<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 14/10/2022 10:53 a.m., Martijn
      Katerbarg wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:MW5PR17MB601253CE3B337C597A942160E3249@MW5PR17MB6012.namprd17.prod.outlook.com">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style>@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}div.WordSection1
        {page:WordSection1;}ol
        {margin-bottom:0cm;}ul
        {margin-bottom:0cm;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">Dimitris, Doug,<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">Is there any reason why we wouldn’t want to
            prohibit it for Root CA certificates and non-TLS Sub CA
            Certificates?<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">Now maybe this is going in a direction where it
            becomes part of version 2 of the profiles, but should we be
            looking at which fields are being included at this moment
            and make a clearer requirement on what’s allowed and
            what’s not? <o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">With the language as it is proposed, it seems
            that any subject attribute except for OU is allowed. <o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">In my opinion it would be more desirable to add
            a specific MAY for fields that CAs are using and are deemed
            acceptable, and find a path forward on setting Any Other
            Attribute to MUST NOT.</span></p>
      </div>
    </blockquote>
    <br>
    Martijn,<br>
    <br>
    I agree with you that this should be the ultimate goal (add a
    specific MAY for more fields, etc.) but this would require more work
    and discussion. I don't believe it can be added to the profiles
    ballot as it would cause more delays.<br>
    <br>
    At the same time, there is already agreement to prohibit OU for
    TLS-specific CAs, which will have no impact since it has not been
    included in CA Certificates since the cutoff date.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <blockquote type="cite"
cite="mid:MW5PR17MB601253CE3B337C597A942160E3249@MW5PR17MB6012.namprd17.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">Martijn<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                lang="EN-US"> Validation
                <a class="moz-txt-link-rfc2396E" href="mailto:validation-bounces@cabforum.org">&lt;validation-bounces@cabforum.org&gt;</a> <b>On Behalf Of
                </b>Doug Beattie via Validation<br>
                <b>Sent:</b> Thursday, 13 October 2022 22:06<br>
                <b>To:</b> Dimitris Zacharopoulos (HARICA)
                <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr">&lt;dzacharo@harica.gr&gt;</a>; CA/Browser Forum Validation
                SC List <a class="moz-txt-link-rfc2396E" href="mailto:validation@cabforum.org">&lt;validation@cabforum.org&gt;</a><br>
                <b>Subject:</b> Re: [cabf_validation] OU attribute in CA
                Certificates<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif" lang="EN-US"><o:p> </o:p></span></p>
        <div>
          <p class="MsoNormal"><span lang="EN-US">Hi Dimitris,<o:p></o:p></span></p>
          <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span lang="EN-US">I’d lean towards your
              option #2:<o:p></o:p></span></p>
          <ol type="1" start="2">
            <li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l1
              level1 lfo1"><span lang="EN-US">Update 7.1.2.10.2, add the
                Attribute Type OU, and in the Presence column state
                "MUST NOT, except for Non-TLS Subordinate CA
                Certificates that meet the Certificate Profile described
                in section 7.1.2.3".<o:p></o:p></span></li>
          </ol>
          <p class="MsoNormal"><span lang="EN-US">Just a suggestion:<o:p></o:p></span></p>
          <ol type="1" start="2">
            <li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l0
              level1 lfo2"><span lang="EN-US">Update 7.1.2.10.2, add the
                Attribute Type OU, and in the Presence column state:<o:p></o:p></span>
              <ul type="disc">
                <li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l0
                  level2 lfo2"><span lang="EN-US">MUST NOT for TLS
                    Subordinate CA Certificates defined in section
                    7.1.2.3,<o:p></o:p></span></li>
                <li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l0
                  level2 lfo2"><span lang="EN-US">SHOULD NOT for all other
                    CAs<o:p></o:p></span></li>
              </ul>
            </li>
          </ol>
          <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0cm 0cm 0cm">
              <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                  lang="EN-US"> Validation &lt;<a
                    href="mailto:validation-bounces@cabforum.org"
                    moz-do-not-send="true" class="moz-txt-link-freetext">validation-bounces@cabforum.org</a>&gt;
                  <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA)
                  via Validation<br>
                  <b>Sent:</b> Thursday, October 13, 2022 12:31 PM<br>
                  <b>To:</b> <a href="mailto:validation@cabforum.org"
                    moz-do-not-send="true" class="moz-txt-link-freetext">validation@cabforum.org</a><br>
                  <b>Subject:</b> [cabf_validation] OU attribute in CA
                  Certificates<o:p></o:p></span></p>
            </div>
          </div>
          <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><span
              lang="EN-US">[Moving this discussion to the validation
              subcommittee]<o:p></o:p></span></p>
          <div>
            <p class="MsoNormal"><span lang="EN-US">On 13/10/2022 5:36
                p.m., Dimitris Zacharopoulos (HARICA) via Servercert-wg
                wrote:<o:p></o:p></span></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p class="MsoNormal"><span lang="EN-US">I'd like to ask for
                a few minutes to discuss the OU attribute in CA
                Certificates as described in <a
href="https://github.com/cabforum/servercert/pull/394"
                  moz-do-not-send="true">https://github.com/cabforum/servercert/pull/394</a>
                so we can decide on next steps.<br>
                <br>
                Thanks,<br>
                Dimitris.<o:p></o:p></span></p>
          </blockquote>
          <p class="MsoNormal"><span lang="EN-US"><br>
              Following up on today's SCWG call, I did a quick review of
              the profiles ballot and unfortunately the current draft
              describes 5 different CA Certificate profiles (actually
              there is one more for Cross Certificates in <a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7122-cross-certified-subordinate-ca-certificate-profile"
                moz-do-not-send="true">7.1.2.2</a> but that doesn't seem
              to create any issues):<o:p></o:p></span></p>
          <ol type="1" start="1">
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
              level1 lfo3"><span lang="EN-US"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7121-root-ca-certificate-profile"
                  moz-do-not-send="true">7.1.2.1 Root CA Certificate
                  Profile</a><o:p></o:p></span></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
              level1 lfo3"><span lang="EN-US"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile"
                  moz-do-not-send="true">7.1.2.3 Technically Constrained
                  Non-TLS Subordinate CA Certificate Profile</a><o:p></o:p></span></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
              level1 lfo3"><span lang="EN-US"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7124-technically-constrained-precertificate-signing-ca-certificate-profile"
                  moz-do-not-send="true">7.1.2.4 Technically Constrained
                  Precertificate Signing CA Certificate Profile</a> (we
                should fix the internal broken link to this pointer in
                section 7.1.2)<o:p></o:p></span></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
              level1 lfo3"><span lang="EN-US"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7125-technically-constrained-tls-subordinate-ca-certificate-profile"
                  moz-do-not-send="true">7.1.2.5 Technically Constrained
                  TLS Subordinate CA Certificate Profile</a><o:p></o:p></span></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
              level1 lfo3"><span lang="EN-US"><a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7126-tls-subordinate-ca-certificate-profile"
                  moz-do-not-send="true">7.1.2.6 TLS Subordinate CA
                  Certificate Profile</a><o:p></o:p></span></li>
          </ol>
          <p class="MsoNormal"><span lang="EN-US">that all point to a
              common section <a
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#712102-ca-certificate-naming"
                moz-do-not-send="true">7.1.2.10.2</a> for the subjectDN
              CA Certificate Naming. <br>
              <br>
              If we want to disallow OU in CA Certificates (new Roots
              and Intermediates), shouldn't that only affect 7.1.2.5 and
              7.1.2.6? I'm not sure about 7.1.2.4, as I am not so
              familiar with Precertificate Signing CAs, but it looks like
              it needs to follow the "TLS CA" rules. If there is
              agreement, here are some ways to tackle this problem:<o:p></o:p></span></p>
          <ol type="1" start="1">
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
              level1 lfo4"><span lang="EN-US">Rename 7.1.2.10.2 from "CA
                Certificate Naming" to "TLS CA Certificate Naming", use
                "MUST NOT" for the OU field, create a 7.1.2.10.3
                "Non-TLS CA Certificate Naming" with exactly what's in
                today's 7.1.2.10.2 and shift all sections at the same
                level by one; or<o:p></o:p></span></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
              level1 lfo4"><span lang="EN-US">Update 7.1.2.10.2, add the
                Attribute Type OU, and in the Presence column state
                "MUST NOT, except for Non-TLS Subordinate CA
                Certificates that meet the Certificate Profile described
                in section 7.1.2.3".<o:p></o:p></span></li>
          </ol>
          <p><span lang="EN-US">Thoughts or other ideas?<o:p></o:p></span></p>
          <p><span lang="EN-US">Dimitris.<o:p></o:p></span></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><span
              lang="EN-US"><o:p> </o:p></span></p>
        </div>
      </div>
    </blockquote>
    <br>
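    <p>Added example (not code from the thread, the CA/Browser Forum, or any of the CAs named above): a small lint that applies the presence rule discussed here to a certificate's subject DN, treating OU as an error for TLS Subordinate CA certificates (7.1.2.5 / 7.1.2.6) and as a warning for Root and non-TLS Subordinate CA certificates. It assumes the caller has already decided which profile the certificate falls under; that classification is not shown. The DER Name reader and the <code>make_subject</code>, <code>parse_subject</code> and <code>check_ou</code> helpers are mine, and the two subject DNs at the bottom are constructed for the example, not taken from real certificates.</p>

```python
"""OU lint for CA certificate subject DNs (added example, not CA/B Forum code).

Rule, as discussed in the thread: OU MUST NOT appear in TLS Subordinate CA
certificates (BR 7.1.2.5 / 7.1.2.6) and SHOULD NOT appear in other CA
certificates. The profile is an input; classifying a certificate is assumed
to be done elsewhere. A minimal DER reader avoids needing a cert library.
"""
from enum import Enum

OID_OU = "2.5.4.11"  # id-at-organizationalUnitName


class Profile(Enum):
    ROOT = "7.1.2.1 Root CA"
    NON_TLS_SUB = "7.1.2.3 Non-TLS Subordinate CA"
    TLS_SUB = "7.1.2.5 / 7.1.2.6 TLS Subordinate CA"


# --- minimal DER reader: SEQUENCE / SET / OID / string values -------------
def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element) at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OID contents: base-128 sub-identifiers, first two arcs packed."""
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the sub-identifier
            subids.append(val)
            val = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, arcs + subids[1:]))


def parse_subject(der):
    """Decode an X.501 Name into an ordered list of (dotted OID, value)."""
    tag, name, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(name):  # Name is a SEQUENCE of RDNs (SET) ...
        tag, rdn, pos = _read_tlv(name, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):  # ... each a SET of AttributeTypeAndValue
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            # PrintableString and UTF8String values both decode as UTF-8 here
            attrs.append((_decode_oid(oid), value.decode("utf-8", "replace")))
    return attrs


def check_ou(subject_der, profile):
    """Return 'pass', or an 'error: ...' / 'warning: ...' finding string."""
    ous = [v for oid, v in parse_subject(subject_der) if oid == OID_OU]
    if not ous:
        return "pass"
    if profile is Profile.TLS_SUB:
        return f"error: OU MUST NOT be present in a {profile.value} certificate (found {ous})"
    return f"warning: OU SHOULD NOT be present in a {profile.value} certificate (found {ous})"


# --- tiny DER encoder, used only to build the constructed sample subjects --
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # prepend continuation bytes, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def make_subject(attrs):
    """DER Name from (dotted OID, str) pairs: one attribute per RDN, UTF8String."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _encode_oid(o) + _tlv(0x0C, v.encode())))
                    for o, v in attrs)
    return _tlv(0x30, rdns)


# constructed sample subjects for this example (not real certificates)
SUBJECT_WITH_OU = make_subject([("2.5.4.6", "GR"), ("2.5.4.10", "Example CA Ltd"),
                                ("2.5.4.11", "PKI Operations"), ("2.5.4.3", "Example Issuing CA 1")])
SUBJECT_NO_OU = make_subject([("2.5.4.6", "GR"), ("2.5.4.10", "Example CA Ltd"),
                              ("2.5.4.3", "Example Issuing CA 2")])

if __name__ == "__main__":
    for label, subj in (("with OU", SUBJECT_WITH_OU), ("without OU", SUBJECT_NO_OU)):
        for profile in Profile:
            print(f"{label:11} {profile.name:12} {check_ou(subj, profile)}")
```

    <p>Running the block prints one finding per (subject, profile) pair. Feeding it a real certificate only needs the subject's DER bytes (the <code>tbsCertificate.subject</code> element) plus the profile the operator has assigned to that CA; the same reader also works for subjects with multi-valued RDNs, since it walks every AttributeTypeAndValue inside each SET.</p>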
  </body>
</html>