<div dir="ltr">Hi Paul,<div><br></div><div>I'm glad to see Entrust has recognized that its previously suggested approach to OU lacks consensus.</div><div><br></div><div>However, we have yet to see any data to support the 2024 deadline, especially when this timeline is functionally not effective until May 31, 2025, due to certificate lifetimes. Given the data presented around the use, and misuse, of OU, and the many CA incidents, it does not seem like a 2024 date can be reasonably justified, but perhaps there is more concrete data you would like to share? Certainly, Certificate Transparency offers us a clear empirical roadmap to both those affected and the (previously discussed) use cases, much better than any survey or "customer wishlist" would.</div><div><br></div><div>As per past discussions in the Forum regarding acceptable timeframes, I think the reasonable timeframe that we could endorse would look to see it immediately moved to a SHOULD NOT, with a goal of MUST NOT on roughly the timeframe you propose (May 2022, or approximately one year out). This would allow us to ensure that data is promptly gathered as soon as possible, through the SHOULD NOT transition, and ensure that, if there is data that warrants it, relevant to the risk to users and certificate holders, we can revisit that timeline if it proves to be necessary.</div><div><br></div><div>However, the process of "documented case-by-case exception" is, while conceptually interesting, deeply problematic, and something that I don't think we could support. This process fundamentally repeats the mistakes that we're trying to correct with OU, which is to allow a subjective, inconsistent, non-industry-standard approach that exposes users and browsers to unnecessary risk, both in interpretation and action. You may recall similar proposals with SHA-1, and the particular repeat failures of CAs to adhere to those processes discussed.
We have zero reason to believe things have improved; indeed, evidence to the contrary is readily apparent even in CA non-compliance issues in the past few months. Because of this, while interesting, it certainly does not seem to find the right user security balance.</div><div><br></div><div>While these are ultimately things that can be directly addressed by root program policies to the CAs within those root programs, we are certainly interested in seeing if there is a reasonable point in the Forum for discussion. While this draft ballot does not yet factor in the many conversations that have been had, or the concerns that have been raised, we look forward to working with you on a more reasonable timeframe, and with a more reasonable process in play. Again, using the past experiences of the Forum, anything that does not "immediately" SHOULD NOT would certainly not be setting up site operators for success, as they replace certificates this year, but we do believe you're on the right track to gathering and producing explicit documentation on the use cases here as the year progresses, to allow us to revisit if there are any use cases that have not yet been exhaustively discussed.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 25, 2021 at 9:47 AM Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Entrust is proposing this change to deprecate and finally prohibit the `subject:organizationName` as a follow-up to our previous proposal that
failed to gain consensus on the way to improve the validation. </span><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">Ben Wilson from Mozilla and Chema Lopez from Firmaprofesional have indicated that they will endorse
this proposal to deprecate and finally prohibit the OU.</span></div>
<div><br>
</div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Before we submit the ballot, we would like to know if the members of the validation working group are fine with the definition 'documented
case-by-case exception' that is required in this proposal and expects the CA to create or collect documentation on why this exception was required.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<blockquote style="margin-top:0px;margin-bottom:0px"><span style="font-family:&quot;Courier New&quot;,monospace;font-size:10pt">i. __Certificate Field:__ `subject:organizationalUnitName` (OID: 2.5.4.11) </span>
<div><span style="font-family:&quot;Courier New&quot;,monospace;font-size:10pt"> __Required/Optional:__ __Optional__. </span></div>
<div><span style="font-family:&quot;Courier New&quot;,monospace;font-size:10pt"> __Required/Optional:__
</span></div>
<div><span style="font-family:&quot;Courier New&quot;,monospace;font-size:10pt"> __Prohibited__ if the `subject:organizationName` is absent.</span></div>
<div><span style="font-family:&quot;Courier New&quot;,monospace;font-size:10pt"> __Prohibited__ after May 31, 2022 but allowed as a documented case-by-case exception until and including May 31, 2024.</span></div>
<span style="font-family:&quot;Courier New&quot;,monospace;font-size:10pt"> __Deprecated__ discouraged until prohibited.</span><br>
</blockquote>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<a href="https://github.com/cabforum/servercert/compare/main...vanbroup:oudeprecation" target="_blank">Comparing cabforum:main...vanbroup:oudeprecation · cabforum/servercert (github.com)</a><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Thanks,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
Paul</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</blockquote></div>
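The profile rule quoted in Paul's draft (OU optional; prohibited when subject:organizationName is absent; prohibited after May 31, 2022 but allowed under a documented case-by-case exception until and including May 31, 2024; deprecated until then) written out as a lint over a parsed certificate. This is an added example, not code from the thread, from Entrust, or from the cabforum/servercert repository. It uses only Go's standard-library crypto/x509; the self-signed sample certificate is constructed here, and the documentedException flag is a hypothetical input standing in for whatever record a CA would keep, since the draft does not define that record's form.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cut-over dates exactly as written in the quoted draft text.
var (
	ouProhibitedAfter = time.Date(2022, time.May, 31, 23, 59, 59, 0, time.UTC) // "Prohibited after May 31, 2022"
	ouExceptionUntil  = time.Date(2024, time.May, 31, 23, 59, 59, 0, time.UTC) // "until and including May 31, 2024"
)

// Verdict is the lint result for the subject:organizationalUnitName field.
type Verdict string

const (
	VerdictNoOU                   Verdict = "ok: no OU present"
	VerdictDeprecated             Verdict = "deprecated: OU present, discouraged until prohibited"
	VerdictProhibitedNoOrg        Verdict = "prohibited: OU present but subject:organizationName absent"
	VerdictAllowedByException     Verdict = "allowed: OU present under a documented case-by-case exception"
	VerdictProhibitedUndocumented Verdict = "prohibited: OU present after May 31, 2022 without a documented exception"
	VerdictProhibitedAfterSunset  Verdict = "prohibited: OU present after May 31, 2024"
)

// EvaluateOU applies the draft rules to a subject and the certificate's
// notBefore date. documentedException is a hypothetical input standing in
// for the CA's case-by-case record; the draft does not define its form.
func EvaluateOU(subject pkix.Name, notBefore time.Time, documentedException bool) Verdict {
	if len(subject.OrganizationalUnit) == 0 {
		return VerdictNoOU // field is Optional, nothing further to check
	}
	if len(subject.Organization) == 0 {
		return VerdictProhibitedNoOrg // prohibited regardless of issuance date
	}
	if !notBefore.After(ouProhibitedAfter) {
		return VerdictDeprecated
	}
	if notBefore.After(ouExceptionUntil) {
		return VerdictProhibitedAfterSunset
	}
	if documentedException {
		return VerdictAllowedByException
	}
	return VerdictProhibitedUndocumented
}

// CheckCertificate runs EvaluateOU on a parsed certificate, so the same
// logic can be applied to DER from a CA database or a CT log.
func CheckCertificate(cert *x509.Certificate, documentedException bool) Verdict {
	return EvaluateOU(cert.Subject, cert.NotBefore, documentedException)
}

// newSampleCert builds a self-signed leaf with the given subject and
// notBefore: a constructed sample for exercising the lint, not a CA's certificate.
func newSampleCert(subject pkix.Name, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(397 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	withOU := pkix.Name{Organization: []string{"Example Corp"}, OrganizationalUnit: []string{"IT"}, CommonName: "example.com"}
	noOrg := pkix.Name{OrganizationalUnit: []string{"IT"}, CommonName: "example.com"}
	cases := []struct {
		label string
		subj  pkix.Name
		when  time.Time
		exc   bool
	}{
		{"O+OU issued 2021-06-01", withOU, time.Date(2021, time.June, 1, 0, 0, 0, 0, time.UTC), false},
		{"OU without O", noOrg, time.Date(2021, time.June, 1, 0, 0, 0, 0, time.UTC), false},
		{"O+OU issued 2023-01-01, no record", withOU, time.Date(2023, time.January, 1, 0, 0, 0, 0, time.UTC), false},
		{"O+OU issued 2024-06-01, documented", withOU, time.Date(2024, time.June, 1, 0, 0, 0, 0, time.UTC), true},
	}
	for _, c := range cases {
		cert, err := newSampleCert(c.subj, c.when)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s -> %s\n", c.label, CheckCertificate(cert, c.exc))
	}
}
```

The date comparisons are on notBefore, the only issuance-time signal a parsed certificate carries; because CheckCertificate takes an *x509.Certificate, the same function can be pointed at certificates retrieved from Certificate Transparency to measure how many currently issued certificates carry an OU, which is the kind of empirical data the reply above asks for before settling on a deadline.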