<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:143744566;
mso-list-type:hybrid;
mso-list-template-ids:20764898 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1665477136;
mso-list-type:hybrid;
mso-list-template-ids:-1129382296 -494086980 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoPlainText>Minutes of the Validation Subcommittee call on 2020-09-10<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Antitrust statement was read.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Present<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Wayne Thayer (Mozilla) (Leading)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Andrea Holland (SecureTrust)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Andreas Hentschel (D-TRUST)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Ben Wilson (Mozilla)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Bruce Morton (Entrust Datacard)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Clint Wilson (Apple)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Corey Bonnell (SecureTrust)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Daniela Hood (GoDaddy)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Dean Coclin (Digicert)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Dimitris Zacharopoulos (HARICA)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Doug Beattie (GlobalSign)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Janet Hines (SecureTrust)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Johnny Reading<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Li-Chun Chen<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Rich Smith<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Ryan Sleevi (Google)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Shelley Brewer (DigiCert)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Trevoli Ponds-White (Amazon)<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1'>Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></li></ul><p class=MsoNormal>This week we focused on defining some of the attributes in the TLS Distinguished Names tab of the Profile spreadsheet. We reviewed Country, stateOrProvinceName , localityName and StreetAddress. The goal of this exercise is to simplify the current wording which combines validation with the required/optional logic and that makes for difficult reading. If we separate the use of the field from the validation, we have an easier to ready specification.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We also discussed the possibility of profiling the SubjectDN per product (DV, OV, IV, EV) to simplify things, but that will be addressed during a future meeting<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Country:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Country is required if the subject: organizationName is present and Optional if the subject: organizationName is not present. The only case of a Country when organizationName is not present is DV, and there are rules for how that is validated in the BRs. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We agreed that we should re-look at changing this requirement to only include Country when organizationName exists.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ryan raised the point that if we remove country from DV as a supported field, and with CommonName being deprecated, the SubjectDN could be blank. That’s a discussion for another day, but something we need to revisit. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>stateOrProvinceName:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The rules for State are more complex and the current specification is confusing to read. We unwound the current spec into these 4 cases:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1) Required when organizationName, givenName, or surName is present and localityName is absent<br>2) Optional when organizationName, givenName, or surName is present and localityName is present<br>3) Prohibited when organizationName, givenName, and surName are absent<br>4) Optional if countryName = XX<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The strict reading of #2 means that the inclusion of state is optional when you include the locality, even if there is a defined state for that locality. This was probably not the intended interpretation and that the intent was probably that you MUST include the state when a state exists for the specified locality (which is better defined in the EVGL). This clarification is something to be considered in future updates, but for now the specification will remain unchanged.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ryan and Rich discussed what goes into the state field as this gets complicated when country=xx, so the validation rules for the content need make a conditional statement around the value of country. As it stands, when country=XX, the CA <b>may</b> include either the State, or <instead> the full spelling of the Country (where MAY should mean you MUST include one or the other; but that is not clear from the current spec and there was a suggestion to put in “instead” which helps in this regard). This further ripples into the Locality where the Locality may contain the value of the State (instead of the locality) when the Country=XX, and State contains Country. Ryan said that we might have been better off defining a new field to put the country name when country-xx instead of pushing the values down a level as is currently specified.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Rich also suggested a future update that we don’t ripple down the content and when country = XX the state field includes both the country and state, the we leave locality untouched.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Locality<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We had a discussion similar to the State discussion above and also ended up with 4 specific statements about when it’s required and optional:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1) Required when organizationName, givenName, or surName is present and stateOrProvinceName is absent<br>2) Optional when organizationName, givenName, or surName is present and stateOrProvinceName is present<br>3) Prohibited when organizationName, givenName, and surName are absent<br>4) Optional if countryName = XX<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Currently locality is optional when you have state (even if locality exists for the region). Like the State discussion above, this probably was not the intent and is something we should fix.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>For regions like Singapore or Vatican City that do not have either a state or locality, we discussed putting country in for locality. This means we could make locality required. Twain has a different allocating of regions and does not follow the traditional State and locality construct. Rich recommended that we should require Locality in all cases, and when there is no real locality, we should specify the Country in the locality field (the locality is the country in this case).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Again any changes to the rules will be applied in a future update once the profiles for the current version of the BRs is created. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>StreetAddress<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Wayne brought up the topic of needing multiple street addresses (street address 1, street address 2)<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'>Rich said that they may include multiple lines of street addresses<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'>Since streetAddress is in a “set” construct where order is not specified, how do you specify the order of the fields to map to street address 1 and street address 2?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'>The max length for street is 30 characters which may not be enough to put 2 street address lines into one field<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'>In Japan, the order of the address fields is based on the name form (Romanized or naturalized Japanize form) where the order is reversed.<o:p></o:p></li></ul><p class=MsoNormal>Ryan asked how we address this in general? If you get geo IP address for 4 countries. Do you want to add multiple country fields?<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'>His view is that we should have only one instance of each field (one country, one street address, etc.)<o:p></o:p></li></ul><p class=MsoNormal>Dimitris said ETSI permits multiple instances of given name and surname because people may have 2 names<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dimitris suggested we add guidance or rules about how many of each subject DN field are permitted<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ryan said that if the focus is to make these fields human readable, we use the current approach, but if we wanted to make these machine readable, we may want to introduce new attributes vs. re-purposing existing ones.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Next meeting we’ll pick up here and continue through the remaining fields<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoPlainText>Doug Beattie<o:p></o:p></p><p class=MsoPlainText>GlobalSign<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p></div></body></html>