<div dir="ltr">Hi Paul,<div><br></div><div>As I commented on the Github issue, while I believe this is an earnest attempt, it unfortunately applies all of the same faulty logic and approaches that we know are unacceptably insecure and inappropriate. Further, the consideration of the timelines is equally unthinkably insecure: this is something we can and should be resolving so that all new certificates issued can be improved sometime in th next six months. My hope is that realizing that waiting until 2024 to improve an arbitrary injection vulnerability is unthinkably inappropriate.</div><div><br></div><div>However, as I note, it misses the most basic requirement, which has been on the agenda since our discussions in London in 2018, is addressing the use cases here for this data. Entrust has failed to do so, other than expressing a customer desire, and thus makes it unreasonable for any further consideration, as the absence of such data precludes productive discussion, including that of alternatives.</div><div><br></div><div>We do not support this ballot, in its current form or in any modified form, without having such basic use cases addressed. CAs wishing to advocate for its continued inclusion must recognize the importance of capturing the use case appropriately, rather than presuming that how things were done was a correct and appropriate manner, especially given the counter-factual evidence and experience.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Oct 19, 2020 at 8:40 AM Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hi Burton, </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
While I do agree that for some use cases a certificate policy could have a preference over putting constraints on an OU, this is not the intend of this ballot.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
With this (draft) ballot we try to align the `subject:organizationalUnitName` with the purpose as described by the ITU-T X.520 section 6.4.2 Organizational Unit Name to support organizations, infrastructure and application that rely on the OU field today.<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Thanks for your suggestion,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Paul</div>
<div id="gmail-m_7396596176465664652appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_7396596176465664652divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Burton <<a href="mailto:burton@typewritten.net" target="_blank">burton@typewritten.net</a>><br>
<b>Sent:</b> Monday, October 19, 2020 14:02<br>
<b>To:</b> Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com" target="_blank">Paul.vanBrouwershaven@entrust.com</a>>; CA/Browser Forum Validation SC List <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL]Re: [cabf_validation] Draft Ballot SCXX: Improve OU validation requirements</font>
<div> </div>
</div>
<div><font color="#ff0000"><strong>WARNING:</strong></font> This email originated outside of Entrust.<br>
<font color="#ff0000"><strong>DO NOT CLICK</strong></font> links or attachments unless you trust the sender and know the content is safe.<br>
<hr>
<div dir="auto">Hi Paul,
<div dir="auto"><br>
</div>
<div dir="auto">Why can't businesses and governments use enterprise numbers OIDs in the certificates policy section for identifying department purposes? That OID can be verified with IANA enterprise number list.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Thank you</div>
<div dir="auto"><br>
</div>
<div dir="auto">Burton</div>
</div>
<br>
<div>
<div dir="ltr">On Mon, 19 Oct 2020, 09:39 Paul van Brouwershaven via Validation, <<a href="mailto:validation@cabforum.org" rel="noreferrer" target="_blank">validation@cabforum.org</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>As discussed on the last CA/Browser Forum call last week, we would like to retain the OU field. Our enterprise customers have indicated (using a survey) to rely on this field for identifying certificate owners in large organizations and governments.
<div><br>
</div>
<div>With this (draft) ballot we try to align the `subject:organizationalUnitName` with the purpose as described by the ITU-T X.520 section 6.4.2 Organizational Unit Name.</div>
<div><br>
</div>
<div>A few explanations, this ballot:</div>
<div>
<ol>
<li>introduces a requirement to verify the existence and affiliation of the unit with the Applicant</li><li>prevents misinterpretations by requiring self-reported values to be preceded or followed by a whitespace and the well-known words “department”, “division”, “unit” or ...</li><li>supports automation by linking to a directory system of the applicant and by allowing well-known pre-approved values such as “information technology”, “marketing” or “sales”.</li><li>supports manual validation using authoritative sources, an organization charts or public directory (e.g.
<a href="https://www.gov.ie/en/help/departments/" rel="noreferrer noreferrer" target="_blank">
https://www.gov.ie/en/help/departments/</a>)</li><li>allows values or series as defined by a government, standard, or regulatory body</li><li>allows certificate tracking using numerals which can be preceded or followed by two alphabetical characters for easier identification.</li></ol>
</div>
<div>Entrust provided a draft ballot redline [1] to improve the OU validation requirements. This is created as a Draft Pull Request to allow others to point out issues, and the current fixed commit version is [2], since [1] will be updated if/as feedback is
received.</div>
<div><br>
</div>
<div>I'm curious for feedback on these proposed changes and looking for potential endorsers for providing a ballot to the CA/Browser Forum's Server Certificate Working Group as a whole. </div>
<div><br>
</div>
<div>[1] <a href="https://github.com/cabforum/documents/pull/225" id="gmail-m_7396596176465664652x_m_6246594008471940516m_820918108826533722LPlnk" rel="noreferrer noreferrer" target="_blank">
https://github.com/cabforum/documents/pull/225</a></div>
<div>[2] <a href="https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3" id="gmail-m_7396596176465664652x_m_6246594008471940516m_820918108826533722LPlnk" rel="noreferrer noreferrer" target="_blank">
https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3</a></div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Paul van Brouwershaven</div>
<div>Entrust</div>
<br>
<br>
</div>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" rel="noreferrer noreferrer" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</blockquote>
</div>
</div>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</blockquote></div>