<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Cambria">One more reference, see section 5.1.4 in:<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.01.01_60/en_31941201v010101p.pdf">http://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.01.01_60/en_31941201v010101p.pdf</a></font><br>
<br>
Thanks,<br>
M.D.<br>
<br>
<br>
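An added example, not part of the original thread or of the ballot: the dnQualifier value described in the Ballot 208 motion text quoted below, computed for a constructed SAN list whose first name exceeds the 64-character commonName limit discussed in the thread.<br>
It assumes the hash is taken over the DER-encoded GeneralNames carried inside the extnValue OCTET STRING; the function names and sample domains are illustrative.<br>

```python
"""Added example: dnQualifier derived from the subjectAltName, per the motion text."""
import base64
import hashlib

UB_COMMON_NAME = 64  # RFC 5280 upper bound on commonName, in characters

# Characters permitted in an ASN.1 PrintableString (the dnQualifier syntax).
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def der_len(n):
    """DER definite-length octets for a content length of n bytes."""
    if n > 127:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(body)]) + body
    return bytes([n])


def der_tlv(tag, value):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def san_extn_value(dns_names):
    """DER GeneralNames (SEQUENCE OF) holding only dNSName entries.

    0x82 is the context tag [2] that marks a dNSName inside GeneralName.
    Assumption: these bytes are what the motion text calls the extnValue.
    """
    entries = b"".join(der_tlv(0x82, name.encode("ascii")) for name in dns_names)
    return der_tlv(0x30, entries)


def dn_qualifier(extn_value):
    """base64(SHA1(extnValue)), as worded in the motion text."""
    return base64.b64encode(hashlib.sha1(extn_value).digest()).decode("ascii")


def is_printable_string(value):
    """True when every character is allowed in a PrintableString."""
    return all(ch in PRINTABLE for ch in value)


def subject_attributes(dns_names):
    """Subject attributes a DV certificate could carry under the motion text.

    commonName is emitted only when the first name fits in 64 characters;
    the dnQualifier keeps the subject non-empty either way.
    """
    attrs = []
    primary = dns_names[0]
    if len(primary) > UB_COMMON_NAME:
        pass  # too long for commonName: the name lives in the SAN only
    else:
        attrs.append(("commonName", primary))
    qualifier = dn_qualifier(san_extn_value(dns_names))
    if not is_printable_string(qualifier):
        raise ValueError("dnQualifier must be a PrintableString")
    attrs.append(("dnQualifier", qualifier))
    return attrs


# Constructed sample names (not taken from the thread). LONG_NAME is 73 chars.
LONG_NAME = "a" * 30 + "." + "b" * 30 + ".example.com"
SHORT_NAME = "www.example.com"

if __name__ == "__main__":
    for names in ([LONG_NAME, SHORT_NAME], [SHORT_NAME, LONG_NAME]):
        print(len(names[0]), subject_attributes(names))
```

Because the hash covers the encoded bytes, the same names in a different order produce a different dnQualifier, so a CA grouping certificates "by alternative name set" needs a fixed SAN ordering.<br>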
<div class="moz-cite-prefix">On 10/23/2017 6:02 PM, 陳立群 via Public
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:009b01d34c0f$fe408ce0$fac1a6a0$@cht.com.tw">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">What about using
serialNumber (2.5.4.5)?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Li-Chun Chen </span><span
style="font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> Ryan Sleevi [<a class="moz-txt-link-freetext" href="mailto:sleevi@google.com">mailto:sleevi@google.com</a>] <br>
<b>Sent:</b> Monday, October 23, 2017 9:54 PM<br>
<b>To:</b> </span><span style="font-size:10.0pt">陳立群</span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"><br>
<b>Cc:</b> Geoff Keating; CA/Browser Forum Public Discussion
List<br>
<b>Subject:</b> [</span><span style="font-size:10.0pt">External mail</span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">] Re: [cabfpub] Ballot 208 - dnQualifiers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Given that the naming
authority is the DNS, and two entities with the same 64
character prefix domain would be equivalent, it does not
seem at all incorrect or imprecise to include this
information in the dnQualifier.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hopefully we can
find a solution other than "Don't have long domains
because the commonName" - a field deprecated nearly two
decades ago.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On Sun, Oct 22,
2017 at 10:41 AM, </span>陳立群<span lang="EN-US">
<<a href="mailto:realsky@cht.com.tw"
target="_blank" moz-do-not-send="true">realsky@cht.com.tw</a>>
wrote:<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US">I would like to second Geoff's
opinion about the dnQualifier attribute. In the
ITU-T X.520 standard, the definition of the
dnQualifier attribute is as follows:</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US">The DN Qualifier attribute type
specifies disambiguating information to add to
the relative distinguished name of an entry. It
is intended to be used for entries held in
multiple DSAs which would otherwise have the
same name, and that its value be the same in a
given DSA for all entries to which this
information has been added.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US">From what I understand, the
dnQualifier attribute is intended to distinguish
two different entities which would otherwise
have the same DN if they are named by different
DSAs (or naming authorities). Therefore, the
attribute value of the dnQualifier is usually
used to indicate the name of the DSA which is in
charge of naming the entity.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US">If we use the dnQualifier attribute
in the manner proposed in this ballot, that will be
a distortion of its original definition in the
X.520 standard.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"> </span><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US">Li-Chun Chen</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Times New
Roman","serif";color:black"
lang="EN-US"> Chunghwa Telecom</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> Public [mailto:<a
href="mailto:public-bounces@cabforum.org"
target="_blank" moz-do-not-send="true">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Geoff Keating via
Public<br>
<b>Sent:</b> Saturday, October 21, 2017 3:15
AM<br>
<b>To:</b> Ryan Sleevi<br>
<b>Cc:</b> CA/Browser Forum Public
Discussion List<br>
<b>Subject:</b> [</span><span
style="font-size:10.0pt">External mail</span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">] Re: [cabfpub] Ballot 208 -
dnQualifiers</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">On Oct 20, 2017, at 11:30 AM,
Ryan Sleevi <<a
href="mailto:sleevi@google.com"
target="_blank" moz-do-not-send="true">sleevi@google.com</a>>
wrote:<o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">On Fri, Oct 20, 2017 at
2:20 PM, Geoff Keating via Public <<a
href="mailto:public@cabforum.org"
target="_blank"
moz-do-not-send="true">public@cabforum.org</a>>
wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div>
<div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">- How this matches
with the X.520 definition of
dnQualifier, in particular the
second sentence:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">The DN Qualifier attribute
type specifies disambiguating
information to add to
the relative distinguished name of
an entry. It is intended to
be used for entries held
in multiple DSAs
which would otherwise have the
same name, and that its value be
the same in a given DSA for
all entries to which
this information has been added.<o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">This matches 1:1. Is
there a concern that it doesn't match,
or that more rules are necessary?<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">What I quoted above is X.520.
It doesn't seem to me to be describing the
same thing as the ballot. In particular,
normally you would consider a CA’s issuing
infrastructure to be one single DSA, which
produces a contradiction between the ballot
text "The CA MAY set the dnQualifier value to
the base64 encoding of the SHA1 hash of
the subjectAlternativeName” and X.520’s text
“its value be the same in a given DSA”.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div>
<div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">- How this is
actually intended to be used in
the web PKI?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">As raised on our most
recent call, one notable thing is that
this allows CAs to issue single
certificates for domain names greater
than 64 characters, at a DV level,
while interoperably working with the
Web PKI. This flows as follows:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">- The X.509/RFC 5280
definition for commonName is limited
to 64 characters.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">- If you have a
certificate with a domain name greater
than 64 characters, you cannot place
it in the common name of the subject.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">- The common name of the
subject may only contain domain names
and IP addresses.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">- All other specified
fields of the Subject must be
validated to OV level.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">As a consequence, the
only way with DV today to represent
these certificates is with an empty
sequence for the subject name and a
critical subjectAltName, pursuant to
RFC5280. You can see this at <a
href="https://no-subject.badssl.com"
target="_blank"
moz-do-not-send="true">https://no-subject.badssl.com</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">If you tried to load that
on Apple iOS, it would load.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">If you tried to load that
on Apple macOS earlier than 10.10, it
would load.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">If you tried to load that
on Apple macOS since 10.10, it will
fail, as empty subjects are no longer
supported.<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">It works for me in 10.11—so
does that mean this ballot is no longer
needed?<o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">This provides a way for a
CA to ensure that a DV certificate
with a domain name of more than 64
characters can be issued, by using the
dnQualifier field (which is
CA-controlled, as noted in the
relevant X.520 text you cited) to
serve as a disambiguator between
certificates the CA has issued.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">Does that help capture
it?<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">I see the problem but I’m very
hesitant to standardise something in
CABforum which contradicts X.520.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">Have we really explored other
alternatives? For example, truncate the
commonName to 60 characters and append an
ellipsis in Unicode (“…”) so that it can’t
be confused with a domain name.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">On Oct
12, 2017, at 11:04 AM,
Ben Wilson via Public
<<a
href="mailto:public@cabforum.org"
target="_blank"
moz-do-not-send="true">public@cabforum.org</a>>
wrote:<o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<div>
<p
class="m9145430664166345883gmail-m-4595804663788861089line867"><strong><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">Ballot
208 - dnQualifiers</span></strong><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">This
ballot allows CAs to
use dnQualifiers in
certificates to
partition groups of
certificates into
different sets and
to allow
non-identity
information to be
included in DV
certificates.<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line862"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">The
following motion has
been proposed by
Peter Bowen of
Amazon and endorsed
by Ben Wilson of
DigiCert and Ryan
Sleevi of Google.<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">--
MOTION BEGINS --<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">In the
Baseline
Requirements,
REPLACE the
definition of
"Subject Identity
Information" with:<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">"Information
that identifies the
Certificate Subject.
Subject Identity
Information does not
include [strikeout]<s>a
domain name listed
in the
subjectAltName
extension or the
Subject commonName
field</s>[/strikeout]
[insert]<u>dnQualifier
attributes in
Distinguished
Names, commonName
attributes in
Distinguished
Names, dNSName
Subject
Alternative Names,
iPAddress Subject
Alternative Names,
or SRVName Subject
Alternative Names</u>[/insert]."<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">In
Section 7.1.4.2.2
Subject
Distinguished Name
Fields, re-letter
"j" (Other Subject
Attributes) as
letter "k" and
INSERT a new
subsection j. that
reads:<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">j.
Certificate Field:
subject:dnQualifier<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">Optional.
Contents: This
field is intended
to be used when
several
certificates with
the same subject
can be partitioned
into sets of
related
certificates. Each
related
certificate set
MAY have the same
dnQualifier. The
CA may include a
dnQualifier
attribute with a
zero length value
to explicitly
indicate that the
CA makes no
assertion about
relationship with
other certificates
with the same
subject. The CA
MAY set the
dnQualifier value
to the base64
encoding of the
SHA1 hash of the
subjectAlternativeName
extnValue if it
wishes to indicate
grouping of
certificates by
alternative name
set.<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></li>
</ul>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">--
MOTION ENDS --<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">The
procedure for
approval of this
Final Maintenance
Guideline ballot is
as follows (exact
start and end times
may be adjusted to
comply with
applicable Bylaws
and IPR Agreement):<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">BALLOT
208 Status: Final
Maintenance
Guideline Start time
(22:00 UTC) End time
(22:00 UTC)<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">Discussion
begins October 12,
2017 22:00 UTC and
ends October 19,
2017 22:00 UTC (7
days)<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">Vote
for approval begins
October 19, 2017
22:00 UTC and ends
October 26, 2017
22:00 UTC (7 days)<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">If vote
approves ballot:
Review Period (Chair
to send Review
Notice) (30 days).
If Exclusion
Notice(s) filed,
ballot approval is
rescinded and PAG to
be created. If no
Exclusion Notices
filed, ballot
becomes effective at
end of Review
Period. Upon filing
of Review Notice by
Chair 30 days after
filing of Review
Notice by Chair<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">From
Bylaw 2.3: If the
Draft Guideline
Ballot is proposing
a Final Maintenance
Guideline, such
ballot will include
a redline or
comparison showing
the set of changes
from the Final
Guideline section(s)
intended to become a
Final Maintenance
Guideline, and need
not include a copy
of the full set of
guidelines. Such
redline or
comparison shall be
made against the
Final Guideline
section(s) as they
exist at the time a
ballot is proposed,
and need not take
into consideration
other ballots that
may be proposed
subsequently, except
as provided in Bylaw
Section 2.3(j).<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line862"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">Votes
must be cast by
posting an on-list
reply to this thread
on the Public list.
A vote in favor of
the motion must
indicate a clear
'yes' in the
response. A vote
against must
indicate a clear
'no' in the
response. A vote to
abstain must
indicate a clear
'abstain' in the
response. Unclear
responses will not
be counted. The
latest vote received
from any
representative of a
voting member before
the close of the
voting period will
be counted. Voting
members are listed
here:<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span><a
href="https://cabforum.org/members/" target="_blank"
moz-do-not-send="true"><span
style="color:#954F72">https://cabforum.org/members/</span></a></span><span
lang="EN-US"><o:p></o:p></span></p>
<p
class="m9145430664166345883gmail-m-4595804663788861089line874"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">In
order for the motion
to be adopted, two
thirds or more of
the votes cast by
members in the CA
category and greater
than 50% of the
votes cast by
members in the
browser category
must be in favor.
Quorum is shown on
CA/Browser Forum
wiki. Under Bylaw
2.2(g), at least the
required quorum
number must
participate in the
ballot for the
ballot to be valid,
either by voting in
favor, voting
against, or
abstaining.<span
class="m9145430664166345883gmail-m-4595804663788861089apple-converted-space"> </span></span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"><pre-ballot-208-dnQualifier.pdf></span><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif""
lang="EN-US">_______________________________________________<br>
Public mailing list<br>
</span><span lang="EN-US"><a
href="mailto:Public@cabforum.org" target="_blank" moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#954F72">Public@cabforum.org</span></a></span><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif""
lang="EN-US"><br>
</span><span lang="EN-US"><a
href="https://cabforum.org/mailman/listinfo/public" target="_blank"
moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#954F72">https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Please be
advised that this email message (including any
attachments) contains confidential information
and may be legally privileged. If you are not
the intended recipient, please destroy this
message and all attachments from your system and
do not further collect, process, or use them.
Chunghwa Telecom and all its subsidiaries and
associated companies shall not be liable for the
improper or incomplete transmission of the
information contained in this email nor for any
delay in its receipt or damage to your system.
If you are the intended recipient, please
protect the confidential and/or personal
information contained in this email with due
care. Any unauthorized use, disclosure or
distribution of this message in whole or in part
is strictly prohibited. Also, please
self-inspect attachments and hyperlinks
contained in this email to ensure the
information security and to protect personal
information.<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
</body>
</html>