[cabfpub] FW: [cabfquest] CP Working Group Participation

Robin Alden robin at comodo.com
Mon Sep 15 18:19:59 MST 2014


Hi Rich,

I think that’s a good step in the right direction, but I
was thinking that perhaps we have to make it slightly clearer that if there
is a locality name then it must appear in the subject; if there is a state
or province name then it too has to appear in the subject.



To be fair, it may be that as I have stated it above goes too far.  It is
always complicated trying to formalize that which has been previously left
to the CA’s common sense and good practice.  We still rely on the CA’s
good intentions as well as their good practice.



The important question is why we put the address in the subject at all.

I think that we don’t put the address in the certificate subject so that a
relying party could copy the address from the certificate and write it on an
envelope to post a letter to the subject organization, but rather we add the
address information in an effort to more precisely identify the subject by
trying to remove any ambiguity which might allow, or lead to, confusion over
the identity of the subject.

I suspect that, in the general case, these two concepts (of completely
accurate postal addressing and disambiguation of the subject) have us arrive
at the same point.  Certainly, considering cases where a partial address
seems attractive, I think we are in danger of relying on either local
knowledge which may not be shared with a relying party or ignorance of local
factors which may be unknown to the CA.

E.g.

China World Hotel

Beijing

China

Sounds like a plausible subject for a certificate, but it is only doing its
job of disambiguation if there is exactly one ‘China World Hotel’ in
Beijing.  Furthermore it is only doing its job as a subject if the
Registration Authority has taken steps to verify that there is exactly one
‘China World Hotel’ in Beijing.

Should the RA also verify that there are no plans to open a second one?  I
think not.  Instead, providing a complete and accurate address for the hotel
removes any possible ambiguity that pre-exists or which may later arise.

                China World Hotel

                No 1 Jianguomenwai Avenue
                Beijing
                100004

                China



Robin





From: Rich Smith [mailto:richard.smith at comodo.com]
Sent: 16 September 2014 03:02
To: 'Robin Alden'; 'Dean Coclin'; '陳立群'; public at cabforum.org
Subject: RE: [cabfpub] FW: [cabfquest] CP Working Group Participation



How about adding the following as a clarification in Section 9.2.4 of the
BRs:

"Taking into account the optional nature of the Locality and State/Province
fields, as specified in Section 9.2.4 (c) and (d) respectively and taking
into account the possible use of the user-assigned country code XX as
specified in Section 9.2.5, IF the certificate Subject Organization field is
populated THEN Locality, State/Province and Country fields MUST also be
populated in accordance with the standard postal address conventions within
the Applicant's jurisdiction."



I think that still keeps the fields as optional when it is indeed correct to
do so, but makes it clear that any and all of those fields which are
included in the official address of the Applicant MUST be included in the
certificate.



Regards,

Rich



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Robin Alden
Sent: Monday, September 15, 2014 1:05 PM
To: 'Dean Coclin'; '陳立群'; public at cabforum.org
Subject: Re: [cabfpub] FW: [cabfquest] CP Working Group Participation



Hi Dean, Li Chun,

I shall be there for the meeting, and wrote this while
travelling.

It seems to me that although Li Chun has pointed out a valid issue on pages
2 through 6 - that some countries are not separated into states or provinces
- I think the suggested modification of the BRs to allow the omission of
BOTH localityName and stateOrProvinceName from the subject of a certificate
that includes an organizationName in the subject (aka an OV certificate)
permits a general reduction in the degree of detail in the subject of an OV
certificate which is undesirable.

The current wording of the BRs and draft Code-signing requirements is
already intended to deal with this situation where a stateOrProvinceName is
not always available.



The localityName field is usually used to hold the name of the village,
town, or city in which the subject entity resides.



Two things strike me from this suggested modification:

1)      That some of the countries in the list on page 2 of the PowerPoint
document definitely have place names (village/town/city) which fit well into
the localityName field; and

2)      That if there is a subset of the countries on page 2 which do not
have any internal postal address structure beyond the street address and
country code then those countries should be specifically enumerated in the
BRs so that we do not unintentionally permit addresses which are more
ambiguous than they need to be.



Another possible means to achieve the desirable aspects of this change might
be, in addition to the wording proposed in the slides, to introduce an
obligation on the CA to include in an OV certificate the detail (e.g. to
include the localityName) where it exists.  This would be something that an
auditor could test for.



If I haven’t already made it clear, my concern is that if the BRs were
amended as suggested on slides 2 through 6, a CA could issue a certificate
with a subject of:

O=Smith’s Builders

Street=125 Main Street

C=US

and claim BR compliance while using a partial address which in many cases
would not adequately identify the subject.

Although I have to admit that the BRs today permit:

O=Smith’s Builders

Street=125 Main Street

L=Springfield

C=US

which isn’t much better because the STATE is omitted where it should always
be present for US addresses.



Robin



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: 14 September 2014 21:09
To: public at cabforum.org
Subject: [cabfpub] FW: [cabfquest] CP Working Group Participation



Reposting this to the public list (from member Chunghwa Telecom). For
discussion at the meeting this week. If anyone who is not attending has
comments, please chime in.



Thanks,
Dean







From: 陳立群
Sent: Sunday, September 14, 2014 8:37 PM
To: ben.wilson at digicert.com; Dean Coclin
Cc: 王文正; realsky at cht.com.tw; wgh at wosign.com
Subject: FW: [cabfquest] CP Working Group Participation



Dear Ben, Dean and Richard



         The attached file is about correcting documents of the CA/Browser
Forum. Please arrange to discuss it.



         I am looking forward to seeing you soon in Beijing.



Sincerely Yours,



                             Li-Chun CHEN

Engineer
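
Added example, not part of any message in this thread and not CA/Browser Forum text or tooling: a subject lint of the kind an auditor could run, covering the partial-address cases raised above. The function name, the finding strings, the `STATE_REQUIRED` table (only "US" comes from the thread) and the state value in `FULL` are assumptions made for illustration.

```python
# Added example: lint an OV certificate subject for the partial-address
# cases discussed in this thread. Hypothetical helper, not BR text.

# Assumption: countries whose postal addresses always carry a state or
# province. Only "US" comes from the thread; a real table is CA policy.
STATE_REQUIRED = {"US"}


def lint_subject(rdns):
    """rdns: list of (attribute, value) pairs, e.g. ("O", "Example Ltd").
    Returns a list of finding strings; an empty list means no finding."""
    fields = {attr.upper(): value.strip() for attr, value in rdns if value.strip()}
    findings = []
    if "O" not in fields:
        return findings  # the rule applies only when organizationName is set
    country = fields.get("C", "").upper() or None
    if country is None:
        findings.append("O present but C missing")
    if "L" not in fields and "ST" not in fields:
        # Street and country alone: the first concern raised in the thread.
        findings.append("O present but neither L nor ST: partial address")
    elif country in STATE_REQUIRED and "ST" not in fields:
        # Locality without state where the state is part of the address.
        findings.append(f"C={country} but ST missing")
    return findings


# Constructed subjects mirroring the examples in the messages above.
STREET_ONLY = [("O", "Smith's Builders"), ("STREET", "125 Main Street"), ("C", "US")]
NO_STATE = STREET_ONLY[:2] + [("L", "Springfield"), ("C", "US")]
# "Illinois" is a constructed value; the thread does not name a state.
FULL = STREET_ONLY[:2] + [("L", "Springfield"), ("ST", "Illinois"), ("C", "US")]

if __name__ == "__main__":
    for subject in (STREET_ONLY, NO_STATE, FULL):
        print(subject, "->", lint_subject(subject) or "no finding")
```

A subject of O=China World Hotel, L=Beijing, C=CN returns no finding here: a structural check confirms which fields are present, not that they identify exactly one organization.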


