[cabfpub] Questions about [70] EV Code Signing Identifier

Ben Wilson ben at digicert.com
Fri Jun 8 23:20:49 UTC 2012

Also, the hyphens are mainly to help humans to delimit the
permanentIdentifier, but I don't think they can be used for machine-parsing
unless you have a rule set that covers all potential combinations for
various jurisdictions, etc. For example, you could have Hewlett-Packard
with Corporate Serial Number 123-456-789 located in Port-au-Prince.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Friday, June 08, 2012 4:13 PM
To: Jeremy Rowley; management at cabforum.org; public at cabforum.org
Subject: Re: [cabfpub] Questions about [70] EV Code Signing Identifier




(copying the public list)


I think I understand now. There shouldn't be ambiguity if State is omitted,
or if State and/or Org contain hyphens because anyone who needs to parse the
permanentIdentifier will do so not by looking for hyphen delimiters, but by
checking if State and/or Org are present in the DN and skipping past those
matching values from the DN.


I haven't created any motions yet, so if you wouldn't mind creating it, I
will endorse it. Thanks,




From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Friday, June 08, 2012 2:14 PM
To: Rick Andrews; management at cabforum.org
Subject: RE: [cabfpub] Questions about [70] EV Code Signing Identifier


My opinions are in-line.  I posted this to the management list since I am
unable to post to the public list.


a.	Since the STATE part is "if applicable", what happens if the STATE
is not applicable? Is the permanentIdentifier "CC--REG or DATE"?

STATE is the locality, state, or province as listed in the relevant
jurisdiction of incorporation field. If none of these are listed in the
jurisdiction of incorporation field, then it should be either CC-REG or
CC-REG-DATE-ORG, depending on the jurisdiction and whether it assigns
registration numbers.

b.	Can a State or Province include a hyphen? If so, I would expect it
would need to be escaped somehow so as not to be interpreted as a delimiter.

Right now it may include the identifier - the state/province/locality
identifier should match the information in the Jurisdiction of Incorporation
State or Province field OR the Jurisdiction of Incorporation Locality
field exactly.

c.	Same question about Org, except that I know that Orgs can contain
hyphens (e.g., "Hewlett-Packard").


d.	We don't understand the need to allow the CA to truncate so the
combination doesn't exceed 64 characters. That's the max length of DN
components, but this is an extension. If the intent is to ensure that any CA
would come up with the same combination for a given organization, this seems
to allow for variability that will cause incompatibilities.

True - that was included when we were originally looking at DN components
and was left inadvertently when the identifier moved to an extension.


I'd support a motion to clarify some of these issues if you'd like to make
one.  If you'd prefer, I can craft a motion to clarify these issues.
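
The DN-guided parsing that Rick Andrews describes above, next to a naive hyphen split, as an added example that is not part of the original thread. The function name, the country code `HT`, the date value used in testing and the two layouts `CC[-STATE]-REG` and `CC[-STATE]-DATE-ORG` are assumptions made for illustration; the thread does not settle the exact layout.

```python
from typing import Optional

def parse_permanent_identifier(pid: str, country: str,
                               state: Optional[str] = None,
                               org: Optional[str] = None) -> dict:
    """Split pid by skipping past DN values instead of splitting on '-'.

    Assumed layouts (not confirmed by the thread): CC[-STATE]-REG or
    CC[-STATE]-DATE-ORG. country/state/org are the values taken from the
    certificate DN; state and org may themselves contain hyphens.
    """
    if not pid.startswith(country + "-"):
        raise ValueError("identifier does not start with the DN country code")
    rest = pid[len(country) + 1:]

    found_state = None
    if state is not None:
        # The DN value must appear verbatim, followed by a delimiter.
        if not rest.startswith(state + "-"):
            raise ValueError("STATE in identifier does not match the DN")
        found_state = state
        rest = rest[len(state) + 1:]

    if not rest:
        raise ValueError("nothing left after CC/STATE")

    # DATE-ORG form: the tail equals the DN organization name.
    if org is not None and rest.endswith("-" + org) and len(rest) > len(org) + 1:
        date = rest[: -(len(org) + 1)]
        return {"country": country, "state": found_state,
                "date": date, "org": org}

    # Otherwise the remainder, hyphens included, is the registration number.
    return {"country": country, "state": found_state, "registration": rest}

# Constructed sample built from the names in Ben Wilson's message.
SAMPLE = "HT-Port-au-Prince-123-456-789"

if __name__ == "__main__":
    print(SAMPLE.split("-"))  # naive split: field boundaries are lost
    print(parse_permanent_identifier(SAMPLE, "HT", "Port-au-Prince",
                                     "Hewlett-Packard"))
```

A mismatch between the identifier and the DN raises `ValueError`, which is the useful signal for a relying party checking that the extension and the subject agree.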



