<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=big5"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-TW link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:14.0pt;color:black'>Regarding reviewing the concerns about 'what if there is neither a suitable stateOrProvinceName nor a suitable localityName to be added into the subject name' in the last meeting:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;text-indent:-18.0pt;mso-list:l3 level1 lfo8'><![if !supportLists]><span lang=EN-US style='font-size:14.0pt;font-family:SimSun'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-size:14.0pt;color:black'>I hereby would like to take this opportunity to express that we are unhappy with the naming rule that requires that either a stateOrProvinceName or a localityName be present in the Subject Distinguished Name (DN) of a TLS Certificate. We had raised this issue before, but in the end the forum was not willing to modify the naming rule in the BR. Many small countries like Taiwan are so small that many organizations are established and exist at the country level. For those country-level organizations, there is actually neither a suitable stateOrProvinceName nor a suitable localityName to be added into the Subject DN. The purpose of the Subject DN is to uniquely (or at least as uniquely as possible) identify the certificate subscriber. In big countries, it is usually necessary and natural to have a stateOrProvinceName or at least a localityName to distinguish an organization from other organizations which might otherwise have the same Subject DN. Unfortunately, this is not the case for small countries. In a small country, the countryName might already be the geographical division sufficient to identify the organization registered in this country.
In addition, there might be no 'state' or 'province' in the organizational system or autonomous system in a small country. Among the attributes defined in X.500/LDAP standards, countryName, stateOrProvinceName, and localityName are geographical attributes that are intended to be used as a hierarchical naming tool to help create a Subject DN to uniquely identify the certificate subscriber. Our question is: if an officially registered name of the country-level organization under the countryName is sufficient to uniquely identify the certificate subscriber, why is it necessary to compel us to additionally add either a stateOrProvinceName or a localityName in the Subject DN, whatever the value of the stateOrProvinceName or localityName is, even though it might be a meaningless name or a name that might actually cause confusion rather than increase the identifiability of the certificate subscriber? Let us take a country-level organization named 'National Information Infrastructure Enterprise Promotion Association' in Taiwan as an example. To us, the following Subject DN is sufficient to uniquely identify this country-level organization:<br><span style='background:white'><br> C=TW, O=National Information Infrastructure Enterprise Promotion Association<br><br>With the current naming rule for the OV TLS certificate, we have to additionally add either a stateOrProvinceName or a localityName into the Subject DN. The stateOrProvinceName is absolutely not suitable for us. Therefore, we have no choice but to add a localityName into the Subject DN. In the end, the Subject DN for this country-level organization in Taiwan will be:<br><br> C=TW, L=Taipei City, O=National Information Infrastructure Enterprise Promotion Association<br><br>Adding the localityName 'Taipei City' in this case neither makes the Subject DN more meaningful nor increases the identifiability of the certificate subscriber.
The only reason that we have to add it is because the current naming rule requires it. We had raised the question regarding why either a stateOrProvinceName or a localityName must be present in the Subject DN before. However, no one in the forum can give us a reasonable rationale behind this naming rule. We are unhappy with the rule that requires that either a stateOrProvinceName or a localityName be present, but we had learned to live with it. After several years, we have added a localityName into the Subject DN of OV TLS certificates no matter whether it is necessary. </span></span><span lang=EN-US style='font-size:14.0pt;font-family:SimSun'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:14.0pt;color:black;background:white'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;text-indent:-18.0pt;mso-list:l3 level1 lfo8'><![if !supportLists]><span lang=EN-US style='font-size:14.0pt;color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-size:14.0pt;color:black;background:white'>Regarding the certificate profile, I am concerned that the stateOrProvinceName is indicated in the 'Required/Optional/Prohibited' field as 'Required' for the OV TLS Certificate and the IV TLS Certificate in the "Subscriber TLS" tab in <a href="https://docs.google.com/spreadsheets/d/1G-ADocQbNJE7XoRlbTfQtub6SF7xq34SBoEGu-wBh_k/edit#gid=0">https://docs.google.com/spreadsheets/d/1G-ADocQbNJE7XoRlbTfQtub6SF7xq34SBoEGu-wBh_k/edit#gid=0</a> . This might cause misinterpretation because the stateOrProvinceName is required only when organizationName, givenName, or surName is present and localityName is absent.
Therefore, I suggest that, as in the attached figure, the following should be added in the 'Notes and comments' field:<br> Required when organizationName, givenName, or surName is present and localityName is absent<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:#1F497D'> </span><span lang=EN-US style='font-size:14.0pt;color:black;background:white'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:14.0pt;color:black;background:white'> Li-Chun Chen<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Validation &lt;validation-bounces@cabforum.org&gt; <b>On Behalf Of </b>Doug Beattie via Validation<br><b>Sent:</b> Friday, September 18, 2020 8:37 PM<br><b>To:</b> CA/Browser Forum Validation SC List &lt;validation@cabforum.org&gt;<br><b>Subject:</b> [</span><span style='font-family:"·L³n¥¿¶ÂÅé",sans-serif'>External mail</span><span lang=EN-US>] [cabf_validation] Minutes of the Validation subcommittee call on 2020-09-10<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-US>Minutes of the Validation Subcommittee call on 2020-09-10<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-US><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-US>Antitrust statement was read.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Present<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span
lang=EN-US>Wayne Thayer (Mozilla) (Leading)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Andrea Holland (SecureTrust)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Andreas Hentschel (D-TRUST)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Ben Wilson (Mozilla)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Bruce Morton (Entrust Datacard)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Clint Wilson (Apple)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Corey Bonnell (SecureTrust)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Daniela Hood (GoDaddy)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Dean Coclin (Digicert)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='color:black;margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Dimitris Zacharopoulos (HARICA)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Doug Beattie (GlobalSign)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle 
style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Janet Hines (SecureTrust)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Johnny Reading<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Li-Chun Chen<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Rich Smith<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Ryan Sleevi (Google)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Shelley Brewer (DigiCert)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Trevoli Ponds-White (Amazon)<o:p></o:p></span></li><li class=MsoNormalCxSpMiddle style='margin-bottom:8.0pt;mso-add-space:auto;line-height:105%;mso-list:l0 level1 lfo3'><span lang=EN-US>Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-US>This week we focused on defining some of the attributes in the TLS Distinguished Names tab of the Profile spreadsheet. We reviewed Country, stateOrProvinceName, localityName and StreetAddress. The goal of this exercise is to simplify the current wording which combines validation with the required/optional logic and that makes for difficult reading.
If we separate the use of the field from the validation, we have an easier-to-read specification.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>We also discussed the possibility of profiling the SubjectDN per product (DV, OV, IV, EV) to simplify things, but that will be addressed during a future meeting.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Country:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Country is required if the subject: organizationName is present and Optional if the subject: organizationName is not present. The only case of a Country when organizationName is not present is DV, and there are rules for how that is validated in the BRs. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>We agreed that we should re-look at changing this requirement to only include Country when organizationName exists.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Ryan raised the point that if we remove country from DV as a supported field, and with CommonName being deprecated, the SubjectDN could be blank. That's a discussion for another day, but something we need to revisit. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>stateOrProvinceName:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The rules for State are more complex and the current specification is confusing to read.
We unwound the current spec into these 4 cases:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>1) Required when organizationName, givenName, or surName is present and localityName is absent<br>2) Optional when organizationName, givenName, or surName is present and localityName is present<br>3) Prohibited when organizationName, givenName, and surName are absent<br>4) Optional if countryName = XX<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The strict reading of #2 means that the inclusion of state is optional when you include the locality, even if there is a defined state for that locality. This was probably not the intended interpretation, and the intent was probably that you MUST include the state when a state exists for the specified locality (which is better defined in the EVGL). This clarification is something to be considered in future updates, but for now the specification will remain unchanged.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Ryan and Rich discussed what goes into the state field as this gets complicated when country=XX, so the validation rules for the content need to make a conditional statement around the value of country. As it stands, when country=XX, the CA <b>may</b> include either the State, or &lt;instead&gt; the full spelling of the Country (where MAY should mean you MUST include one or the other; but that is not clear from the current spec and there was a suggestion to put in "instead" which helps in this regard). This further ripples into the Locality where the Locality may contain the value of the State (instead of the locality) when the Country=XX, and State contains Country.
Ryan said that we might have been better off defining a new field to put the country name when country=XX instead of pushing the values down a level as is currently specified.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Rich also suggested a future update that we don't ripple down the content and when country = XX the state field includes both the country and state, then we leave locality untouched.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Locality<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>We had a discussion similar to the State discussion above and also ended up with 4 specific statements about when it's required and optional:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>1) Required when organizationName, givenName, or surName is present and stateOrProvinceName is absent<br>2) Optional when organizationName, givenName, or surName is present and stateOrProvinceName is present<br>3) Prohibited when organizationName, givenName, and surName are absent<br>4) Optional if countryName = XX<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Currently locality is optional when you have state (even if locality exists for the region). Like the State discussion above, this probably was not the intent and is something we should fix.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>For regions like Singapore or Vatican City that do not have either a state or locality, we discussed putting country in for locality. This means we could make locality required.
Taiwan has a different allocation of regions and does not follow the traditional State and locality construct. Rich recommended that we should require Locality in all cases, and when there is no real locality, we should specify the Country in the locality field (the locality is the country in this case).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Again, any changes to the rules will be applied in a future update once the profiles for the current version of the BRs are created. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>StreetAddress<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Wayne brought up the topic of needing multiple street addresses (street address 1, street address 2)<o:p></o:p></span></p><p class=MsoNormalCxSpMiddle style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:36.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%;mso-list:l4 level1 lfo6'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>Rich said that they may include multiple lines of street addresses<o:p></o:p></span></p><p class=MsoNormalCxSpMiddle style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:36.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%;mso-list:l4 level1 lfo6'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>Since streetAddress is in a "set" construct where order is not specified, how do you specify the order of the fields to map to street address 1 and street address 2?<o:p></o:p></span></p><p class=MsoNormalCxSpMiddle
style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:36.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%;mso-list:l4 level1 lfo6'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>The max length for street is 30 characters which may not be enough to put 2 street address lines into one field<o:p></o:p></span></p><p class=MsoNormalCxSpMiddle style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:36.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%;mso-list:l4 level1 lfo6'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>In Japan, the order of the address fields is based on the name form (Romanized or naturalized Japanize form) where the order is reversed.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Ryan asked how we address this in general? If you get geo IP address for 4 countries. 
Do you want to add multiple country fields?<o:p></o:p></span></p><p class=MsoNormalCxSpMiddle style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:36.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%;mso-list:l4 level1 lfo6'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>His view is that we should have only one instance of each field (one country, one street address, etc.)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dimitris said ETSI permits multiple instances of given name and surname because people may have 2 names<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Dimitris suggested we add guidance or rules about how many of each subject DN field are permitted<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Ryan said that if the focus is to make these fields human readable, we use the current approach, but if we wanted to make these machine readable, we may want to introduce new attributes vs. re-purposing existing ones.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Next meeting we'll pick up here and continue through the remaining fields<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-US>Doug Beattie<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-US>GlobalSign<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-US><o:p> </o:p></span></p></div>
</body></html>