[cabfpub] Assumed names and organization names

Rich Smith richard.smith at comodo.com
Tue Mar 10 05:56:21 MST 2015


I'm not necessarily opposed, but I do get customers who specifically buy OV
rather than EV certs because they operate different and competing brands as
DBAs under a common corporate ownership, and don't want the relationship
between the two brands disclosed.  Generally tends to be something along the
lines of a budget brand operating as DBA1 and a premium brand as DBA2.  I
guess this could be classified under misleading, but I don't think it's
necessarily what we are talking about in terms of this thread.  As I said,
I'm not really opposed to this, and we've already adopted this for code
signing for the reasons you've mentioned, but I do think that there may be
some legitimate or at least semi-legitimate use cases which merit further
discussion before making this a hard and fast rule to which every CA MUST
adhere in every situation.  Thoughts?

 

-Rich

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Tuesday, March 10, 2015 12:05 AM
To: CABFPub
Subject: [cabfpub] Assumed names and organization names

 

In the code signing working group, we've discussed abuses associated with
assumed names and organization names. Names like "Click Here" or deceptive
names like "Facebook" (when it's not Facebook) can trick users into trusting
a cert they otherwise wouldn't use. 

 

One suggestion to mitigate this issue is to require org names in certs be
entered just like EV certificates - i.e., the org name (including the Inc.,
LLC, etc) must be included along with an optional assumed name. Although
this would primarily benefit code signing certificates (where names are
readily displayed), this suggestion makes sense as a baseline requirement
amendment since we really don't want deceptive names in any certificates.

 

What does everyone think about amending the baseline requirements so that
certs including an org name must include the validated organization name in
the O field?

 

Jeremy
