<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
The breakdown makes it clearer, thanks Doug. We just need to see how
this will appear in the table via markdown.<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 13/10/2022 11:05 PM, Doug Beattie
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SEZPR03MB6593396AE4149FC52709C106F0259@SEZPR03MB6593.apcprd03.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’d lean towards your option #2:<o:p></o:p></p>
<ol type="1" start="2">
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in;mso-list:l1
level1 lfo5">Update 7.1.2.10.2, add the Attribute Type OU,
and in the Presence column state "MUST NOT, except for
Non-TLS Subordinate CA Certificates that meet the
Certificate Profile described in section 7.1.2.3".<o:p></o:p></li>
</ol>
<p class="MsoNormal">Just a suggestion:<o:p></o:p></p>
<ol type="1" start="2">
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in;mso-list:l0
level1 lfo6">Update 7.1.2.10.2, add the Attribute Type OU,
and in the Presence column state:<o:p></o:p></li>
<ul type="disc">
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in;mso-list:l0
level2 lfo6">MUST NOT for TLS Subordinate CA Certificates
defined in section 7.1.2.3, <o:p></o:p></li>
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in;mso-list:l0
level2 lfo6">SHOULD NOT for all other CAs<o:p></o:p></li>
</ul>
</ol>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Validation
<a class="moz-txt-link-rfc2396E" href="mailto:validation-bounces@cabforum.org"><validation-bounces@cabforum.org></a> <b>On Behalf Of </b>Dimitris
Zacharopoulos (HARICA) via Validation<br>
<b>Sent:</b> Thursday, October 13, 2022 12:31 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:validation@cabforum.org">validation@cabforum.org</a><br>
<b>Subject:</b> [cabf_validation] OU attribute in CA
Certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">[Moving this
discussion to the validation subcommittee]<o:p></o:p></p>
<div>
<p class="MsoNormal">On 13/10/2022 5:36 PM, Dimitris
Zacharopoulos (HARICA) via Servercert-wg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I'd like to ask for a few minutes to
discuss the OU attribute in CA Certificates as
described in <a
href="https://github.com/cabforum/servercert/pull/394"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/pull/394</a>
so we can decide on next steps.<br>
<br>
Thanks,<br>
Dimitris.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Following up on today's SCWG call, I did a quick review of the
profiles ballot and unfortunately the current draft describes
5 different CA Certificate profiles (actually there is one
more for Cross Certificates in <a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7122-cross-certified-subordinate-ca-certificate-profile"
moz-do-not-send="true">7.1.2.2</a> but that doesn't seem to
create any issues):<o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5
level1 lfo1"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7121-root-ca-certificate-profile"
moz-do-not-send="true">7.1.2.1 Root CA Certificate Profile</a><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5
level1 lfo1"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile"
moz-do-not-send="true">7.1.2.3 Technically Constrained
Non-TLS Subordinate CA Certificate Profile</a><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5
level1 lfo1"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7124-technically-constrained-precertificate-signing-ca-certificate-profile"
moz-do-not-send="true">7.1.2.4 Technically Constrained
Precertificate Signing CA Certificate Profile</a> (we
should fix the internal broken link to this pointer in
section 7.1.2)<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5
level1 lfo1"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7125-technically-constrained-tls-subordinate-ca-certificate-profile"
moz-do-not-send="true">7.1.2.5 Technically Constrained TLS
Subordinate CA Certificate Profile</a><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5
level1 lfo1"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7126-tls-subordinate-ca-certificate-profile"
moz-do-not-send="true">7.1.2.6 TLS Subordinate CA
Certificate Profile</a><o:p></o:p></li>
</ol>
<p class="MsoNormal">that all point to a common section <a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#712102-ca-certificate-naming"
moz-do-not-send="true">7.1.2.10.2</a> for the subjectDN CA
Certificate Naming. <br>
<br>
If we want to disallow OU in CA Certificates (new Roots and
Intermediates), shouldn't that only affect 7.1.2.5 and
7.1.2.6? I'm not sure about 7.1.2.4 as I am not so familiar
with Precertificate Signing CAs but it looks like it needs to
follow the "TLS CA" rules. If there is agreement, here are
some ways to tackle this problem:<o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo3">Rename 7.1.2.10.2 from "CA Certificate Naming"
to "TLS CA Certificate Naming", use "MUST NOT" for the OU
field, create a 7.1.2.10.3 "Non-TLS CA Certificate Naming"
with exactly what's in today's 7.1.2.10.2 and shift all
sections at the same level by one; or<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo3">Update 7.1.2.10.2, add the Attribute Type OU,
and in the Presence column state "MUST NOT, except for
Non-TLS Subordinate CA Certificates that meet the
Certificate Profile described in section 7.1.2.3".<o:p></o:p></li>
</ol>
<p>Thoughts or other ideas?<o:p></o:p></p>
<p>Dimitris.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>