<div dir="ltr">I'll note the latest draft still suffers the same basic issues we've been discussing for years, without meaningful improvement.<div><br></div><div>For example, it still relies on ambiguous, subjective interpretations, which has shown to result in a number of incidents for CAs. "Local business register" and "locally accepted abbreviation" are exactly the sort of issues that the Validation WG sought to meaningfully address, and which Entrust here has failed to do. Equally, the presumption of trust in the Applicant data is the very antithesis of validation, yet remains a core component of this proposal.</div><div><br></div><div>As stated, we do not see a viable path forward for this, not (as it has been unfortunately stated) as an attempt to shut down discussion, but precisely because this fails to meet the bare minimum of addressing the systemic issues, and is thus not a remotely viable or acceptable "solution" to the problems identified and, unfortunately, practiced by CAs.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 14, 2021 at 2:12 PM Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
This is the latest version of the proposed ballot to strengthen the validation requirements of the OU field:</div>
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<b><br>
</b></div>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<b>#### 3.2.2.1.1 Organizational Unit</b></div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px">If the Subject Identity Information is to include an organizational unit, then it MUST be preceded or followed by a whitespace and one of the words “unit”, “department”, “division”, “group”, “service", "system", "center", "office", “school”,
“faculty”, "administration", "operations” in singular or plural form; or an unambiguous certified translation of the equivalent in a language other than English.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px">The CA MUST verify the existence of the organizational unit using an Organizational Chart provided by the human resource offices of the Applicant or that is signed <span style="margin:0px;background-color:white">by a listed officer
of<span> </span><span style="margin:0px;background-color:white">Applicant</span>.</span></div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px">If a word in the value holds an active registration in the ‘WIPO Global Brand Database’ or a local business register the CA MUST only include these registered values when the CA has verified the right of usage in relation to the<span> </span><span style="margin:0px;background-color:white">Applicant<span style="margin:0px"> </span></span>in
accordance with Section 3.2.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px">The value SHALL not be abbreviated unless this would exceed the maximum length of the `subject:organizationalUnitName` field, in which case it SHALL only use locally accepted abbreviation.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"><br>
</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px">i.<span> </span><b>__Certificate Field:__</b><span> </span>`subject:organizationalUnitName` (OID: 2.5.4.11)</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"> <span> </span><b> __Required/Optional:__<span> </span></b> </div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"> <b>__Optional__</b><span> </span>if the `subject:organizationName` field is present. </div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"> <b>__Prohibited__</b><span> </span>if the `subject:organizationName` is absent.</div>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt;color:black;background-color:rgb(255,255,255)">
<div style="margin:0px"> <b>__Contents:__</b><span> </span>If present, the `subject:organizationalUnitName` field MUST contain the Subject's organizational unit name as verified under Section 3.2.2.1.1.</div>
</div>
</div>
</blockquote>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="gmail-m_2719617433761128757appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_2719617433761128757divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Validation <<a href="mailto:validation-bounces@cabforum.org" target="_blank">validation-bounces@cabforum.org</a>> on behalf of Dimitris Zacharopoulos (HARICA) via Validation <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Sent:</b> Monday, November 23, 2020 21:11<br>
<b>To:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>><br>
<b>Cc:</b> CA/Browser Forum Validation SC List <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabf_validation] [EXTERNAL] Draft Ballot SCXX: Improve OU validation requirements</font>
<div> </div>
</div>
<div><br>
Thank for the detailed response. It summarizes Google's viewpoint on several issues, including Identity.<br>
<br>
<div>On 23/11/2020 8:45 μ.μ., Ryan Sleevi wrote:<br>
</div>
<blockquote type="cite">The Baseline Requirements do not, nor have they ever, permitted CAs to include unverified, self-attested information. Every piece of information included in a certificate has a requirement to be validated by the CA, as captured by 7.1.2.4
of the BRs, as well as more specific individual requirements. It is unfortunate that a CA needs to be reminded of this, or of the principles and motivations, and this applies equally to LEI, OU, or any other field or data the CA might imagine here.</blockquote>
<br>
The validation rules for OU are already in the BRs (7.1.4.2.2 i). They have been there for years. It has always been self-attested information. The CA had to "implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark,
address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname,
subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1."<br>
<br>
I would like to highlight that 7.1.2.4 allows for "other fields and extensions" but during the
<i>organizationIdentifier </i>discussion, you had expressed a preference that if this
<b>validated</b> <b>information </b>were to be included, it should be in an extension rather than the subjectDN.<br>
<br>
Regarding the LEI, of course the CA would need to verify/validate the information included in the extension; I never implied that information would not be validated. In my previous post, I mentioned that "BRs allow custom extensions to be defined by CAs (and
how CAs validate this information)", so I hope we're in agreement that this is still currently allowed, if a CA meets everything listed in 7.1.2.4.<br>
<br>
To use an example, if a CA were to define in its CP/CPS an extension that follows exactly the description of the
<em>cabfOrganizationIdentifier</em> as described in section 9.8.2 of the EV Guidelines (my previous example was flawed), describe the same EVG validation rules for that extension and include this extension in an OV Certificate, wouldn't that be compliant with
the BRs?<br>
<br>
<br>
</div>
</div>
</blockquote></div>