<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">On Wed, Feb 20, 2019 at 3:26 PM Geoff Keating via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">My response would be that the OU could be a single hyphen minus, but this does not mean ‘absent’ or ’none provided’, it means the organization unit’s name is ‘-’. (Perhaps other units are called ‘•’, ‘▷’, and ‘◆’.)<br>
<br>
It’s definitely the case that 7.1.4.2.2j does not apply to 7.1.4.2.2i, this was intentional because we did not want to require CAs to verify the names of organization units.<br>
<br></blockquote><div><div dir="ltr"><div>I agree with you but I also think this contradicts a lot of the discussions that have happened over the past few years, such as the one Dean referenced.<br></div><div><br></div><div>I also agree with Jeremy's statement that this is "the semi-official interpretation of the requirement based on unofficial discussion", but from a practical perspective, this has been treated as misissuance [1][2], so I think the conservative reponse I provided to Dean is appropriate.</div><div><br></div><div>This issue is related to the ambiguity in EVGL section 9.2.8, and if no one beats me to it, I will propose a ballot to clarify both of these sections.</div><div><br></div><div>- Wayne<br></div><div><br></div><div>[1] <a href="https://misissued.com/batch/5/">https://misissued.com/batch/5/</a><br></div><div>[2] <a href="https://bugzilla.mozilla.org/buglist.cgi?list_id=14577117&short_desc_type=allwordssubstr&short_desc=metadata&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&component=CA%20Certificate%20Compliance" target="_blank">https://bugzilla.mozilla.org/buglist.cgi?list_id=14577117&short_desc_type=allwordssubstr&short_desc=metadata&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&component=CA%20Certificate%20Compliance</a><br></div><div><br></div><div><br></div></div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> On Feb 19, 2019, at 6:30 PM, <a href="mailto:sts07065692175@ezweb.ne.jp" target="_blank">sts07065692175@ezweb.ne.jp</a> wrote:<br>
> <br>
> Thank you for your confirmation.<br>
> <br>
> Is it possible that the value of OU of subject distinguished<br>
> name in a BR subscriber certificate is a single hyphen minus,<br>
> provided that the value satisfies conditions of 7.1.4.2.2.i?<br>
> --<br>
> iida<br>
> <br>
>> Hello,<br>
>> <br>
>> Thank you for contacting the CA/B Forum. You are correct. 7.1.4.2.2.j<br>
>> applies to Subject attributes other than those listed in .a through .i, and<br>
>> the Baseline Requirements permit CAs to include Subject attributes that are<br>
>> not defined in 7.1.4.2.2 (Note that different rules apply to EV).<br>
<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
</blockquote></div></div></div></div></div>