<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style=""><font color="#666666" face="Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px;">We got a lot of positive feedback using private channels, with the large majority of CA's indicating that they want to retain the
OU field and willing to support this proposal.</span></font></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color:rgb(102, 102, 102);font-family:"Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color:rgb(102, 102, 102);font-family:"Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important">Dimitris, you suggested in the virtual meeting 51 to create some “bad
actor” scenarios, I have translated this into the attached risk register.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color:rgb(102, 102, 102);font-family:"Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color:rgb(102, 102, 102);font-family:"Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important">In the register I have suggested to remove item 6 from the proposal as
I don't think the risk can be mitigated.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color:rgb(102, 102, 102);font-family:"Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color:rgb(102, 102, 102);font-family:"Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important">I would like to invite this group to think about these and other risks,
and if/how they are or can be mitigated.</span></div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Validation <validation-bounces@cabforum.org> on behalf of Paul van Brouwershaven via Validation <validation@cabforum.org><br>
<b>Sent:</b> Monday, October 19, 2020 10:39<br>
<b>To:</b> validation@cabforum.org <validation@cabforum.org><br>
<b>Subject:</b> [EXTERNAL][cabf_validation] Draft Ballot SCXX: Improve OU validation requirements</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr"><font color="#ff0000"><strong>WARNING:</strong></font> This email originated outside of Entrust.<br>
<font color="#ff0000"><strong>DO NOT CLICK</strong></font> links or attachments unless you trust the sender and know the content is safe.<br>
<hr>
<div style="">As discussed on the last CA/Browser Forum call last week, we would like to retain the OU field. Our enterprise customers have indicated (using a survey) to rely on this field for identifying certificate owners in large organizations and governments.
<div><br>
</div>
<div>With this (draft) ballot we try to align the `subject:organizationalUnitName` with the purpose as described by the ITU-T X.520 section 6.4.2 Organizational Unit Name.</div>
<div><br>
</div>
<div>A few explanations, this ballot:</div>
<div>
<ol>
<li>introduces a requirement to verify the existence and affiliation of the unit with the Applicant</li><li>prevents misinterpretations by requiring self-reported values to be preceded or followed by a whitespace and the well-known words “department”, “division”, “unit” or ...</li><li>supports automation by linking to a directory system of the applicant and by allowing well-known pre-approved values such as “information technology”, “marketing” or “sales”.</li><li>supports manual validation using authoritative sources, an organization charts or public directory (e.g. https://www.gov.ie/en/help/departments/)</li><li>allows values or series as defined by a government, standard, or regulatory body</li><li>allows certificate tracking using numerals which can be preceded or followed by two alphabetical characters for easier identification.</li></ol>
</div>
<div>Entrust provided a draft ballot redline [1] to improve the OU validation requirements. This is created as a Draft Pull Request to allow others to point out issues, and the current fixed commit version is [2], since [1] will be updated if/as feedback is
received.</div>
<div><br>
</div>
<div>I'm curious for feedback on these proposed changes and looking for potential endorsers for providing a ballot to the CA/Browser Forum's Server Certificate Working Group as a whole. </div>
<div><br>
</div>
<div>[1] <a href="https://github.com/cabforum/documents/pull/225" id="LPlnk">https://github.com/cabforum/documents/pull/225</a></div>
<div>[2] <a href="https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3" id="LPlnk">
https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3</a></div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Paul van Brouwershaven</div>
<div>Entrust</div>
<br>
<br>
</div>
</div>
</body>
</html>