[cabfpub] [cabfman] Ballot 92 - Subject Alternative Names

Steve Roylance steve.roylance at globalsign.com
Sun Nov 18 17:42:29 UTC 2012

Hi Brian,

Yes. One option is to not have the details included if they are all the
same. This is to ensure individuals or entities that would fail to be
validated to OV standards can still obtain a multi-domain DV so long as all
the domains to be included are consistent and owned by that
individual/entity. This was changed from the previous ballot text in
order to find middle ground and not deprecate a legitimate business case.

Details are only required if it's a mix of owners for each domain that are
not affiliated in any way. It's up to the CA, the party holding the
private key and each of the entities that own the domains to decide what
information is presented to relying parties.

I hope that helps.


From:  Brian Trzupek <BTrzupek at trustwave.com>
Date:  Friday, 16 November 2012 22:31
To:  Eddy Nigg <eddy_nigg at startcom.org>
Cc:  CABForum Management <management at cabforum.org>, "public at cabforum.org"
<public at cabforum.org>
Subject:  Re: [cabfpub] [cabfman]    Ballot 92 - Subject Alternative Names

So, is it a fair summary to say:

A) with the baselines we have blessed methods to validate domains.

B) we can have multiple domains (SAN) in those certs.

C) when we try to issue an OV cert, now there is a perceived confusion of
the relying party in instances where there are multiple organizations for
the included domains?

Maybe this is oversimplifying, but with baseline Multi org DV is just fine
because the cert presents no org, but we are trying to nail down who the org
"should" be in the OV equivalent?

(I know there are other potential items in this ballot, but this is of the
most interest to me)



On Nov 16, 2012, at 3:57 PM, "Eddy Nigg (StartCom Ltd.)"
<eddy_nigg at startcom.org> wrote:

> On 11/16/2012 11:36 PM, From Eddy Nigg (StartCom Ltd.):
>> As long as there are CAs that will sign just anything and everything (for
>> pay), what does it matter if there are revocation capabilities?
>> Don't make EV weaker than it is already, we have enough trouble earning some
>> credibility in the other settings, we don't need more of that.
> Having said that, even though I'm in disagreement with Gerv about his
> perception regarding OV certificates, it's still troubling to hear that there
> is still no confidence in the work and diligence most of us probably do.
> If we can change this perception by raising the bar with serious and
> reasonable improvements, we probably should do it. We certainly should
> eliminate well known risk first.
> Regards 
> Signer: Eddy Nigg, COO/CTO
>  StartCom Ltd. <http://www.startcom.org>
