<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1>
<p class=MsoNormal>Hi Dimitris,</p>
<p class=MsoNormal> </p>
<p class=MsoNormal>I’d lean towards your option #2:</p>
<ol start=2 type=1>
<li class=MsoListParagraph style='margin-left:.25in'>Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence column state "MUST NOT, except for Non-TLS Subordinate CA Certificates that meet the Certificate Profile described in section 7.1.2.3".</li>
</ol>
<p class=MsoNormal>Just a suggestion:</p>
<ol start=2 type=1>
<li class=MsoListParagraph style='margin-left:.25in'>Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence column state:
<ul type=disc>
<li class=MsoListParagraph style='margin-left:.25in'>MUST NOT for TLS Subordinate CA Certificates defined in section 7.1.2.3,</li>
<li class=MsoListParagraph style='margin-left:.25in'>SHOULD NOT for all other CAs</li>
</ul>
</li>
</ol>
<p class=MsoNormal> </p>
<div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Validation &lt;validation-bounces@cabforum.org&gt; <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Validation<br><b>Sent:</b> Thursday, October 13, 2022 12:31 PM<br><b>To:</b> validation@cabforum.org<br><b>Subject:</b> [cabf_validation] OU attribute in CA Certificates</p></div></div>
<p class=MsoNormal style='margin-bottom:12.0pt'>[Moving this discussion to the validation subcommittee]</p>
<div><p class=MsoNormal>On 13/10/2022 5:36 PM, Dimitris Zacharopoulos (HARICA) via Servercert-wg wrote:</p></div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>I'd like to ask for a few minutes to discuss the OU attribute in CA Certificates as described in <a href="https://github.com/cabforum/servercert/pull/394">https://github.com/cabforum/servercert/pull/394</a> so we can decide on next steps.<br><br>Thanks,<br>Dimitris.</p></blockquote>
<p class=MsoNormal><br>Following up on today's SCWG call, I did a quick review of the profiles ballot and unfortunately the current draft describes 5 different CA Certificate profiles (actually there is one more for Cross Certificates in <a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7122-cross-certified-subordinate-ca-certificate-profile">7.1.2.2</a> but that doesn't seem to create any issues):</p>
<ol start=1 type=1>
<li class=MsoNormal><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7121-root-ca-certificate-profile">7.1.2.1 Root CA Certificate Profile</a></li>
<li class=MsoNormal><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile">7.1.2.3 Technically Constrained Non-TLS Subordinate CA Certificate Profile</a></li>
<li class=MsoNormal><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7124-technically-constrained-precertificate-signing-ca-certificate-profile">7.1.2.4 Technically Constrained Precertificate Signing CA Certificate Profile</a> (we should fix the internal broken link to this pointer in section 7.1.2)</li>
<li class=MsoNormal><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7125-technically-constrained-tls-subordinate-ca-certificate-profile">7.1.2.5 Technically Constrained TLS Subordinate CA Certificate Profile</a></li>
<li class=MsoNormal><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7126-tls-subordinate-ca-certificate-profile">7.1.2.6 TLS Subordinate CA Certificate Profile</a></li>
</ol>
<p class=MsoNormal>that all point to a common section <a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#712102-ca-certificate-naming">7.1.2.10.2</a> for the subjectDN CA Certificate Naming.<br><br>If we want to disallow OU in CA Certificates (new Roots and Intermediates), shouldn't that only affect 7.1.2.5 and 7.1.2.6? I'm not sure about 7.1.2.4 as I am not so familiar with Precertificate Signing CAs, but it looks like it needs to follow the "TLS CA" rules. If there is agreement, here are some ways to tackle this problem:</p>
<ol start=1 type=1>
<li class=MsoNormal>Rename 7.1.2.10.2 from "CA Certificate Naming" to "TLS CA Certificate Naming", use "MUST NOT" for the OU field, create a 7.1.2.10.3 "Non-TLS CA Certificate Naming" with exactly what's in today's 7.1.2.10.2 and shift all sections at the same level by one; or</li>
<li class=MsoNormal>Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence column state "MUST NOT, except for Non-TLS Subordinate CA Certificates that meet the Certificate Profile described in section 7.1.2.3".</li>
</ol>
<p>Thoughts or other ideas?</p>
<p>Dimitris.</p>
</div></body></html>