[cabfpub] IV OID Ballot 150
Dean Coclin
Dean_Coclin at symantec.com
Mon Jul 13 14:54:00 MST 2015
I have no idea. I didn't write that. It was in the original BRs and not part of the ballot.
-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com]
Sent: Thursday, July 09, 2015 4:37 AM
To: Dean Coclin; public at cabforum.org
Cc: Mads Egil Henriksveen
Subject: Re: [cabfpub] IV OID Ballot 150
On 09/07/15 07:59, Mads Egil Henriksveen wrote:
> Hi Dean
>
> Section 7.1.4.2.2. Subject Distinguished Name Fields b) Certificate
> Field: subject:organizationName (OID 2.5.4.10) says:
>
> /Because Subject name attributes for individuals (e.g. givenName
> (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by
> application software,
Dean,
What does "not broadly supported by application software" actually mean here?
Do you have a list of specific application software that will reject a server certificate that contains givenName and surname in the Subject?
> _the CA MAY use the subject:organizationName_ field to convey a
> natural person Subject’s name or DBA./
>
> This is apparently inconsistent with the last sentence in the ballot:
>
> /If the Certificate asserts the policy identifier of either
> 2.23.140.1.2.2 or 2.23.140.1.2.3, then _it MUST also include
> organizationName_, localityName, stateOrProvinceName (if applicable),
> and countryName in the Subject field/.
>
> I assume it should still be possible to issue certificates to
> individuals (natural persons) without requiring the use of
> organizationName for holding the individual's name, but rather use
> other subject attributes (?)
>
> Regards
>
> Mads
>
> *From:* public-bounces at cabforum.org
> [mailto:public-bounces at cabforum.org]
> *On Behalf Of* Dean Coclin
> *Sent:* 8 July 2015 23:12
> *To:* public at cabforum.org
> *Subject:* [cabfpub] IV OID Ballot 150
>
> I’m reintroducing this ballot based on the meeting in Zurich. I’ll
> write a separate ballot for the EV, and EV Code Signing OIDs.
>
> I have highlighted changes to the existing language so hopefully
> everyone can see the changes. I’ve also enclosed a pdf version.
>
> Endorsers: I assume you are still good with this? There are no changes.
>
> Thanks,
> Dean
>
> *Ballot 150-Addition of Optional OID for Individual Validation*
>
> The following motion has been proposed by Dean Coclin of Symantec and
> endorsed by Jeremy Rowley of Digicert and Kirk Hall of Trend Micro
>
> -- MOTION BEGINS –
>
> Modify section 1.2 of Baseline Requirements as follows:
>
> *1.2 Document Name and Identification*
>
> This certificate policy (CP) contains the requirements for the
> issuance and management of publicly‐trusted SSL certificates, as
> adopted by the CA/Browser Forum.
>
> The following Certificate Policy identifiers are reserved for use by
> CAs as an optional means of asserting compliance with this CP (OID arc
> 2.23.140.1.2) as follows:
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐
> requirements(2) domain‐validated(1)} (2.23.140.1.2.1);
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐
> requirements(2) organization-validated(2)} (2.23.140.1.2.2) and
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐
> requirements(2) individual-validated(3)} (2.23.140.1.2.3).
>
> Modify section 7.1.6.1 as follows:
>
> *7.1.6.1. Reserved Certificate Policy Identifiers*
>
> This section describes the content requirements for the Root CA,
> Subordinate CA, and Subscriber Certificates, as they relate to the
> identification of Certificate Policy.
>
> The following Certificate Policy identifiers are reserved for use by
> CAs as an optional means of asserting compliance with these
> Requirements as
> follows:
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> domain‐validated(1)} (2.23.140.1.2.1), if the Certificate complies
> with these Requirements but lacks Subject Identity Information that is
> verified in accordance with either Section 3.2.2.1 or Section 3.2.3.
>
> If the Certificate asserts the policy identifier of 2.23.140.1.2.1,
> then it MUST NOT include organizationName, streetAddress,
> localityName, stateOrProvinceName, or postalCode in the Subject field.
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> organization-validated(2)} (2.23.140.1.2.2), if the Certificate
> complies with these Requirements and includes Subject Identity
> Information that is verified in accordance with Section 3.2.2.1.
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2)
> individual-validated(3)} (2.23.140.1.2.3), if the Certificate complies
> with these Requirements and includes Subject Identity Information that
> is verified in accordance with Section 3.2.3.
>
> If the Certificate asserts the policy identifier of either
> 2.23.140.1.2.2 or 2.23.140.1.2.3, then it MUST also include
> organizationName, localityName, stateOrProvinceName (if applicable),
> and countryName in the Subject field.
>
> If the ballot passes, the custodian of the Forum OIDs will be
> instructed to obtain the new OID for IV as indicated above.
>
> -- MOTION ENDS –
>
> The review period for this ballot shall commence at 2200 UTC on
> Thursday July 9, 2015, and will close at 2200 UTC on Thursday 16 July 2015.
> Unless the motion is withdrawn during the review period, the voting
> period will start immediately thereafter and will close at 2200 UTC on
> Thursday, 23 July 2015. Votes must be cast by posting an on-list reply
> to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the
> response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response.
> Unclear responses will not be counted. The latest vote received from
> any representative of a voting member before the close of the voting
> period will be counted. Voting members are listed here:
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes
> cast by members in the browser category must be in favor. Quorum is
> currently nine (9) members – at least nine members must participate in
> the ballot, either by voting in favor, voting against, or abstaining.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
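
An added example (not part of the original message, and not CA/Browser Forum tooling): a minimal Python lint of the Subject field rules in the Ballot 150 text quoted above, showing how the case Mads raises is flagged. The function name `lint_subject`, the dict-based certificate representation and the sample subjects are constructed for illustration; the "if applicable" condition on stateOrProvinceName is not enforced.

```python
# Added example: lint a certificate's Subject against the Ballot 150 text.
DV = "2.23.140.1.2.1"
OV = "2.23.140.1.2.2"
IV = "2.23.140.1.2.3"

# Subject attributes the ballot forbids for DV and requires for OV/IV.
DV_FORBIDDEN = {"organizationName", "streetAddress", "localityName",
                "stateOrProvinceName", "postalCode"}
OV_IV_REQUIRED = {"organizationName", "localityName", "countryName"}
# stateOrProvinceName is required only "if applicable", which cannot be
# decided from the certificate alone, so this lint does not enforce it.


def lint_subject(policy_oids, subject):
    """Return a list of findings for one certificate.

    policy_oids: iterable of dotted policy OIDs from certificatePolicies.
    subject: dict mapping Subject attribute name -> value (assumed shape).
    """
    policies = set(policy_oids)
    present = {name for name, value in subject.items() if value}
    findings = []
    if DV in policies:
        for name in sorted(present & DV_FORBIDDEN):
            findings.append(f"{DV}: MUST NOT include {name}")
    for oid in sorted(policies & {OV, IV}):
        for name in sorted(OV_IV_REQUIRED - present):
            findings.append(f"{oid}: MUST include {name}")
    return findings


# Constructed sample subjects (not taken from real certificates).
SAMPLES = {
    "dv_clean": ([DV], {"commonName": "www.example.com"}),
    "dv_with_org": ([DV], {"commonName": "www.example.com",
                           "organizationName": "Example Ltd"}),
    # Natural person named with givenName/surname only: the case Mads raises.
    "iv_person_attrs": ([IV], {"givenName": "Kari", "surname": "Nordmann",
                               "localityName": "Oslo", "countryName": "NO"}),
    # Same person with the name carried in organizationName instead.
    "iv_name_in_org": ([IV], {"organizationName": "Kari Nordmann",
                              "localityName": "Oslo", "countryName": "NO"}),
}

if __name__ == "__main__":
    for label, (oids, subj) in SAMPLES.items():
        print(label, lint_subject(oids, subj) or "ok")
```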