[cabfpub] IV OID Ballot 150

Rob Stradling rob.stradling at comodo.com
Thu Jul 9 01:37:23 MST 2015


On 09/07/15 07:59, Mads Egil Henriksveen wrote:
> Hi Dean
>
> Section 7.1.4.2.2. Subject Distinguished Name Fields b) Certificate
> Field: subject:organizationName (OID 2.5.4.10) says:
>
> /Because Subject name attributes for individuals (e.g. givenName
> (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by
> application software,

Dean,

What does "not broadly supported by application software" actually mean 
here?

Do you have a list of specific application software that will reject a 
server certificate that contains givenName and surname in the Subject?

> _the CA MAY use the subject:organizationName_
> field to convey a natural person Subject’s name or DBA./
>
> This is apparently inconsistent with the last sentence in the ballot:
>
> /If the Certificate asserts the policy identifier of either
> 2.23.140.1.2.2 or 2.23.140.1.2.3, then _it MUST also include
> organizationName_, localityName, stateOrProvinceName (if applicable),
> and countryName in the Subject field/.
>
> I assume it should still be possible to issue certificates to
> individuals (natural persons) without requiring the use of
> organizationName for holding the individual's name, but rather use other
> subject attributes (?)
>
> Regards
>
> Mads
>
> *From:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of *Dean Coclin
> *Sent:* 8. juli 2015 23:12
> *To:* public at cabforum.org
> *Subject:* [cabfpub] IV OID Ballot 150
>
> I’m reintroducing this ballot based on the meeting in Zurich. I’ll write
> a separate ballot for the EV, and EV Code Signing OIDs.
>
> I have highlighted changes to the existing language so hopefully
> everyone can see the changes. I’ve also enclosed a pdf version.
>
> Endorsers: I assume you are still good with this? There are no changes.
>
> Thanks,
> Dean
>
> *Ballot 150-Addition of Optional OID for Individual Validation*
>
> The following motion has been proposed by Dean Coclin of Symantec and
> endorsed by Jeremy Rowley of Digicert and Kirk Hall of Trend Micro
>
> -- MOTION BEGINS –
>
> Modify section 1.2 of Baseline Requirements as follows:
>
> *1.2 Document Name and Identification*
>
> This certificate policy (CP) contains the requirements for the issuance
> and management of publicly‐trusted SSL certificates, as adopted by the
> CA/Browser Forum.
>
> The following Certificate Policy identifiers are reserved for use by CAs
> as an optional means of asserting compliance with this CP (OID arc
> 2.23.140.1.2) as follows:
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> domain‐validated(1)} (2.23.140.1.2.1);
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> organization-validated(2)} (2.23.140.1.2.2) and
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> individual-validated(3)} (2.23.140.1.2.3).
>
> Modify section 7.1.6.1 as follows:
>
> *7.1.6.1. Reserved Certificate Policy Identifiers*
>
> This section describes the content requirements for the Root CA,
> Subordinate CA, and Subscriber Certificates, as they relate to the
> identification of Certificate Policy.
>
> The following Certificate Policy identifiers are reserved for use by CAs
> as an optional means of asserting compliance with these Requirements as
> follows:
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> domain‐validated(1)} (2.23.140.1.2.1), if the Certificate complies with
> these Requirements but lacks Subject Identity Information that is
> verified in accordance with either Section 3.2.2.1 or Section 3.2.3.
>
> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then
> it MUST NOT include organizationName, streetAddress, localityName,
> stateOrProvinceName, or postalCode in the Subject field.
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> organization-validated(2)} (2.23.140.1.2.2), if the Certificate complies
> with these Requirements and includes Subject Identity Information that
> is verified in accordance with Section 3.2.2.1.
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> individual-validated(3)} (2.23.140.1.2.3), if the Certificate complies
> with these Requirements and includes Subject Identity Information that
> is verified in accordance with Section 3.2.3.
>
> If the Certificate asserts the policy identifier of either
> 2.23.140.1.2.2 or 2.23.140.1.2.3, then it MUST also include
> organizationName, localityName, stateOrProvinceName (if applicable), and
> countryName in the Subject field.
>
> If the ballot passes, the custodian of the Forum OIDs will be instructed
> to obtain the new OID for IV as indicated above.
>
> -- MOTION ENDS –
>
> The review period for this ballot shall commence at 2200 UTC on Thursday
> July 9, 2015, and will close at 2200 UTC on Thursday 16 July 2015.
> Unless the motion is withdrawn during the review period, the voting
> period will start immediately thereafter and will close at 2200 UTC on
> Thursday, 23 July 2015. Votes must be cast by posting an on-list reply
> to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the
> response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period
> will be counted. Voting members are listed here:
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes
> cast by members in the browser category must be in favor. Quorum is
> currently nine (9) members – at least nine members must participate in
> the ballot, either by voting in favor, voting against, or abstaining.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
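
The Subject rules in the quoted motion text for section 7.1.6.1, written as a lint check over an already-parsed certificate. This is an added example, not part of the original thread or of any CA/Browser Forum tooling; the function `lint_subject`, the `state_applicable` flag and the sample subjects are assumptions constructed for illustration.

```python
# Added example: the Subject rules from the quoted section 7.1.6.1 text.
DV = "2.23.140.1.2.1"  # domain-validated
OV = "2.23.140.1.2.2"  # organization-validated
IV = "2.23.140.1.2.3"  # individual-validated (the OID this ballot proposes)

DV_FORBIDDEN = ("organizationName", "streetAddress", "localityName",
                "stateOrProvinceName", "postalCode")
IDENTITY_REQUIRED = ("organizationName", "localityName", "countryName")


def lint_subject(policy_oids, subject, state_applicable=True):
    """Return (policy OID, rule, attribute) findings for one certificate.

    policy_oids: policy identifiers asserted in certificatePolicies.
    subject: dict of Subject attribute name -> value (already parsed).
    state_applicable: assumption; the caller decides whether the
    "(if applicable)" stateOrProvinceName requirement applies.
    """
    present = {name for name, value in subject.items() if value}
    findings = []
    if DV in policy_oids:
        findings += [(DV, "MUST NOT include", n) for n in DV_FORBIDDEN if n in present]
    required = IDENTITY_REQUIRED + (("stateOrProvinceName",) if state_applicable else ())
    for oid in (OV, IV):
        if oid in policy_oids:
            findings += [(oid, "MUST include", n) for n in required if n not in present]
    return findings


# Constructed sample subjects (not taken from real certificates).
DV_WITH_ORG = {"commonName": "www.example.com", "organizationName": "Example Ltd"}
# A natural person named only via givenName/surname, the case Mads asks about.
IV_NAMED_PERSON = {"commonName": "www.example.com", "givenName": "Jane",
                   "surname": "Doe", "localityName": "Oslo",
                   "stateOrProvinceName": "Oslo", "countryName": "NO"}
# The same person with the name carried in organizationName instead.
IV_NAME_IN_ORG = {"commonName": "www.example.com", "organizationName": "Jane Doe",
                  "localityName": "Oslo", "stateOrProvinceName": "Oslo",
                  "countryName": "NO"}

if __name__ == "__main__":
    for label, oids, subj in (("DV with O", [DV], DV_WITH_ORG),
                              ("IV, givenName/surname", [IV], IV_NAMED_PERSON),
                              ("IV, name in O", [IV], IV_NAME_IN_ORG)):
        print(label, lint_subject(oids, subj))
```

Under the ballot's wording as quoted, the givenName/surname subject is flagged for the missing organizationName, while the same person named in organizationName passes.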


