<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-2022-jp"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EstiloCorreo22
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:520363205;
        mso-list-type:hybrid;
        mso-list-template-ids:1442884260 -1027311272 67698689 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-start-at:2;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:54.0pt;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:90.0pt;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:126.0pt;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:162.0pt;
        text-indent:-18.0pt;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:198.0pt;
        text-indent:-18.0pt;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:234.0pt;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:270.0pt;
        text-indent:-18.0pt;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:306.0pt;
        text-indent:-18.0pt;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:342.0pt;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:592513253;
        mso-list-type:hybrid;
        mso-list-template-ids:665212522 1564913622 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-start-at:2;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:54.0pt;
        text-indent:-18.0pt;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:90.0pt;
        text-indent:-18.0pt;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:126.0pt;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:162.0pt;
        text-indent:-18.0pt;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:198.0pt;
        text-indent:-18.0pt;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:234.0pt;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:270.0pt;
        text-indent:-18.0pt;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:306.0pt;
        text-indent:-18.0pt;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:342.0pt;
        text-indent:-9.0pt;}
@list l2
        {mso-list-id:648746564;
        mso-list-template-ids:867972344;}
@list l2:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level2
        {mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level3
        {mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level4
        {mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level5
        {mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level6
        {mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level7
        {mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level8
        {mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level9
        {mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3
        {mso-list-id:1390493340;
        mso-list-template-ids:758811982;}
@list l3:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level2
        {mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level3
        {mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level4
        {mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level5
        {mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level6
        {mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level7
        {mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level8
        {mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3:level9
        {mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>I like the idea of having a common framework for all WGs' base documents (basic BRs common to all BRs), and from there, work on the specificities of every certificate type.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>We've been having some discussions in the S/MIME WG because of this "alignment" with the SC WG, and it also happened initially with the CS. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Validation &lt;validation-bounces@cabforum.org&gt; <b>On Behalf Of </b>Tim Hollebeek via Validation<br><b>Sent:</b> Friday, 14 October 2022 15:40<br><b>To:</b> Martijn Katerbarg &lt;martijn.katerbarg@sectigo.com&gt;; CABforum3 &lt;validation@cabforum.org&gt;; Doug Beattie &lt;doug.beattie@globalsign.com&gt;; Dimitris Zacharopoulos (HARICA) &lt;dzacharo@harica.gr&gt;<br><b>Subject:</b> Re: [cabf_validation] OU attribute in CA Certificates<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>I continue to have issues with whether the server certificate BRs should be able to impose requirements on the contents of non-server ICAs.  It seems like a violation of the charter to me, as I've stated several times before over the years.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>It makes sense to insist that they are well-formed, compliant with RFC 5280, have an EKU, can be determined to *<b>not</b>* be a TLS ICA, etc.  But going beyond that to state what fields are or are not permitted seems to be stepping on the toes of the other working groups that are responsible for such certificates.  I'd support a uniform standard for what can/cannot be included in all ICAs, but I think that needs to be done by a WG like the "BR of BRs" working group that has been discussed ever since we started doing governance reform.  
I don't think server cert as it is currently chartered can do it.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>-Tim<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Validation &lt;<a href="mailto:validation-bounces@cabforum.org">validation-bounces@cabforum.org</a>&gt; <b>On Behalf Of </b>Martijn Katerbarg via Validation<br><b>Sent:</b> Friday, October 14, 2022 3:54 AM<br><b>To:</b> Doug Beattie &lt;<a href="mailto:doug.beattie@globalsign.com">doug.beattie@globalsign.com</a>&gt;; CABforum3 &lt;<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>&gt;; Dimitris Zacharopoulos (HARICA) &lt;<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>&gt;<br><b>Subject:</b> Re: [cabf_validation] OU attribute in CA Certificates<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Dimitris, Doug,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Is there any reason why we wouldn't want to prohibit it for Root CA certificates and non-TLS Sub CA Certificates?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Now maybe this is going in a direction where it becomes part of version 2 of the profiles, but should we be looking at which fields are being included at this moment and make a clearer requirement on what's allowed and what's not? <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>With the language as it is proposed, it seems that any subject attribute except for OU is allowed. 
<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>In my opinion it would be more desirable to add a specific MAY for fields that CAs are using and are deemed acceptable, and find a path forward on setting Any Other Attribute to MUST NOT.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Martijn<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Validation &lt;<a href="mailto:validation-bounces@cabforum.org">validation-bounces@cabforum.org</a>&gt; <b>On Behalf Of </b>Doug Beattie via Validation<br><b>Sent:</b> Thursday, 13 October 2022 22:06<br><b>To:</b> Dimitris Zacharopoulos (HARICA) &lt;<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>&gt;; CA/Browser Forum Validation SC List &lt;<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>&gt;<br><b>Subject:</b> Re: [cabf_validation] OU attribute in CA Certificates<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>Hi Dimitris,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I'd lean towards your option #2:<o:p></o:p></span></p><ol start=2 type=1><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l1 level1 lfo1'><span lang=EN-US>Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence column state "MUST NOT," except for Non-TLS Subordinate CA Certificates that meet the Certificate Profile described in section 7.1.2.3".<o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US>Just a suggestion:<o:p></o:p></span></p><ol start=2 type=1><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l0 level1 lfo2'><span lang=EN-US>Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence column state:<o:p></o:p></span></li></ol><ol start=2 type=1><ul type=disc><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l0 level2 lfo2'><span lang=EN-US>MUST NOT for TLS Subordinate CA Certificates defined in section 7.1.2.3, <o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:18.0pt;mso-list:l0 level2 lfo2'><span lang=EN-US>SHOULD NOT for all other CAs"<o:p></o:p></span></li></ul></ol><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span 
lang=EN-US>From:</span></b><span lang=EN-US> Validation &lt;<a href="mailto:validation-bounces@cabforum.org">validation-bounces@cabforum.org</a>&gt; <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Validation<br><b>Sent:</b> Thursday, October 13, 2022 12:31 PM<br><b>To:</b> <a href="mailto:validation@cabforum.org">validation@cabforum.org</a><br><b>Subject:</b> [cabf_validation] OU attribute in CA Certificates<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US>[Moving this discussion to the validation subcommittee]<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On 13/10/2022 5:36 PM, Dimitris Zacharopoulos (HARICA) via Servercert-wg wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US>I'd like to ask for a few minutes to discuss the OU attribute in CA Certificates as described in <a href="https://github.com/cabforum/servercert/pull/394">https://github.com/cabforum/servercert/pull/394</a> so we can decide on next steps.<br><br>Thanks,<br>Dimitris.<o:p></o:p></span></p></blockquote><p class=MsoNormal><span lang=EN-US><br>Following up on today's SCWG call, I did a quick review of the profiles ballot and unfortunately the current draft describes 5 different CA Certificate profiles (actually there is one more for Cross Certificates in <a 
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7122-cross-certified-subordinate-ca-certificate-profile">7.1.2.2</a> but that doesn't seem to create any issues):<o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo3'><span lang=EN-US><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7121-root-ca-certificate-profile">7.1.2.1 Root CA Certificate Profile</a><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo3'><span lang=EN-US><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile">7.1.2.3 Technically Constrained Non-TLS Subordinate CA 
Certificate Profile</a><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo3'><span lang=EN-US><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7124-technically-constrained-precertificate-signing-ca-certificate-profile">7.1.2.4 Technically Constrained Precertificate Signing CA Certificate Profile</a> (we should fix the internal broken link to this pointer in section 7.1.2)<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo3'><span lang=EN-US><a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7125-technically-constrained-tls-subordinate-ca-certificate-profile">7.1.2.5 Technically Constrained TLS Subordinate CA Certificate Profile</a><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo3'><span lang=EN-US><a 
href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#7126-tls-subordinate-ca-certificate-profile">7.1.2.6 TLS Subordinate CA Certificate Profile</a><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US>that all point to a common section <a href="https://github.com/cabforum/servercert/blob/profiles/docs/BR.md#712102-ca-certificate-naming">7.1.2.10.2</a> for the subjectDN CA Certificate Naming. <br><br>If we want to disallow OU in CA Certificates (new Roots and Intermediates), shouldn't that only affect 7.1.2.5 and 7.1.2.6? I'm not sure about 7.1.2.4 as I am not so familiar with Precertificate Signing CAs but it looks like it needs to follow the "TLS CA" rules. 
If there is agreement, here are some ways to tackle this problem:<o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4'><span lang=EN-US>Rename 7.1.2.10.2 from "CA Certificate Naming" to "TLS CA Certificate Naming", use "MUST NOT" for the OU field, create a 7.1.2.10.3 "Non-TLS CA Certificate Naming" with exactly what's in today's 7.1.2.10.2 and shift all sections at the same level by one; or<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4'><span lang=EN-US>Update 7.1.2.10.2, add the Attribute Type OU, and in the Presence column state "MUST NOT," except for Non-TLS Subordinate CA Certificates that meet the Certificate Profile described in section 7.1.2.3".<o:p></o:p></span></li></ol><p><span lang=EN-US>Thoughts or other ideas?<o:p></o:p></span></p><p><span lang=EN-US>Dimitris.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><o:p> </o:p></span></p></div></div></div></div></body></html>