<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi Adriano,<div><br></div><div>I haven’t looked through minutes and such yet, but as I recall this ordering was discussed a number of times on Validation Subcommittee calls during the creation of SC-062 (i.e. sometime in 2020-2023). The resultant ordering originated from the combination of 3 primary sources:</div><div>1. <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">X.509/X.520</span></div><div>2. <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">RFC 5280</span></div><div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">3. WG Consensus</span></div><div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br></span></div><div><font color="#000000">I think there’s additional discussion in the link that Jaime provided that’s relevant as well:</font></div><div><font color="#000000"><br></font></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><font color="#000000"><div>chrisbn May 13, 2022</div></font></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><font color="#000000"><div>How would fields need to be handled that are not in the current list? E.g. subject:businessCategory or subject:jurisdictionLocalityName from EVG? 
I'm also interested to know if there's a source for this requirement, or what's the driver for the ordering?</div></font></div></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div><br></div></font></blockquote><font color="#000000"><div>sleevi May 13, 2022</div></font><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div>You mean, where would these be sorted?</div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div>These are requirements derived from the semantics of RFC 5280 and X.509. A DN is hierarchical in semantic naming, and an RDN with multiple elements is saying that these names are semantically equivalent hierarchically.</div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div>For the name forms listed, they are not semantically equivalent (e.g. a countryName is not the same hierarchy as a localityName / interchangeable with), and there is a semantic hierarchy.</div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div>These are already existing logical requirements, just being made explicit.</div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div><br></div></font></blockquote><font color="#000000"><div>chrisbn May 13, 2022</div></font><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div>Yes, I wonder about the order of fields not in this list.</div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div>I understand the hierarchy to order logic, but is the order defined in Section 7.1.4.2 based on an existing specification, or how did we come to this ordering?</div></font></blockquote><font color="#000000"><div 
style="caret-color: rgb(0, 0, 0);"><br></div></font><font color="#000000"><div><div>sleevi May 13, 2022</div></div></font><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div><div>It is based on the definitions within X.509 and X.520, given these fields are generally geographical in nature.</div></div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div><div>That said, there’s definitely flexibility here to get us closer to consistency among CAs, which is a key point of profiling, so if there are changes and concerns, it’s totally appropriate to highlight.</div></div></font></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><font color="#000000"><div><div>Prior relevant art includes RFC 2377 [<a href="https://datatracker.ietf.org/doc/html/rfc2377">https://datatracker.ietf.org/doc/html/rfc2377</a>], RFC 1218 [<a href="https://www.rfc-editor.org/rfc/rfc1218.html">https://www.rfc-editor.org/rfc/rfc1218.html</a>], and RFC 1255 [<a href="https://www.rfc-editor.org/rfc/rfc1255">https://www.rfc-editor.org/rfc/rfc1255</a>]</div></div></font></blockquote></blockquote><font color="#000000"><div><div style="caret-color: rgb(0, 0, 0);"><br></div></div><div style="caret-color: rgb(0, 0, 0);">Cheers,</div><div style="caret-color: rgb(0, 0, 0);">-Clint</div></font><div><font color="#000000"><div><br></div></font></div><div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br></span></div><div><div><br><blockquote type="cite"><div>On Mar 21, 2024, at 2:06 AM, Adriano Santoni via Servercert-wg <servercert-wg@cabforum.org> wrote:</div><br class="Apple-interchange-newline"><div>
<div><p><font face="Calibri">Thank you </font>Jaime, but <font face="Calibri">I had already checked that.</font></p><p><font face="Calibri">At that link I can only find the following
very short exchange between chrisbn and sleevi:<br>
</font></p><div><font face="Calibri">
</font><br class="webkit-block-placeholder"></div><blockquote type="cite"><font face="Calibri">@chrisbn chrisbn May 13, 2022<br>
Yes, I wonder about the order of fields not in this list.<br>
I understand the hierarchy to order logic, but is the order
defined in Section 7.1.4.2 based on an existing specification,
or how did we come to this ordering?<br>
@sleevi sleevi May 13, 2022<br>
It is based on the definitions within X.509 and X.520, given
these fields are generally geographical in nature.<br>
That said, there’s definitely flexibility here to get us
closer to consistency among CAs, which is a key point of
profiling, so if there are changes and concerns, it’s totally
appropriate to highlight.</font></blockquote><font face="Calibri">
</font><div><br class="webkit-block-placeholder"></div><p><font face="Calibri">That does not seem to clarify much, so I
suppose there is more somewhere else.<br>
    </font></p><p><font face="Calibri">No discussion on the mailing list? No
discussion in SCWG calls?<br>
</font></p><p><font face="Calibri">Adriano</font></p><p><font face="Calibri"><br>
</font></p><p><font face="Calibri"><br>
</font></p>
    <div class="moz-cite-prefix">On 21/03/2024 09:52, Jaime Hablutzel
      wrote:<br>
</div>
<blockquote type="cite" cite="mid:478B7BEF-2E4A-4DA0-BFE7-63D74038FA3D@wisekey.com">
The discussion in <a href="https://github.com/sleevi/cabforum-docs/pull/36#discussion_r872103477" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/sleevi/cabforum-docs/pull/36#discussion_r872103477</a> could
help.<br id="lineBreakAtBeginningOfMessage">
<div><br>
<blockquote type="cite">
<div>On 21 Mar 2024, at 09:39, Adriano Santoni via
            Servercert-wg <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<div><p><font face="Calibri">All, can anyone help me find the
past email discussion, or at least the rationale that
                  someone wrote somewhere (e.g. on GitHub?), supporting
the Subject attributes encoding relative order
requirement that was introduced in BR 2.0.0 (Ballot
                  SC-062)? </font></p><p><font face="Calibri">I am talking about §7.1.4.2
Subject Attribute Encoding, and specifically about
this language:<br>
</font></p><p><font face="Calibri">"CAs that include attributes in
the Certificate subject field that are listed in the
table below<br>
SHALL encode those attributes in the relative order as
they appear in the table and follow the<br>
specified encoding requirements for the attribute."<br>
</font></p><p><font face="Calibri">I do not recall, and cannot find,
a discussion on this mailing list on this particular
topic. Maybe I just missed a whole bunch of email
messages due to some otherwise undetected email
                  problem. I also did a search on GitHub, starting from
the links provided at
                  <a class="moz-txt-link-freetext" href="https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/" moz-do-not-send="true">https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/</a>,
but was unable to figure out who proposed it and,
above all, for what reason.<br>
</font></p>
<font face="Calibri">Adriano</font><br>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a><br>
<a class="moz-txt-link-freetext" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=TmnUymVu4aN7JJUi7E4FNf5W7JAuYX7-j6JtyhXK9EAAxJqhk7RvTa9sOsMmibge&s=pzZ-HMcq_CggzRO87gqT5_XxYy9n5hIbsxrERd7c_so&e=">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=TmnUymVu4aN7JJUi7E4FNf5W7JAuYX7-j6JtyhXK9EAAxJqhk7RvTa9sOsMmibge&s=pzZ-HMcq_CggzRO87gqT5_XxYy9n5hIbsxrERd7c_so&e=</a><br>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
</div></blockquote></div><br></div></body></html>