<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Burton, </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
While I do agree that for some use cases a certificate policy could have a preference over putting constraints on an OU, this is not the intent of this ballot.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
With this (draft) ballot we try to align the `subject:organizationalUnitName` with the purpose as described by the ITU-T X.520 section 6.4.2 Organizational Unit Name to support organizations, infrastructure and applications that rely on the OU field today.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks for your suggestion,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Paul</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Burton &lt;burton@typewritten.net&gt;<br>
<b>Sent:</b> Monday, October 19, 2020 14:02<br>
<b>To:</b> Paul van Brouwershaven &lt;Paul.vanBrouwershaven@entrust.com&gt;; CA/Browser Forum Validation SC List &lt;validation@cabforum.org&gt;<br>
<b>Subject:</b> [EXTERNAL]Re: [cabf_validation] Draft Ballot SCXX: Improve OU validation requirements</font>
<div> </div>
</div>
<div>
<hr>
<div dir="auto">Hi Paul,
<div dir="auto"><br>
</div>
<div dir="auto">Why can't businesses and governments use enterprise number OIDs in the certificate's policy section for identifying department purposes? That OID can be verified with the IANA enterprise number list.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Thank you</div>
<div dir="auto"><br>
</div>
<div dir="auto">Burton</div>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Mon, 19 Oct 2020, 09:39 Paul van Brouwershaven via Validation, &lt;<a href="mailto:validation@cabforum.org" target="_blank" rel="noreferrer">validation@cabforum.org</a>&gt; wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div>As discussed on the last CA/Browser Forum call last week, we would like to retain the OU field. Our enterprise customers have indicated (using a survey) that they rely on this field for identifying certificate owners in large organizations and governments.
<div><br>
</div>
<div>With this (draft) ballot we try to align the `subject:organizationalUnitName` with the purpose as described by the ITU-T X.520 section 6.4.2 Organizational Unit Name.</div>
<div><br>
</div>
<div>A few explanations, this ballot:</div>
<div>
<ol>
<li>introduces a requirement to verify the existence and affiliation of the unit with the Applicant</li>
<li>prevents misinterpretations by requiring self-reported values to be preceded or followed by a whitespace and the well-known words “department”, “division”, “unit” or ...</li>
<li>supports automation by linking to a directory system of the applicant and by allowing well-known pre-approved values such as “information technology”, “marketing” or “sales”.</li>
<li>supports manual validation using authoritative sources, an organization chart or public directory (e.g. <a href="https://www.gov.ie/en/help/departments/" rel="noreferrer noreferrer" target="_blank">https://www.gov.ie/en/help/departments/</a>)</li>
<li>allows values or series as defined by a government, standard, or regulatory body</li>
<li>allows certificate tracking using numerals which can be preceded or followed by two alphabetical characters for easier identification.</li>
</ol>
</div>
<div>Entrust provided a draft ballot redline [1] to improve the OU validation requirements. This is created as a Draft Pull Request to allow others to point out issues, and the current fixed commit version is [2], since [1] will be updated if/as feedback is
received.</div>
<div><br>
</div>
<div>I'm curious for feedback on these proposed changes and looking for potential endorsers for providing a ballot to the CA/Browser Forum's Server Certificate Working Group as a whole. </div>
<div><br>
</div>
<div>[1] <a href="https://github.com/cabforum/documents/pull/225" id="x_m_6246594008471940516m_820918108826533722LPlnk" rel="noreferrer noreferrer" target="_blank">
https://github.com/cabforum/documents/pull/225</a></div>
<div>[2] <a href="https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3" id="x_m_6246594008471940516m_820918108826533722LPlnk" rel="noreferrer noreferrer" target="_blank">
https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3</a></div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Paul van Brouwershaven</div>
<div>Entrust</div>
<br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>