<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1943688493;
mso-list-type:hybrid;
mso-list-template-ids:1097370060 67698713 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Here’s what the BR currently has regarding requirements for the OU field:<o:p></o:p></p>
<p class="MsoNormal">7.1.4.2.2<o:p></o:p></p>
<p class="MsoNormal">i. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11) Required/Optional: Optional.<o:p></o:p></p>
<p class="MsoNormal">Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified
this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">9.6.1<o:p></o:p></p>
<p class="MsoNormal">3. Accuracy of Information: That, at the time of issuance, the CA (i) implemented a procedure for verifying the accuracy of all of the information contained in the Certificate (with the exception of the subject:organizationalUnitName
attribute); (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement;<o:p></o:p></p>
<p class="MsoNormal">4. No Misleading Information: That, at the time of issuance, the CA (i) implemented a procedure for reducing the likelihood that the information contained in the Certificate's subject:organizationalUnitName attribute would be
misleading; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement;<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I propose to reword:<o:p></o:p></p>
<p class="MsoNormal">7.1.4.2.2<o:p></o:p></p>
<p class="MsoNormal">i. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11) Required/Optional: Optional.<o:p></o:p></p>
<p class="MsoNormal">Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified
this information in accordance with Section 3.2 and the Certificate also contains the following attributes, verified in accordance with section 3.2.2.1:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">subject:organizationName, OR;<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">subject:givenName AND subject:surname<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Because currently any cert that does not contain subject:organization AND subject:givenName AND subject:surname but does include an OU field is arguably non-compliant. That is certainly not the intent of the section, but the fact that it
can be read that way needs to be fixed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I also think we should remove the exception for OU from 9.6.1 (3), strike 9.6.1 (4) completely. As has been discussed ad nauseum in other contexts, what does “misleading” actually mean? It’s not auditable and provides no meaningful normative
guidance. IMO we should implement ACTUAL verification requirements for the OU field in 3.2.2.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="98%" style="width:98.5%;border-collapse:collapse">
<tbody>
<tr style="height:9.05pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:9.05pt">
<p class="MsoNormal"><a name="_Hlk27646815"><b>Rich Smith<o:p></o:p></b></a></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
<tr style="height:11.25pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:11.25pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk27646815"><b>Sr. Compliance Manager<o:p></o:p></b></span></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
<tr style="height:31.6pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:31.6pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk27646815"><img width="175" height="55" style="width:1.825in;height:.575in" id="Picture_x0020_10" src="cid:image001.png@01D67A08.ABEECF90"></span><a href="https://www.linkedin.com/company/sectigo/"><span style="mso-bookmark:_Hlk27646815"><span style="color:windowtext;text-decoration:none"><img border="0" width="48" height="49" style="width:.5in;height:.5083in" id="Picture_x0020_11" src="cid:image002.png@01D67A08.ABEECF90"></span></span><span style="mso-bookmark:_Hlk27646815"></span></a><span style="mso-bookmark:_Hlk27646815"></span><a href="https://twitter.com/SectigoHQ"><span style="mso-bookmark:_Hlk27646815"><span style="color:windowtext;text-decoration:none"><img border="0" width="48" height="49" style="width:.5in;height:.5083in" id="Picture_x0020_12" src="cid:image003.png@01D67A08.ABEECF90"></span></span><span style="mso-bookmark:_Hlk27646815"></span></a><span style="mso-bookmark:_Hlk27646815"></span><a href="https://www.youtube.com/channel/UCpBIBygkjPsEdrGkkWNGOsQ"><span style="mso-bookmark:_Hlk27646815"><span style="color:windowtext;text-decoration:none"><img border="0" width="48" height="49" style="width:.5in;height:.5083in" id="Picture_x0020_13" src="cid:image004.png@01D67A08.ABEECF90"></span></span><span style="mso-bookmark:_Hlk27646815"></span></a><span style="mso-bookmark:_Hlk27646815"><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
<tr style="height:2.25pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:2.25pt">
<span style="mso-bookmark:_Hlk27646815"></span>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk27646815"><span style="font-size:1.0pt"><o:p> </o:p></span></span></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
<tr style="height:9.55pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:9.55pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk27646815"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#15B073;mso-fareast-language:EN-GB">W:
</span></span><span style="mso-bookmark:_Hlk27646815"></span><a href="http://www.sectigo.com/"><span style="mso-bookmark:_Hlk27646815"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-GB;text-decoration:none">Sectigo.com</span></span><span style="mso-bookmark:_Hlk27646815"></span></a><span style="mso-bookmark:_Hlk27646815"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif;mso-fareast-language:EN-GB">
<span style="color:#15B073">E:</span> rich@sectigo.com</span></span><span style="mso-bookmark:_Hlk27646815"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB"><o:p></o:p></span></span></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
<tr style="height:9.0pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:9.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk27646815"><span style="font-size:4.0pt"><img border="0" width="697" height="5" style="width:7.2583in;height:.05in" id="Picture_x0020_3" src="cid:image007.png@01D67A09.A4C8DD90"></span></span><span style="mso-bookmark:_Hlk27646815"><span lang="EN-GB" style="font-size:4.0pt"><o:p></o:p></span></span></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
<tr style="height:31.6pt">
<td width="687" valign="top" style="width:515.45pt;padding:0in 0in 0in 0in;height:31.6pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk27646815"><span style="font-size:6.0pt">This message and any files associated with it may contain legally privileged, confidential, or propriety information. If you are not the intended recipient, you are not
permitted to use, copy, or forward it, in whole or in part without the express consent of the sender. Please notify the sender by reply email, disregard the foregoing messages, and delete it immediately.<o:p></o:p></span></span></p>
</td>
<span style="mso-bookmark:_Hlk27646815"></span>
</tr>
</tbody>
</table>
<span style="mso-bookmark:_Hlk27646815"></span>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:4.0pt;font-family:"Arial",sans-serif;color:#15B073;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>