div>
<div class=""> "Country, C", 2.5.4.6</div>
<div class=""> "Locality, L", 2.5.4.7</div>
<div class=""> "StateOrProvince, ST, SP", 2.5.4.8</div>
<div class=""> "StreetAddress, STREET", 2.5.4.9</div>
<div class=""> "Organization, O", 2.5.4.10</div>
<div class=""> "OrganizationUnit, OU", 2.5.4.11</div>
<div class=""> "Title", 2.5.4.12</div>
<div class=""> "PostalCode", 2.5.4.17</div>
<div class=""> "PhoneNumber", 2.5.4.20</div>
<div class=""> "EmailAddress, E", 1.2.840.113549.1.9.1</div>
<div class=""> "rfc822Mailbox", 0.9.2342.19200300.100.1.3</div>
<div class=""><br class="">
</div>
<div class=""> # Controls (from RFC-2511)</div>
<div class=""> "Registration Token", 1.3.6.1.5.5.7.5.1.1</div>
<div class=""> "Authenticator", 1.3.6.1.5.5.7.5.1.2</div>
<div class=""> "Publication Information", 1.3.6.1.5.5.7.5.1.3</div>
<div class=""> "Archive Options", 1.3.6.1.5.5.7.5.1.4</div>
<div class=""> "OldCert ID", 1.3.6.1.5.5.7.5.1.5</div>
<div class=""> "Protocol Encryption Key", 1.3.6.1.5.5.7.5.1.6</div>
<div class=""><br class="">
</div>
<div class=""> # Registration Info (from RFC-2511)</div>
<div class=""> "UTF8 Pairs", 1.3.6.1.5.5.7.5.2.1</div>
<div class=""> "Cert Request", 1.3.6.1.5.5.7.5.2.2</div>
<div class=""><br class="">
</div>
<div class=""> # X.500 directory stuff (from RFC-1274)</div>
<div class=""> "userId", 0.9.2342.19200300.100.1.1</div>
<div class=""><br class="">
</div>
<div class=""> # These are Trustpoint defined and are used
between the policies and the Admin in the</div>
<div class=""> # additional-info sent up</div>
<div class=""> "Request-Time", 1.3.6.1.4.1.3156.11.1</div>
<div class=""> "Integrity-Verified", 1.3.6.1.4.1.3156.11.2</div>
<div class=""> "EE-Password", 1.3.6.1.4.1.3156.12.1</div>
<div class=""> "EE-Certificate", 1.3.6.1.4.1.3156.12.2</div>
<div class=""><br class="">
</div>
<div class=""> # Domain Component</div>
<div class=""> "Domain Component", 0.9.2342.19200300.100.1.25</div>
<div class=""> "IncorporationLocality",
1.3.6.1.4.1.311.60.2.1.1</div>
<div class=""> "OtherCountry", 1.3.6.1.4.1.311.60.2.1.3</div>
<div class=""> "OtherState", 1.3.6.1.4.1.311.60.2.1.2</div>
<div class=""> "BusinessCategory", 2.5.4.15</div>
</div>
<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Oct 22, 2017, at 7:41 AM, 陳立群 via Public <<a
href="mailto:public@cabforum.org" class=""
moz-do-not-send="true">public@cabforum.org</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="WordSection1" style="page: WordSection1;
font-family: Helvetica; font-size: 12px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US">I would like to second
Geoff's opinion about the dnQualifier attribute. In
the ITU-T X.520 standard, the definition of the
dnQualifier attribute is as the following:<o:p
class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US">The DN Qualifier
attribute type specifies disambiguating information to
add to the relative distinguished name of an entry. It
is intended to be used for entries held in multiple
DSAs which would otherwise have the same name, and
that its value be the same in a given DSA for all
entries to which this information has been added.<o:p
class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US">From what I understand,
the dnQualifier attribute is intended to distinguish
two different entities which would otherwise have the
same DN if they are named by different DSAs (or naming
authorities). Therefore, the attribute value of the
dnQualifier is usually used to indicate the name of
the DSA which is in charge of naming the entity.<o:p
class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US">If we use
the dnQualifier attribute in the manner proposed this
ballot, that will be a distortion on its original
definition in the X.520 standard.<o:p class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: Calibri, sans-serif; color:
rgb(31, 73, 125);" class="" lang="EN-US"> <span
class="Apple-converted-space"> </span></span><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US">Li-Chun Chen<o:p
class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: "Times New Roman",
serif;" class="" lang="EN-US"> Chunghwa Telecom<o:p
class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span
style="font-family: Calibri, sans-serif; color:
rgb(31, 73, 125);" class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div class="">
<div style="border-style: solid none none;
border-top-width: 1pt; border-top-color: rgb(181, 196,
223); padding: 3pt 0cm 0cm;" class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><b class=""><span
style="font-size: 10pt; font-family: Tahoma,
sans-serif;" class="" lang="EN-US">From:</span></b><span
style="font-size: 10pt; font-family: Tahoma,
sans-serif;" class="" lang="EN-US"><span
class="Apple-converted-space"> </span>Public [<a
href="mailto:public-bounces@cabforum.org"
style="color: purple; text-decoration:
underline;" class="" moz-do-not-send="true">mailto:public-bounces@cabforum.org</a>]<span
class="Apple-converted-space"> </span><b
class="">On Behalf Of<span
class="Apple-converted-space"> </span></b>Geoff
Keating via Public<br class="">
<b class="">Sent:</b><span
class="Apple-converted-space"> </span>Saturday,
October 21, 2017 3:15 AM<br class="">
<b class="">To:</b><span
class="Apple-converted-space"> </span>Ryan
Sleevi<br class="">
<b class="">Cc:</b><span
class="Apple-converted-space"> </span>CA/Browser
Forum Public Discussion List<br class="">
<b class="">Subject:</b><span
class="Apple-converted-space"> </span>[</span><span
style="font-size: 10pt;" class="">外部郵件</span><span
style="font-size: 10pt; font-family: Tahoma,
sans-serif;" class="" lang="EN-US">] Re: [cabfpub]
Ballot 208 - dnQualifiers<o:p class=""></o:p></span></div>
</div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><br class="">
<br class="">
<o:p class=""></o:p></span></div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US">On Oct 20, 2017, at 11:30 AM, Ryan
Sleevi <<a href="mailto:sleevi@google.com"
style="color: purple; text-decoration:
underline;" class="" moz-do-not-send="true">sleevi@google.com</a>>
wrote:<o:p class=""></o:p></span></div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">On Fri, Oct 20, 2017
at 2:20 PM, Geoff Keating via Public <<a
href="mailto:public@cabforum.org"
target="_blank" style="color: purple;
text-decoration: underline;" class=""
moz-do-not-send="true">public@cabforum.org</a>>
wrote:<o:p class=""></o:p></span></div>
</div>
</div>
</div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><br class="">
<br class="">
<o:p class=""></o:p></span></div>
<div class="">
<div class="">
<div class="">
<blockquote style="border-style: none none none
solid; border-left-width: 1pt;
border-left-color: rgb(204, 204, 204); padding:
0cm 0cm 0cm 6pt; margin-left: 4.8pt;
margin-right: 0cm;" class="" type="cite">
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體,
serif;" class=""><span class=""
lang="EN-US">- How this matches with the
X.520 definition of dnQualifier, in
particular the second sentence:<o:p
class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體,
serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體,
serif;" class=""><span class=""
lang="EN-US">The DN Qualifier attribute
type specifies disambiguating
information to add to
the relative distinguished name of
an entry. It is intended to be used
for entries held in multiple DSAs
which would otherwise have the
same name, and that its value be the
same in a given DSA for all entries
to which this information has
been added.<o:p class=""></o:p></span></div>
</div>
</div>
</blockquote>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">This matches 1:1. Is
there a concern that it doesn't match, or
that more rules are necessary?<o:p class=""></o:p></span></div>
</div>
</div>
</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US">What I quoted above is X.520. It
doesn't seem to me to be describing the same thing
as the ballot. In particular, normally you would
consider a CA’s issuing infrastructure to be one
single DSA, which produces a contradiction between
the ballot text "The CA MAY set the dnQualifier
value to the base64 encoding of the SHA1 hash of
the subjectAlternativeName” and X.520’s text “its
value be the same in a given DSA”.<o:p class=""></o:p></span></div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><br class="">
<br class="">
<o:p class=""></o:p></span></div>
<div class="">
<div class="">
<div class="">
<blockquote style="border-style: none none none
solid; border-left-width: 1pt;
border-left-color: rgb(204, 204, 204); padding:
0cm 0cm 0cm 6pt; margin-left: 4.8pt;
margin-right: 0cm;" class="" type="cite">
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體,
serif;" class=""><span class=""
lang="EN-US">- How this is actually
intended to be used in the web PKI?<o:p
class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體,
serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
</div>
</blockquote>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">As raised on our most
recent call, one notable thing is that this
allows CAs to issue single certificates for
domain names greater than 64 characters, at
a DV level, while interoperably working with
the Web PKI. This flows as follows:<o:p
class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">- The X.509/RFC 5280
definition for commonName is limited to 64
characters.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">- If you have a
certificate with a domain name greater than
64 characters, you cannot place it in the
common name of the subject.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">- The common name of
the subject may only contain domain names
and IP addresses.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">- All other specified
fields of the Subject must be validated to
OV level.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">As a consequence, the
only way with DV today to represent these
certificates is with an empty sequence for
the subject name and a critical
subjectAltName, pursuant with RFC5280. You
can see this at<span
class="Apple-converted-space"> </span><a
href="https://no-subject.badssl.com/"
style="color: purple; text-decoration:
underline;" class=""
moz-do-not-send="true">https://no-subject.badssl.com</a><o:p
class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">If you tried to load
that on Apple iOS, it would load.<o:p
class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">If you tried to load
that on Apple macOS earlier than 10.10, it
would load.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">If you tried to load
that on Apple macOS since 10.10, it will
fail, as empty subjects are no longer
supported.<o:p class=""></o:p></span></div>
</div>
</div>
</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US">It works for me in 10.11—so does that
mean this ballot is no longer needed?<o:p class=""></o:p></span></div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><br class="">
<br class="">
<o:p class=""></o:p></span></div>
<div class="">
<div class="">
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">This provides a way
for a CA to ensure that a DV certificate
with a domain name of more than 64
characters can be issued, by using the
dnQualifier field (which is CA-controlled,
as noted in the relevant X.520 text you
cited) to serve as a disambiguator between
certificates the CA has issued.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US">Does that help capture
it?<o:p class=""></o:p></span></div>
</div>
</div>
</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US">I see the problem but I’m very
hesitant to standardise something in CABforum
which contradicts X.520.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US">Have we really explored other
alternatives? For example, truncate the
commonName to 60 characters and append an ellipsis
in Unicode (“…”) so that it can’t be confused with
a domain name.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;"
class="" type="cite">
<div class="">
<div class="">
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體, serif;"
class=""><span class="" lang="EN-US"> <o:p
class=""></o:p></span></div>
</div>
<blockquote style="border-style: none none none
solid; border-left-width: 1pt;
border-left-color: rgb(204, 204, 204);
padding: 0cm 0cm 0cm 6pt; margin-left: 4.8pt;
margin-right: 0cm;" class="" type="cite">
<div class="">
<div class="">
<div class="">
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt;" class=""
type="cite">
<div class="">
<div class="">
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;"
class=""><span class=""
lang="EN-US">On Oct 12,
2017, at 11:04 AM, Ben
Wilson via Public <<a
href="mailto:public@cabforum.org"
target="_blank"
style="color: purple;
text-decoration:
underline;" class=""
moz-do-not-send="true">public@cabforum.org</a>>
wrote:<o:p class=""></o:p></span></div>
</div>
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;"
class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
</div>
<div class="">
<div class="">
<div class="">
<div class="">
<p
class="gmail-m-4595804663788861089line867"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><strong class=""><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">Ballot 208
- dnQualifiers</span></strong><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US"><o:p class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">This ballot
allows CAs to use
dnQualifiers in
certificates to partition
groups of certificates
into different sets and to
allow non-identity
information to be included
in DV certificates.<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line862"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">The following
motion has been proposed
by Peter Bowen of Amazon
and endorsed by Ben Wilson
of DigiCert and Ryan
Sleevi of Google.<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">-- MOTION
BEGINS --<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">In the
Baseline Requirements,
REPLACE the definition of
"Subject Identity
Information" with:<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">"Information
that identifies the
Certificate Subject.
Subject Identity
Information does not
include [strikeout]<s
class="">a domain name
listed in the
subjectAltName extension
or the Subject
commonName field</s>[/strikeout]
[insert]<u class="">dnQualifier
attributes in
Distinguished Names,
commonName attributes in
Distinguished Names,
dNSName Subject
Alternative Names,
iPAddress Subject
Alternative Names, or
SRVName Subject
Alternative Names</u>[/insert]."<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">In Section
7.1.4.2.2 Subject
Distinguished Name Fields,
re-letter "j" (Other
Subject Attributes) as
letter "k" and INSERT a
new subsection j. that
reads:<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">j.
Certificate Field:
subject:dnQualifier<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<ul style="margin-bottom: 0cm;
margin-top: 0cm;" class=""
type="disc">
<li class="MsoNormal"
style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">Optional.
Contents: This field is
intended to be used when
several certificates
with the same subject
can be partitioned into
sets of related
certificates. Each
related certificate set
MAY have the same
dnQualifier. The CA may
include a dnQualifier
attribute with a zero
length value to
explicitly indicate that
the CA makes no
assertion about
relationship with other
certificates with the
same subject. The CA MAY
set the dnQualifier value
to the base64 encoding
of the SHA1 hash of the
subjectAlternativeName
extnValue if it wishes
to indicate grouping of
certificates by
alternative name set.<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></li>
</ul>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">-- MOTION
ENDS --<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">The procedure
for approval of this Final
Maintenance Guideline
ballot is as follows
(exact start and end times
may be adjusted to comply
with applicable Bylaws and
IPR Agreement):<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">BALLOT 208
Status: Final Maintenance
Guideline Start time
(22:00 UTC) End time
(22:00 UTC)<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">Discussion
begins October 12, 2017
22:00 UTC and ends October
19, 2017 22:00 UTC (7
days)<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">Vote for
approval begins October
19, 2017 22:00 UTC and
ends October 26, 2017
22:00 UTC (7 days)<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">If vote
approves ballot: Review
Period (Chair to send
Review Notice) (30 days).
If Exclusion Notice(s)
filed, ballot approval is
rescinded and PAG to be
created. If no Exclusion
Notices filed, ballot
becomes effective at end
of Review Period. Upon
filing of Review Notice by
Chair 30 days after filing
of Review Notice by Chair<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">From Bylaw
2.3: If the Draft
Guideline Ballot is
proposing a Final
Maintenance Guideline,
such ballot will include a
redline or comparison
showing the set of changes
from the Final Guideline
section(s) intended to
become a Final Maintenance
Guideline, and need not
include a copy of the full
set of guidelines. Such
redline or comparison
shall be made against the
Final Guideline section(s)
as they exist at the time
a ballot is proposed, and
need not take into
consideration other
ballots that may be
proposed subsequently,
except as provided in
Bylaw Section 2.3(j).<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line862"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">Votes must be
cast by posting an on-list
reply to this thread on
the Public list. A vote in
favor of the motion must
indicate a clear 'yes' in
the response. A vote
against must indicate a
clear 'no' in the
response. A vote to
abstain must indicate a
clear 'abstain' in the
response. Unclear
responses will not be
counted. The latest vote
received from any
representative of a voting
member before the close of
the voting period will be
counted. Voting members
are listed here:<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><a
href="https://cabforum.org/members/" target="_blank" style="color:
purple; text-decoration:
underline;" class=""
moz-do-not-send="true"><span
style="color: rgb(149,
79, 114);" class="">https://cabforum.org/members/</span></a><o:p
class=""></o:p></span></p>
<p
class="gmail-m-4595804663788861089line874"
style="margin-right: 0cm;
margin-left: 0cm; font-size:
12pt; font-family: 新細明體,
serif;"><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US">In order for
the motion to be adopted,
two thirds or more of the
votes cast by members in
the CA category and
greater than 50% of the
votes cast by members in
the browser category must
be in favor. Quorum is
shown on CA/Browser Forum
wiki. Under Bylaw 2.2(g),
at least the required
quorum number must
participate in the ballot
for the ballot to be
valid, either by voting in
favor, voting against, or
abstaining.<span
class="gmail-m-4595804663788861089apple-converted-space"> </span><o:p
class=""></o:p></span></p>
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;"
class=""><span
style="font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""
lang="EN-US"> <o:p
class=""></o:p></span></div>
</div>
</div>
</div>
</div>
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;"
class=""><span class=""
lang="EN-US">&lt;pre-ballot-208-dnQualifier.pdf&gt;</span><span
style="font-size: 9pt;
font-family: Helvetica,
sans-serif;" class=""
lang="EN-US">_______________________________________________<br
class="">
Public mailing list<br class="">
</span><span class="" lang="EN-US"><a
href="mailto:Public@cabforum.org" target="_blank" style="color: purple;
text-decoration: underline;"
class=""
moz-do-not-send="true"><span
style="font-size: 9pt;
font-family: Helvetica,
sans-serif; color: rgb(149,
79, 114);" class="">Public@cabforum.org</span></a></span><span
style="font-size: 9pt;
font-family: Helvetica,
sans-serif;" class=""
lang="EN-US"><br class="">
</span><span class="" lang="EN-US"><a
href="https://cabforum.org/mailman/listinfo/public" target="_blank"
style="color: purple;
text-decoration: underline;"
class=""
moz-do-not-send="true"><span
style="font-size: 9pt;
font-family: Helvetica,
sans-serif; color: rgb(149,
79, 114);" class="">https://cabforum.org/mailman/listinfo/public</span></a><o:p
class=""></o:p></span></div>
</div>
</blockquote>
</div>
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 新細明體,
serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
</div>
</blockquote>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 新細明體, serif;" class=""><span
class="" lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
</div>
</blockquote>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 新細明體, serif;" class=""><span class=""
lang="EN-US"><o:p class=""> </o:p></span></div>
</div>
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">
<div style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">
<div class="">This email may contain confidential information of Chunghwa Telecom Co., Ltd. If you are not the intended recipient, please do not collect, process, or use the contents of this email, and please destroy it.
If you are the intended recipient, you should properly protect the company's trade secrets and personal data contained in this email, must not distribute or disclose them without authorization, and should verify the safety of the attachments and hyperlinks in this email yourself, so that we jointly fulfil our responsibility for information security and personal data protection. </div>
<div class="">Please be advised that this email message
(including any attachments) contains confidential
information and may be legally privileged. If you are
not the intended recipient, please destroy this message
and all attachments from your system and do not further
collect, process, or use them. Chunghwa Telecom and all
its subsidiaries and associated companies shall not be
liable for the improper or incomplete transmission of
the information contained in this email nor for any
delay in its receipt or damage to your system. If you
are the intended recipient, please protect the
confidential and/or personal information contained in
this email with due care. Any unauthorized use,
disclosure or distribution of this message in whole or
in part is strictly prohibited. Also, please
self-inspect attachments and hyperlinks contained in
this email to ensure the information security and to
protect personal information.</div>
</div>
<div style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class=""><br class="">
</div>
<div style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class=""><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<br>
</blockquote>
<br>
</body>
</html>