[cabfpub] Questions about [70] EV Code Signing Identifier

Rick Andrews Rick_Andrews at symantec.com
Fri Jun 8 22:12:58 UTC 2012


(copying the public list)

I think I understand now. There shouldn't be ambiguity if State is omitted, or if State and/or Org contain hyphens because anyone who needs to parse the permanentIdentifier will do so not by looking for hyphen delimiters, but by checking if State and/or Org are present in the DN and skipping past those matching values from the DN.

I haven't created any motions yet, so if you wouldn't mind creating it, I will endorse it. Thanks,


From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Friday, June 08, 2012 2:14 PM
To: Rick Andrews; management at cabforum.org
Subject: RE: [cabfpub] Questions about [70] EV Code Signing Identifier

My opinions are in-line.  I posted this to the management list since I am unable to post to the public list.

 1.  Since the STATE part is "if applicable", what happens if the STATE is not applicable? Is the permanentIdentifier "CC--REG or DATE"?
STATE is the locality, state, or province as listed in the relevant jurisdiction of incorporation field. If none of these are listed in the jurisdiction of incorporation field, then it should be either CC-REG or CC-REG-DATE-ORG, depending on the jurisdiction and whether it assigns registration numbers.

 2.  Can a State or Province include a hyphen? If so, I would expect it would need to be escaped somehow so as not to be interpreted as a delimiter.

Right now it may include the identifier - the state/province/locality identifier should match the information in the Jurisdiction of Incorporation State or Province field OR the Jurisdiction of Incorporation Locality field exactly.

 3.  Same question about Org, except that I know that Orgs can contain hyphens (e.g., "Hewlett-Packard").

 4.  We don't understand the need to allow the CA to truncate so the combination doesn't exceed 64 characters. That's the max length of DN components, but this is an extension. If the intent is to ensure that any CA would come up with the same combination for a given organization, this seems to allow for variability that will cause incompatibilities.
True - that was included when we were originally looking at DN components and was left inadvertently when the identifier moved to an extension.

I'd support a motion to clarify some of these issues if you'd like to make one.  If you'd prefer, I can craft a motion to clarify these issues.
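
The DN-matching parse described at the top of this thread, as an added example that is not part of the original messages or of any CA/Browser Forum text. It assumes the layout CC[-STATE]-REG or CC[-STATE]-DATE-ORG, treats a tail ending in the DN organization as the DATE-ORG form, and uses constructed names and sample values throughout.

```python
"""Added illustration: split a permanentIdentifier by matching DN values,
not by splitting on hyphens. Layout (assumed): CC[-STATE]-REG or
CC[-STATE]-DATE-ORG. All names and sample values are constructed."""


def parse_permanent_identifier(identifier, country, state=None, org=None):
    """Return the identifier's parts, using the DN values as anchors.

    country/state/org are the values already read from the certificate's
    DN; state is None when the jurisdiction lists no state/province/locality.
    """
    def skip(rest, expected, what):
        # Consume an exact DN value followed by the '-' delimiter.
        if not rest.startswith(expected + "-"):
            raise ValueError(f"{what} in identifier does not match the DN")
        return rest[len(expected) + 1:]

    rest = skip(identifier, country, "country")
    if state is not None:
        rest = skip(rest, state, "state")  # hyphens inside STATE are harmless

    parts = {"country": country, "state": state}
    # DATE-ORG form (assumed rule): the tail is the DN organization verbatim.
    if org and rest.endswith("-" + org) and len(rest) > len(org) + 1:
        parts["date"] = rest[: -(len(org) + 1)]
        parts["org"] = org
    elif rest:
        parts["registration"] = rest  # REG form: everything left over
    else:
        raise ValueError("identifier ends after the jurisdiction fields")
    return parts


def naive_split(identifier):
    """Hyphen splitting, kept only to contrast the field count."""
    return identifier.split("-")


if __name__ == "__main__":
    # Constructed sample: hyphens in both STATE and ORG.
    sample = "DE-Baden-Wuerttemberg-20120608-Hewlett-Packard"
    print(naive_split(sample))
    print(parse_permanent_identifier(
        sample, "DE", state="Baden-Wuerttemberg", org="Hewlett-Packard"))
    # Constructed sample: STATE not applicable, registration number form.
    print(parse_permanent_identifier("SG-201200001A", "SG", org="Example Pte Ltd"))
```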

