[cabfpub] FW: [cabfquest] CP Working Group Participation

Rich Smith richard.smith at comodo.com
Mon Sep 15 19:01:41 UTC 2014

How about adding the following as a clarification in Section 9.2.4 of the

"Taking into account the optional nature of the Locality and State/Province
fields, as specified in Section 9.2.4 (c) and (d) respectively and taking
into account the possible use of the user-assigned country code XX as
specified in Section 9.2.5, IF the certificate Subject Organization field is
populated THEN Locality, State/Province and Country fields MUST also be
populated in accordance with the standard postal address conventions within
the Applicant's jurisdiction."

I think that still keeps the fields as optional when it is indeed correct to
do so, but makes it clear that any and all of those fields which are
included in the official address of the Applicant MUST be included in the



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Robin Alden
Sent: Monday, September 15, 2014 1:05 PM
To: 'Dean Coclin'; '陳立群'; public at cabforum.org
Subject: Re: [cabfpub] FW: [cabfquest] CP Working Group Participation

Hi Dean, Li Chun,

I shall be there for the meeting, and wrote this while

It seems to me that although Li Chun has pointed out a valid issue on pages
2 through 6 - that some countries are not separated into states or provinces
- I think the suggested modification of the BRs to allow the omission of
BOTH localityName and stateOrProvinceName from the subject of a certificate
that includes an organizationName in the subject (aka an OV certificate)
permits a general reduction in the degree of detail in the subject of an OV
certificate which is undesirable.

The current wording of the BRs and draft Code-signing requirements is
already intended to deal with this situation where a stateOrProvinceName is
not always available.

The localityName field is usually used to hold the name of the village,
town, or city in which the subject entity resides.

Two things strike me from this suggested modification:

1) That some of the countries in the list on page 2 of the PowerPoint
document definitely have place names (village/town/city) which fit well into
the localityName field; and

2) That if there is a subset of the countries on page 2 which do not
have any internal postal address structure beyond the street address and
country code then those countries should be specifically enumerated in the
BRs so that we do not unintentionally permit addresses which are more
ambiguous than they need to be.

Another possible means to achieve the desirable aspects of this change might
be, in addition to the wording proposed in the slides, to introduce an
obligation on the CA to include in an OV certificate the detail (e.g. to
include the localityName) where it exists.  This would be something that an
auditor could test for.

If I haven’t already made it clear, my concern is that if the BRs were
amended as suggested on slides 2 through 6, a CA could issue a certificate
with a subject of:

O=Smith’s Builders

Street=125 Main Street


  And claim BR compliance while using a partial address which in many cases
would not adequately identify the subject.

although I have to admit that the BR’s today permit:

O=Smith’s Builders

Street=125 Main Street



which isn’t much better because the STATE is omitted where it should always
be present for US addresses.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: 14 September 2014 21:09
To: public at cabforum.org
Subject: [cabfpub] FW: [cabfquest] CP Working Group Participation

Reposting this to the public list (from member Chunghwa Telecom). For
discussion at the meeting this week. If anyone who is not attending has
comments, please chime in.


From: 陳立群
Sent: Sunday, September 14, 2014 8:37 PM
To: ben.wilson at digicert.com; Dean Coclin
Cc: 王文正; realsky at cht.com.tw; wgh at wosign.com
Subject: FW: [cabfquest] CP Working Group Participation

Dear Ben, Dean and Richard

The attached file is about correcting documents of the CA/Browser
Forum. Please arrange to discuss it.

I am looking forward to seeing you soon in Beijing.

Sincerely Yours,

                             Li-Chun CHEN

