<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1253">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="">
<blockquote itemscope="" itemtype="https://schemas.microsoft.com/QuotedText" style="color: rgb(102, 102, 102); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; border-left: 3px solid rgb(200, 200, 200); border-top-color: rgb(200, 200, 200); border-right-color: rgb(200, 200, 200); border-bottom-color: rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex;">
<div><span style="font-family:'Segoe UI', 'Segoe UI Web (West European)', 'Segoe UI', -apple-system, BlinkMacSystemFont, Roboto, 'Helvetica Neue', sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important">I'll note the latest draft still suffers the same basic issues we've been discussing for years, without meaningful improvement.</span></div>
<div style="margin:0px;font-size:14px;font-family:'Segoe UI', 'Segoe UI Web (West European)', 'Segoe UI', -apple-system, BlinkMacSystemFont, Roboto, 'Helvetica Neue', sans-serif;background-color:rgb(255, 255, 255)">
<br>
</div>
<div style="margin:0px;font-size:14px;font-family:'Segoe UI', 'Segoe UI Web (West European)', 'Segoe UI', -apple-system, BlinkMacSystemFont, Roboto, 'Helvetica Neue', sans-serif;background-color:rgb(255, 255, 255)">
For example, it still relies on ambiguous, subjective interpretations, which has been shown to result in a number of incidents for CAs. "Local business register" and "locally accepted abbreviation" are exactly the sort of issues that the Validation WG sought to meaningfully address, and which Entrust here has failed to do. Equally, the presumption of trust in the Applicant data is the very antithesis of validation, yet remains a core component of this proposal.</div>
</blockquote>
<div style="margin: 0px;"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">In the initial version we proposed the same language as currently used in section 3.2 of the BR; this version tries to address your comments on that version. I'm happy to create a definition for "Local business register", or you can suggest another term for official business registers. I don't think it's fair to argue that this proposal 'suffers the same basic issues' based on language that is currently accepted in other sections and is not easy to replace without forbidding identity information in general.</span></div>
<div style="margin: 0px;"><br>
</div>
<div style="margin: 0px;"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">While I agree we should try to address all issues in the current requirements, let's start that process instead of removing/blocking improvements based on the same principles.</span></div>
<div style="margin: 0px;"><br>
</div>
<div style="margin: 0px;"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Another example: we also allow locally accepted abbreviations for the subject organization name, so why would this not be accepted for the OU field?</span></div>
<blockquote itemscope="" itemtype="https://schemas.microsoft.com/QuotedText" style="color: rgb(102, 102, 102); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; border-left: 3px solid rgb(200, 200, 200); border-top-color: rgb(200, 200, 200); border-right-color: rgb(200, 200, 200); border-bottom-color: rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex;">
<div style="margin:0px;font-size:14px;font-family:'Segoe UI', 'Segoe UI Web (West European)', 'Segoe UI', -apple-system, BlinkMacSystemFont, Roboto, 'Helvetica Neue', sans-serif;background-color:rgb(255, 255, 255)">
<span style="font-family: 'Segoe UI', 'Segoe UI Web (West European)', 'Segoe UI', -apple-system, BlinkMacSystemFont, Roboto, 'Helvetica Neue', sans-serif; font-size: 14px;">As stated, we do not see a viable path forward for this, not (as it has been unfortunately stated) as an attempt to shut down discussion, but precisely because this fails to meet the bare minimum of addressing the systemic issues, and is thus not a remotely viable or acceptable "solution" to the problems identified and, unfortunately, practiced by CAs.</span></div>
</blockquote>
</div>
<div style=""><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Personally, I think that the strongly opinionated position from Google and the negativity towards any attempt to strengthen the requirements has prevented participation in a progressive discussion on improving the requirements on this list.</span></div>
<div style=""><br>
</div>
<div style=""><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">I suggest that the validation working group starts to address the existing language in the requirements (and as proposed for this ballot) prior to any decision about the OU field removal.</span></div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Ryan Sleevi &lt;sleevi@google.com&gt;<br>
<b>Sent:</b> Thursday, January 14, 2021 20:16<br>
<b>To:</b> Paul van Brouwershaven &lt;Paul.vanBrouwershaven@entrust.com&gt;<br>
<b>Cc:</b> Dimitris Zacharopoulos (HARICA) &lt;dzacharo@harica.gr&gt;; CA/Browser Forum Validation SC List &lt;validation@cabforum.org&gt;<br>
<b>Subject:</b> Re: [cabf_validation] [EXTERNAL] Draft Ballot SCXX: Improve OU validation requirements</font>
<div> </div>
</div>
<div>
<div dir="ltr">I'll note the latest draft still suffers the same basic issues we've been discussing for years, without meaningful improvement.
<div><br>
</div>
<div>For example, it still relies on ambiguous, subjective interpretations, which has been shown to result in a number of incidents for CAs. "Local business register" and "locally accepted abbreviation" are exactly the sort of issues that the Validation WG sought to meaningfully address, and which Entrust here has failed to do. Equally, the presumption of trust in the Applicant data is the very antithesis of validation, yet remains a core component of this proposal.</div>
<div><br>
</div>
<div>As stated, we do not see a viable path forward for this, not (as it has been unfortunately stated) as an attempt to shut down discussion, but precisely because this fails to meet the bare minimum of addressing the systemic issues, and is thus not a remotely
viable or acceptable "solution" to the problems identified and, unfortunately, practiced by CAs.</div>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Thu, Jan 14, 2021 at 2:12 PM Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
This is the latest version of the proposed ballot to strengthen the validation requirements of the OU field:</div>
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<b><br>
</b></div>
</div>
<blockquote style="margin:0px 0px 0px 40px; border:none; padding:0px">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<b>#### 3.2.2.1.1 Organizational Unit</b></div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px">If the Subject Identity Information is to include an organizational unit, then it MUST be preceded or followed by a whitespace and one of the words "unit", "department", "division", "group", "service", "system", "center", "office", "school", "faculty", "administration", "operations" in singular or plural form; or an unambiguous certified translation of the equivalent in a language other than English.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px">The CA MUST verify the existence of the organizational unit using an Organizational Chart provided by the human resource offices of the Applicant or that is signed by a listed officer of the Applicant.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px">If a word in the value holds an active registration in the "WIPO Global Brand Database" or a local business register, the CA MUST only include these registered values when the CA has verified the right of usage in relation to the Applicant in accordance with Section 3.2.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px">The value SHALL NOT be abbreviated unless this would exceed the maximum length of the `subject:organizationalUnitName` field, in which case it SHALL only use a locally accepted abbreviation.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px">i.<span> </span><b>__Certificate Field:__</b><span> </span>`subject:organizationalUnitName` (OID: 2.5.4.11)</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"> <span> </span><b> __Required/Optional:__<span> </span></b> </div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"> <b>__Optional__</b><span> </span>if the `subject:organizationName` field is present. </div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"> <b>__Prohibited__</b><span> </span>if the `subject:organizationName` is absent.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; color:black; background-color:rgb(255,255,255)">
<div style="margin:0px"> <b>__Contents:__</b><span> </span>If present, the `subject:organizationalUnitName` field MUST contain the Subject's organizational unit name as verified under Section 3.2.2.1.1.</div>
</div>
</div>
</blockquote>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="x_gmail-m_2719617433761128757appendonsend"></div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_2719617433761128757divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Validation <<a href="mailto:validation-bounces@cabforum.org" target="_blank">validation-bounces@cabforum.org</a>>
on behalf of Dimitris Zacharopoulos (HARICA) via Validation <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Sent:</b> Monday, November 23, 2020 21:11<br>
<b>To:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>><br>
<b>Cc:</b> CA/Browser Forum Validation SC List <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabf_validation] [EXTERNAL] Draft Ballot SCXX: Improve OU validation requirements</font>
<div> </div>
</div>
<div><br>
Thanks for the detailed response. It summarizes Google's viewpoint on several issues, including Identity.<br>
<br>
<div>On 23/11/2020 8:45 p.m., Ryan Sleevi wrote:<br>
</div>
<blockquote type="cite">The Baseline Requirements do not, nor have they ever, permitted CAs to include unverified, self-attested information. Every piece of information included in a certificate has a requirement to be validated by the CA, as captured by 7.1.2.4
of the BRs, as well as more specific individual requirements. It is unfortunate that a CA needs to be reminded of this, or of the principles and motivations, and this applies equally to LEI, OU, or any other field or data the CA might imagine here.</blockquote>
<br>
The validation rules for OU are already in the BRs (7.1.4.2.2 i). They have been there for years. It has always been self-attested information. The CA had to "implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark,
address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname,
subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1."<br>
<br>
I would like to highlight that 7.1.2.4 allows for "other fields and extensions" but during the
<i>organizationIdentifier </i>discussion, you had expressed a preference that if this
<b>validated</b> <b>information </b>were to be included, it should be in an extension rather than the subjectDN.<br>
<br>
Regarding the LEI, of course the CA would need to verify/validate the information included in the extension; I never implied that information would not be validated. In my previous post, I mentioned that "BRs allow custom extensions to be defined by CAs (and
how CAs validate this information)", so I hope we're in agreement that this is still currently allowed, if a CA meets everything listed in 7.1.2.4.<br>
<br>
To use an example, if a CA were to define in its CP/CPS an extension that follows exactly the description of the
<em>cabfOrganizationIdentifier</em> as described in section 9.8.2 of the EV Guidelines (my previous example was flawed), describe the same EVG validation rules for that extension and include this extension in an OV Certificate, wouldn't that be compliant with
the BRs?<br>
<br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
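<div style="margin: 0px;">Added example, not code from this thread, the CA/Browser Forum, or any CA: a Python lint that checks a candidate OU value against the draft 3.2.2.1.1 text quoted above (the whitespace-adjacent keyword rule in singular or plural form, the prohibition when subject:organizationName is absent, and the abbreviation/length rule). It assumes the "maximum length" the draft refers to is the X.520 upper bound of 64 from RFC 5280 Appendix A, and treats a short trailing-period token as a heuristic sign of abbreviation; the WIPO/business-register and certified-translation checks are manual and are not modelled.</div>

```python
"""Lint a subject:organizationalUnitName value against the draft 3.2.2.1.1
text quoted in this thread.  Illustrative checker written for this page; not
CA/B Forum, Entrust or any CA's code.  Registry (WIPO / business register) and
certified-translation checks are manual and are not modelled here."""
import re
from typing import List, Optional

# Words listed in the draft, kept in singular form ("operation" is listed in
# the draft as the plural "operations"); plural forms are generated below.
SINGULAR = {
    "unit", "department", "division", "group", "service", "system", "center",
    "office", "school", "faculty", "administration", "operation",
}
IRREGULAR_PLURALS = {"faculty": "faculties"}
KEYWORD_FORMS = SINGULAR | {IRREGULAR_PLURALS.get(w, w + "s") for w in SINGULAR}

# X.520 upper bound for organizationalUnitName (RFC 5280, Appendix A); assumed
# here to be the "maximum length" the draft refers to.
UB_ORGANIZATIONAL_UNIT_NAME = 64

# Heuristic only: a short token ending in a period ("Dept.") looks abbreviated.
ABBREVIATION = re.compile(r"\b\w{1,5}\.(?=\s|$)")


def has_required_keyword(ou: str) -> bool:
    """The unit name must be preceded or followed by whitespace plus a listed
    word, so the value must start with keyword+space or end with space+keyword."""
    tokens = ou.split()
    if len(tokens) < 2:
        return False  # a lone word has nothing on the other side of the whitespace
    return tokens[0].casefold() in KEYWORD_FORMS or tokens[-1].casefold() in KEYWORD_FORMS


def check_ou(ou: Optional[str], org: Optional[str]) -> List[str]:
    """Return findings for one certificate's OU/O pair; an empty list means compliant."""
    findings: List[str] = []
    if ou is None:
        return findings  # OU is optional; absent is always fine
    if not org:
        findings.append("OU is prohibited when subject:organizationName is absent")
        return findings
    if len(ou) > UB_ORGANIZATIONAL_UNIT_NAME:
        findings.append(f"OU exceeds {UB_ORGANIZATIONAL_UNIT_NAME} characters")
    if not has_required_keyword(ou):
        findings.append("OU does not start or end with a listed word such as 'department'")
    if ABBREVIATION.search(ou):
        findings.append("OU looks abbreviated; allowed only if the full name would exceed the limit")
    return findings
```

Constructed inputs such as check_ou("Engineering Dept.", "Example Corp") return two findings (no listed keyword, apparent abbreviation), while "Department of Engineering" and "Faculties of Arts" pass.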
</body>
</html>