[cabfpub] Ballot 92 - Subject Alternative Names

Gervase Markham gerv at mozilla.org
Fri Nov 16 17:24:23 UTC 2012

On 16/11/12 16:56, Jeremy Rowley wrote:
> In that case, isn't the most appropriate action for Mozilla to raise its
> concern about the level of vetting required for inclusion of the O field in
> the form of an amendment to the baseline requirements?  If Mozilla doesn't
> believe the baseline requirements are sufficient, I'd appreciate a proposed
> amendment about what is sufficient to show the O field.

This is an old debate which I'm not sure it's enormously valuable to 

The BRs, at the request of CAs who wanted it, contains some codified 
requirements on the minimum validation CAs have to do in order to 
include the O field in a cert.

Mozilla has opinions about the minimum validation required such that we 
feel comfortable displaying the O field in primary UI. There is no 
reason why this should be the same as "the validation specified in the 
BRs". There is also no reason why other clients should share our 
opinions; they may well have different opinions, and do different things 

As it turns out, we feel that EV is strong enough for confident O field 
display, and the BRs are not. For us, one of the driving purposes of EV 
was to specify the minimum standard of validation necessary that we 
could be confident displaying the O field in primary UI. (If you think 
EV goes above and beyond that, then propose amendments to simplify it.)

There is no point us trying to change the BRs so that they validate the 
O field to EV standard; what would be gained? It is much easier to just 
keep our software working the way it does today.


More information about the Public mailing list