[cabfpub] givenName and surname revived

Moudrick M. Dadashov md at ssc.lt
Wed Aug 24 06:05:56 MST 2016


eIDAS Article 3 (38):

‘certificate for website authentication’ means an attestation that makes 
it possible to authenticate a website and links the website to the 
natural or legal person to whom the certificate is issued;

Thanks,
M.D.

On 8/24/2016 1:08 PM, Adriano Santoni wrote:
>
> But givenName and surname are not sufficient to specify an identity. 
> How many Robert Smiths exist in UK/US/CA? (or Mario Rossi in Italy, 
> as to that).
>
> If I would like to know who's behind a web site whose SSL cert 
> contains givenName=John, surname=Doe, I am none the wiser.
>
>
> On 23/08/2016 20:02, Bruce Morton wrote:
>>
>> OK, thanks.
>>
>> Bruce.
>>
>> *From:* Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>> *Sent:* Monday, August 22, 2016 6:16 PM
>> *To:* Bruce Morton <Bruce.Morton at entrust.com>; public at cabforum.org
>> *Subject:* RE: givenName and surname revived
>>
>> What do you mean by definition? I consider IV v. OV well defined 
>> because of the meaning associated with the OID inserted into the 
>> cert. Section 7.1.6.1 states “ {joint‐iso‐itu‐t(2) 
>> international‐organizations(23) ca‐browser‐forum(140) 
>> certificate‐policies(1) baseline‐requirements(2) 
>> individual‐validated(3)} (2.23.140.1.2.3), if the Certificate 
>> complies with these Requirements and includes Subject Identity 
>> Information that is verified in accordance with Section 3.2.3.” 
>> Section 3.2.3 is verification of an individual whereas Section 3.2.2 
>> is verification of an organization.
>>
>> Jeremy
>>
>> *From:* Bruce Morton [mailto:Bruce.Morton at entrust.com]
>> *Sent:* Monday, August 22, 2016 6:11 AM
>> *To:* Jeremy Rowley <jeremy.rowley at digicert.com 
>> <mailto:jeremy.rowley at digicert.com>>; public at cabforum.org 
>> <mailto:public at cabforum.org>
>> *Subject:* RE: givenName and surname revived
>>
>> Hi Jeremy,
>>
>> My apologies, but can you clarify the section where IV certs are well 
>> defined? I see that “individual-validated” is stated twice in 
>> sections 1.2 and 7.1.6.1 (the same for domain-validated and 
>> organization-validated), but I can’t find the definition.
>>
>> Thanks, Bruce.
>>
>> *From:* Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>> *Sent:* Saturday, August 20, 2016 10:41 AM
>> *To:* Bruce Morton <Bruce.Morton at entrust.com 
>> <mailto:Bruce.Morton at entrust.com>>; public at cabforum.org 
>> <mailto:public at cabforum.org>
>> *Subject:* RE: givenName and surname revived
>>
>> Hey Bruce – IV certs are well defined. The goal of the ballot isn’t 
>> to further define IV certs but to permit use of the givenName and 
>> surname fields for IV certs. givenName and surname in the org field 
>> would be allowed. They’d still use the IV OIDs as they were validated 
>> under the IV section of the CP.
>>
>> *From:* Bruce Morton [mailto:Bruce.Morton at entrust.com]
>> *Sent:* Friday, August 19, 2016 6:41 AM
>> *To:* Jeremy Rowley <jeremy.rowley at digicert.com 
>> <mailto:jeremy.rowley at digicert.com>>; public at cabforum.org 
>> <mailto:public at cabforum.org>
>> *Subject:* RE: givenName and surname revived
>>
>> Hi Jeremy,
>>
>> Would like some clarification. On the call yesterday, it was said 
>> that IV certificates were not defined, so this ballot will help 
>> resolve this.
>>
>> Per 7.1.4.2.2 b, the current BRs allow givenName and surname to be 
>> included in the organizationName field. Will this still be allowed? 
>> If so, what would the certificate type be? OV or IV? I would prefer 
>> that these be OV certificates.
>>
>> If we do make the changes and the CAs have to meet Microsoft’s 
>> requirement to put a DV, OV, or IV certificate policy in the 
>> certificate, I think we should clearly define each certificate type.
>>
>> Also, the stateOrProvinceName field appears to currently have an 
>> issue as it does not have any language to address the case where 
>> there is no state or province in the address.
>>
>> Thanks, Bruce.
>>
>> *From:* public-bounces at cabforum.org 
>> <mailto:public-bounces at cabforum.org> 
>> [mailto:public-bounces at cabforum.org] *On Behalf Of *Jeremy Rowley
>> *Sent:* Thursday, August 18, 2016 12:09 PM
>> *To:* public at cabforum.org <mailto:public at cabforum.org>
>> *Subject:* [cabfpub] givenName and surname revived
>>
>> Looking for two endorsers for the following revisions to the baseline 
>> requirements adding support for givenName and surname:
>>
>> Insert a new (C) under 7.1.4.2.2, renumbering all subsequent bullets.
>>
>> _c. *Certificate Field*: subject:givenName (2.5.4.42) and 
>> subject:surname (2.5.4.4)_
>>
>> *_Optional. _*
>>
>> *_Contents: _*_If present, the subject:givenName field and 
>> subject:surname field MUST contain a natural person Subject’s name 
>> as verified under Section 3.2.3. A Certificate containing a 
>> subject:givenName field or subject:surname field MUST contain the 
>> (2.23.140.1.2.3) Certificate Policy OID_.__
>>
>> _d._ Certificate Field: Number and street: subject:streetAddress 
>> (OID: 2.5.4.9)
>>
>>     Optional if the subject:organizationName field_, subject: 
>> givenName field, or subject:surname field are_ is present. Prohibited 
>> if the subject:organizationName field_, subject:givenName, and 
>> subject:surname field are_is absent.
>>
>>    Contents: If present, the subject:streetAddress field MUST contain 
>> the Subject’s street address information as verified under Section 
>> 3.2.2.1.
>>
>> _e_. Certificate Field: subject:localityName (OID: 2.5.4.7)
>>
>> Required if the subject:organizationName field, _subject:givenName 
>> field, or subject:surname field are_ is present and the 
>> subject:stateOrProvinceName field is absent. Optional if 
>> the_subject:stateOrProvinceName field and the 
>> subject:organizationName field, subject:givenName field, or 
>> subject:surname _field are present. Prohibited if the 
>> subject:organizationName field, _subject:givenName, and 
>> subject:surname field are _is absent.
>>
>> Contents: If present, the subject:localityName field MUST contain the 
>> Subject’s locality information as verified under Section 3.2.2.1. If 
>> the subject:countryName field specifies the ISO 3166‐1 user‐assigned 
>> code of XX in accordance with Section 7.1.4.2.2(g), the localityName 
>> field MAY contain the Subject’s locality and/or state or province 
>> information as verified under Section 3.2.2.1.
>>
>> _f_. Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8)
>>
>> Required if the subject:organizationName field, 
>> _subject:givenName field, or subject:surname field are_ is present 
>> and _the _subject:localityName field is absent. Optional if the 
>> _subject:localityName field and the subject:organizationName field, 
>> the subject:givenName field, or subject:surname field_ are present. 
>> Prohibited if the subject:organizationName field, _subject:givenName 
>> field , or subject:surname field _areis absent. Contents: If present, 
>> the subject:stateOrProvinceName field MUST contain the Subject’s 
>> state or province information as verified under Section 3.2.2.1. If 
>> the subject:countryName field specifies the ISO 3166‐1 user‐assigned 
>> code of XX in accordance with Section 7.1.4.2.2(g), the 
>> subject:stateOrProvinceName field MAY contain the full name of the 
>> Subject’s country information as verified under Section 3.2.2.1.
>>
>> _g_. Certificate Field: subject:postalCode (OID: 2.5.4.17)
>>
>> Optional if the subject:organizationName, _subject:givenName field, 
>> or subject:surname_ fields _are_ is present. Prohibited if the 
>> subject:organizationName field, _subject:givenName field, or 
>> subject:surname field are _is absent.
>>
>> Contents: If present, the subject:postalCode field MUST contain the 
>> Subject’s zip or postal information as verified under Section 3.2.2.1.
>>
>> _h_. Certificate Field: subject:countryName (OID: 2.5.4.6)
>>
>> Required if the subject:organizationName field, _subject:givenName , 
>> or subject:surname field_ is present. Optional if the 
>> subject:organizationName field, _subject:givenName field_, and 
>> _subject:surname field are_ is absent.
>>
>> Contents: If the subject:organizationName field is present, the 
>> subject:countryName MUST contain the two‐letter ISO 3166‐1 country 
>> code associated with the location of the Subject verified under 
>> Section 3.2.2.1. If the subject:organizationName, _subject:givenName 
>> field, and subject:surname_  field _are_  is absent, the 
>> subject:countryName field MAY contain the two‐letter ISO 3166‐1 
>> country code associated with the Subject as verified in accordance 
>> with Section 3.2.2.3. If a Country is not represented by an official 
>> ISO 3166‐1 country code, the CA MAY specify the ISO 3166‐1 
>> user‐assigned code of XX indicating that an official ISO 3166‐1 
>> alpha‐2 code has not been assigned.
>>
>> _i_. Certificate Field: subject:organizationalUnitName
>>
>> Optional.
>>
>> _Contents: _The CA SHALL implement a process that prevents an OU 
>> attribute from including a name, DBA, tradename, trademark, address, 
>> location, or other text that refers to a specific natural person or 
>> Legal Entity unless the CA has verified this information in 
>> accordance with Section 3.2 and the Certificate also contains 
>> subject:organizationName, _subject:givenName, subject:surname, 
>> _subject:localityName, and subject:countryName attributes, also 
>> verified in accordance with Section 3.2.2.1.
>>
>> 7.1.6.1
>>
>> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, 
>> then it MUST NOT include organizationName, _givenName, surname,_ 
>> streetAddress, localityName, stateOrProvinceName, or postalCode in 
>> the Subject field.
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
> -- 
>
> Best regards,
>
> Adriano Santoni
> ACTALIS S.p.A.
> (Aruba Group)
>
>
>
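The conditional rules in the quoted ballot text (proposed 7.1.4.2.2 c-h and the 7.1.6.1 DV exclusion) expressed as a subject lint that a CA or auditor could run over a parsed certificate. This is an added example, not CA/Browser Forum text or code from anyone on this thread; the dict-of-OIDs subject model, the policy set, and the sample subjects are assumptions of the example.

```python
# Lint of an X.509 subject against the givenName/surname ballot text quoted
# above (proposed BR 7.1.4.2.2 c-h and the 7.1.6.1 DV exclusion).
# Added example, not CA/Browser Forum or list-member code. The subject is
# modelled as a dict of attribute OID -> value and certificatePolicies as a
# set of policy OIDs; both representations are assumptions of this example.

GIVEN_NAME, SURNAME, ORG = "2.5.4.42", "2.5.4.4", "2.5.4.10"
STREET, LOCALITY, STATE = "2.5.4.9", "2.5.4.7", "2.5.4.8"
POSTAL, COUNTRY = "2.5.4.17", "2.5.4.6"
DV_POLICY, IV_POLICY = "2.23.140.1.2.1", "2.23.140.1.2.3"
IDENTITY_FIELDS = {ORG, GIVEN_NAME, SURNAME}
ADDRESS_FIELDS = {STREET, LOCALITY, STATE, POSTAL}

def check_subject(subject: dict, policies: set) -> list:
    """Return the rule violations for a subject; an empty list means it passes."""
    present = {oid for oid, value in subject.items() if value}
    # the Subject is identified when organizationName, givenName or surname is set
    identified = bool(present & IDENTITY_FIELDS)
    problems = []
    # c. a personal name requires the individual-validated policy OID
    if present & {GIVEN_NAME, SURNAME} and IV_POLICY not in policies:
        problems.append("givenName/surname present without policy " + IV_POLICY)
    if identified:
        # e/f. each is required when the other is absent, so one must be present
        if not present & {LOCALITY, STATE}:
            problems.append("localityName or stateOrProvinceName required")
        # h. countryName is required whenever the Subject is identified
        if COUNTRY not in present:
            problems.append("countryName required")
    else:
        # d/e/f/g. address attributes are prohibited without an identified Subject
        for oid in sorted(present & ADDRESS_FIELDS):
            problems.append("%s prohibited without organizationName/givenName/surname" % oid)
    # 7.1.6.1: a DV certificate must not carry identity or address attributes
    if DV_POLICY in policies:
        for oid in sorted(present & (IDENTITY_FIELDS | ADDRESS_FIELDS)):
            problems.append("%s not allowed with DV policy %s" % (oid, DV_POLICY))
    return problems

# Constructed sample subjects (not real certificates)
IV_OK = {GIVEN_NAME: "John", SURNAME: "Doe", LOCALITY: "Vilnius", COUNTRY: "LT"}
IV_NO_LOCALITY = {GIVEN_NAME: "John", SURNAME: "Doe", COUNTRY: "LT"}
DV_WITH_POSTAL = {COUNTRY: "LT", POSTAL: "01234"}

if __name__ == "__main__":
    for name, subj, pol in (("IV ok", IV_OK, {IV_POLICY}),
                            ("IV no locality", IV_NO_LOCALITY, {IV_POLICY}),
                            ("DV with postalCode", DV_WITH_POSTAL, {DV_POLICY})):
        print(name, "->", check_subject(subj, pol) or "passes")
```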
