[cabfpub] Assumed names and organization names

Dean Coclin Dean_Coclin at symantec.com
Tue Mar 10 18:28:15 UTC 2015

We also get similar requests and have an existing base of customers which
fall into this category. We agree that this change is necessary for code
signing certs but are not aware of similar abuses for SSL certs and hence
don't think a change should be contemplated for BRs at this time.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Tuesday, March 10, 2015 5:56 AM
To: 'Jeremy Rowley'; 'CABFPub'
Subject: Re: [cabfpub] Assumed names and organization names


I'm not necessarily opposed, but I do get customers who specifically buy OV
rather than EV certs because they operate different and competing brands as
DBAs under a common corporate ownership, and don't want the relationship
between the two brands disclosed.  Generally tends to be something along the
lines of a budget brand operating as DBA1 and a premium brand as DBA2.  I
guess this could be classified under misleading, but I don't think it's
necessarily what we are talking about in terms of this thread.  As I said,
I'm not really opposed to this, and we've already adopted this for code
signing for the reasons you've mentioned, but I do think that there may be
some legitimate or at least semi-legitimate use cases which merit further
discussion before making this a hard and fast rule to which every CA MUST
adhere in every situation.  Thoughts?




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Tuesday, March 10, 2015 12:05 AM
Subject: [cabfpub] Assumed names and organization names


In the code signing working group, we've discussed abuses associated with
assumed names and organization names. Names like "Click Here" or deceptive
names like "Facebook" (when it's not Facebook) can trick users into trusting
a cert they otherwise wouldn't use. 


One suggestion to mitigate this issue is to require org names in certs be
entered just like EV certificates - ie, the org name (including the Inc.,
LLC, etc) must be included along with an optional assumed name. Although
this would primarily benefit code signing certificates (where names are
readily displayed), this suggestion makes sense as a baseline requirement
amendment since we really don't want deceptive names in any certificates.


What does everyone think about amending the baseline requirements so that
certs including an org name must include the validated organization name in
the O field?
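The rule proposed in this message (any certificate that carries an O field must carry the full validated legal organization name, with a validated assumed name as an optional addition) can be expressed as a pre-issuance lint. The following is an added example, not code from the thread or from any CA; the "Assumed Name (Legal Name)" layout it accepts and the `VettingRecord` structure are assumptions made for the example, not a format the thread fixes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Common legal-entity designators; a validated legal name normally ends with one.
# Constructed for this example and deliberately not exhaustive.
DESIGNATOR_RE = re.compile(
    r"\b(inc\.?|incorporated|llc|l\.l\.c\.|ltd\.?|limited|corp\.?|corporation"
    r"|plc|gmbh|ag|s\.a\.|co\.)$"
)


@dataclass
class VettingRecord:
    """What the CA verified against the business registry (assumed structure)."""
    legal_name: str
    assumed_name: Optional[str] = None  # DBA / trade name, verified separately


def _norm(s: str) -> str:
    # Whitespace-normalise and case-fold so that cosmetic differences do not
    # count as deviations from the validated name.
    return " ".join(s.split()).casefold()


def check_o_field(o_value: Optional[str], record: VettingRecord) -> List[str]:
    """Lint the subject:organizationName value of a request against the vetting
    record. Returns a list of findings; an empty list means the O field complies
    with the proposed rule."""
    findings: List[str] = []
    if o_value is None:
        return findings  # no O field at all: the rule does not apply
    o = _norm(o_value)
    legal = _norm(record.legal_name)
    if not o:
        return ["O is present but empty"]
    # The full validated legal name (entity suffix included) must be present.
    # A truncated "Example Holdings" in place of "Example Holdings, Inc." fails here.
    if legal not in o:
        findings.append(
            f"validated legal name {record.legal_name!r} absent from O={o_value!r}"
        )
        return findings
    # Whatever remains once the legal name and separators are removed must be
    # the validated assumed name; anything else ("Click Here", a competitor's
    # brand) is rejected.
    remainder = re.sub(r"[()\s,]+", " ", o.replace(legal, " ")).strip()
    if remainder:
        if record.assumed_name is None:
            findings.append(
                f"O carries extra text {remainder!r} but no assumed name was validated"
            )
        elif remainder != _norm(record.assumed_name):
            findings.append(
                f"O carries {remainder!r}, which is not the validated assumed name "
                f"{record.assumed_name!r}"
            )
    # Soft check: the legal name itself should end in an entity designator.
    if not DESIGNATOR_RE.search(legal):
        findings.append(
            "warning: legal name lacks a recognised entity designator (Inc., LLC, ...)"
        )
    return findings


if __name__ == "__main__":
    # Constructed vetting record: a holding company with one validated DBA.
    record = VettingRecord("Example Holdings, Inc.", assumed_name="Budget Brand")
    for o in (
        "Example Holdings, Inc.",                 # legal name only: passes
        "Budget Brand (Example Holdings, Inc.)",  # DBA plus legal name: passes
        "Budget Brand",                           # DBA alone: legal name missing
        "Example Holdings",                       # suffix dropped: fails
        "Facebook (Example Holdings, Inc.)",      # unvalidated extra text: fails
    ):
        print(f"{o!r:45} -> {check_o_field(o, record) or 'OK'}")
```

The design choice worth noting is that the check is driven by the vetting record rather than by a blocklist of bad words: "Click Here" and "Facebook" are rejected not because they are on a list, but because they are neither the validated legal name nor the validated assumed name.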


