[cabfpub] IV OID Ballot 150

Dean Coclin Dean_Coclin at symantec.com
Mon Jul 13 14:54:00 MST 2015


I have no idea. I didn't write that. It was in the original BRs and not part of the ballot.

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com] 
Sent: Thursday, July 09, 2015 4:37 AM
To: Dean Coclin; public at cabforum.org
Cc: Mads Egil Henriksveen
Subject: Re: [cabfpub] IV OID Ballot 150

On 09/07/15 07:59, Mads Egil Henriksveen wrote:
> Hi Dean
>
> Section 7.1.4.2.2. Subject Distinguished Name Fields b) Certificate
> Field: subject:organizationName (OID 2.5.4.10) says:
>
> /Because Subject name attributes for individuals (e.g. givenName
> (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by 
> application software,

Dean,

What does "not broadly supported by application software" actually mean here?

Do you have a list of specific application software that will reject a server certificate that contains givenName and surname in the Subject?

> _the CA MAY use the subject:organizationName_ field to convey a 
> natural person Subject’s name or DBA./
>
> This is apparently inconsistent with the last sentence in the ballot:
>
> /If the Certificate asserts the policy identifier of either
> 2.23.140.1.2.2 or 2.23.140.1.2.3, then _it MUST also include 
> organizationName_, localityName, stateOrProvinceName (if applicable), 
> and countryName in the Subject field/.
>
> I assume it should still be possible to issue certificates to 
> individuals (natural persons) without requiring the use of 
> organizationName for holding the individual's name, but rather use 
> other subject attributes (?)
>
> Regards
>
> Mads
>
> *From:*public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org]
> *On Behalf Of *Dean Coclin
> *Sent:* 8. juli 2015 23:12
> *To:* public at cabforum.org
> *Subject:* [cabfpub] IV OID Ballot 150
>
> I’m reintroducing this ballot based on the meeting in Zurich. I’ll 
> write a separate ballot for the EV, and EV Code Signing OIDs.
>
> I have highlighted changes to the existing language so hopefully 
> everyone can see the changes. I’ve also enclosed a pdf version.
>
> Endorsers: I assume you are still good with this? There are no changes.
>
> Thanks,
> Dean
>
> *Ballot 150-Addition of Optional OID for Individual Validation*
>
> The following motion has been proposed by Dean Coclin of Symantec and 
> endorsed by Jeremy Rowley of Digicert and Kirk Hall of Trend Micro
>
> -- MOTION BEGINS –
>
> Modify section 1.2 of Baseline Requirements as follows:
>
> *1.2 Document Name and Identification*
>
> This certificate policy (CP) contains the requirements for the 
> issuance and management of publicly‐trusted SSL certificates, as 
> adopted by the CA/Browser Forum.
>
> The following Certificate Policy identifiers are reserved for use by 
> CAs as an optional means of asserting compliance with this CP (OID arc
> 2.23.140.1.2) as follows:
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐ 
> requirements(2) domain‐validated(1)} (2.23.140.1.2.1);
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐ 
> requirements(2) organization-validated(2)} (2.23.140.1.2.2) and
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐ 
> requirements(2) individual-validated(3)} (2.23.140.1.2.3).
>
> Modify section 7.1.6.1 as follows:
>
> *7.1.6.1. Reserved Certificate Policy Identifiers *
>
> This section describes the content requirements for the Root CA, 
> Subordinate CA, and Subscriber Certificates, as they relate to the 
> identification of Certificate Policy.
>
> The following Certificate Policy identifiers are reserved for use by 
> CAs as an optional means of asserting compliance with these 
> Requirements as
> follows:
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2) 
> domain‐validated(1)} (2.23.140.1.2.1), if the Certificate complies 
> with these Requirements but lacks Subject Identity Information that is 
> verified in accordance with either Section 3.2.2.1 or Section 3.2.3.
>
> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, 
> then it MUST NOT include organizationName, streetAddress, 
> localityName, stateOrProvinceName, or postalCode in the Subject field.
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2) 
> organization-validated(2)} (2.23.140.1.2.2), if the Certificate 
> complies with these Requirements and includes Subject Identity 
> Information that is verified in accordance with Section 3.2.2.1.
>
> {joint‐iso‐itu‐t(2) international‐organizations(23)
> ca‐browser‐forum(140) certificate‐policies(1) baseline‐requirements(2) 
> individual-validated(3)} (2.23.140.1.2.3), if the Certificate complies 
> with these Requirements and includes Subject Identity Information that 
> is verified in accordance with Section 3.2.3.
>
> If the Certificate asserts the policy identifier of either 
> 2.23.140.1.2.2 or 2.23.140.1.2.3, then it MUST also include 
> organizationName, localityName, stateOrProvinceName (if applicable), 
> and countryName in the Subject field.
>
> If the ballot passes, the custodian of the Forum OIDs will be 
> instructed to obtain the new OID for IV as indicated above.
>
> -- MOTION ENDS –
>
> The review period for this ballot shall commence at 2200 UTC on 
> Thursday July 9, 2015, and will close at 2200 UTC on Thursday 16 July 2015.
> Unless the motion is withdrawn during the review period, the voting 
> period will start immediately thereafter and will close at 2200 UTC on 
> Thursday, 23 July 2015. Votes must be cast by posting an on-list reply 
> to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the 
> response. A vote against must indicate a clear 'no' in the response. A 
> vote to abstain must indicate a clear 'abstain' in the response. 
> Unclear responses will not be counted. The latest vote received from 
> any representative of a voting member before the close of the voting 
> period will be counted. Voting members are listed here:
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes 
> cast by members in the CA category and greater than 50% of the votes 
> cast by members in the browser category must be in favor. Quorum is 
> currently nine (9) members– at least nine members must participate in 
> the ballot, either by voting in favor, voting against, or abstaining.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
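
The Subject-field rules quoted in the ballot above, written as a small lint check. This is an added example, not part of the thread or of any CA/Browser Forum text; the function name lint_subject, the dict-of-OIDs input format, the state_applicable switch and the sample subjects are all assumptions made for illustration. It shows the case Mads raises: an IV certificate naming a natural person only through givenName and surname fails the proposed MUST for organizationName.

```python
# Policy OIDs as given in the ballot text (arc 2.23.140.1.2).
DV, OV, IV = "2.23.140.1.2.1", "2.23.140.1.2.2", "2.23.140.1.2.3"

# X.520 attribute type OIDs for the Subject fields the ballot names.
ATTR = {
    "countryName": "2.5.4.6",
    "localityName": "2.5.4.7",
    "stateOrProvinceName": "2.5.4.8",
    "streetAddress": "2.5.4.9",
    "organizationName": "2.5.4.10",
    "postalCode": "2.5.4.17",
}
DV_FORBIDDEN = ["organizationName", "streetAddress", "localityName",
                "stateOrProvinceName", "postalCode"]
OV_IV_REQUIRED = ["organizationName", "localityName", "countryName"]


def lint_subject(policy_oids, subject, state_applicable=True):
    """Return findings for one certificate (hypothetical helper).

    policy_oids: dotted policy OID strings from certificatePolicies.
    subject: dict of dotted attribute OID -> value, already parsed.
    state_applicable: caller's reading of "(if applicable)" for
    stateOrProvinceName; the ballot text does not define it further.
    """
    policies = set(policy_oids)
    present = {name for name, oid in ATTR.items() if subject.get(oid)}
    findings = []
    if DV in policies:
        for name in DV_FORBIDDEN:
            if name in present:
                findings.append(f"DV: {name} MUST NOT be present")
    for oid, label in ((OV, "OV"), (IV, "IV")):
        if oid in policies:
            required = list(OV_IV_REQUIRED)
            if state_applicable:
                required.append("stateOrProvinceName")
            for name in required:
                if name not in present:
                    findings.append(f"{label}: {name} MUST be present")
    return findings


# Constructed sample: person named via givenName (2.5.4.42) and surname (2.5.4.4).
IV_PERSON = {"2.5.4.42": "Kari", "2.5.4.4": "Nordmann",
             "2.5.4.7": "Oslo", "2.5.4.6": "NO"}
# Constructed sample: same person, name carried in organizationName (2.5.4.10).
IV_PERSON_IN_O = {"2.5.4.10": "Kari Nordmann",
                  "2.5.4.7": "Oslo", "2.5.4.6": "NO"}
```
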
