[cabfpub] F2F Topic details: What should be represented in the "O" field?

Peter Bowen pzb at amzn.com
Thu Feb 4 22:53:19 UTC 2016


Dean,

Thanks for this background.  I would like to confirm a couple of things are correct as a precursor to the discussion.

1) BR Section 7.1.4.2.2 requires that the organizationName and other Subject attributes contain information verified as per 3.2.2.1

2) BR Section 3.2.2.1 says "If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant's address of existence or operation. The CA SHALL verify the identity and address of the Applicant[…]"

3) BR Section 1.6.1 has three definitions that are relevant:

"Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber."

"Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity Information does not include a domain name listed in the subjectAltName extension or the Subject commonName field."

"Subscriber: A natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber or Terms of Use Agreement."

4) BR Section 9.6.3 lays out obligations of the Subscriber

So, based on this, I think it is accurate that the Subject Identity Information, including the organizationName attribute, MUST identify the natural person or Legal Entity that is the Applicant and is required to meet the obligations of the Subscriber Agreement or Terms of Use.

Does this flow?  Is there a situation where the person or entity named in the certificate subject is not the Applicant and/or not the Subscriber?

Thanks,
Peter

> On Feb 4, 2016, at 2:26 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> 
> As requested on today’s call, please publish ahead of time any background reading material for a topic which has your name next to it.
>  
> On Day 2 the subject topic is scheduled. Here is some background:
>  
> At the last F2F meeting we discussed what should go in the certificate “O” field and what the definition of “applicant” should be. Ryan succinctly summarized it and I transformed into the following example:
>  
> Who can request a cert for dean.example.com:
>  
> 1. Dean Coclin, author of the content and logical operator of the dean.example.com origin
> 2. Example.com, provider of hosting services for Dean Coclin
> 3. CDN Corp, a CDN that provides SSL/TLS front-end services for example.com, which does not offer them directly
> 4. Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Dean Coclin
> 5. Payments LLC, the payment processing firm responsible for handling orders and financial details on dean.example.com
> 6. DNS Org, the company who operates the DNS services on behalf of Dean Coclin
> 7. Mail Corp, the organization who handles the MX records that dean.example.com responds to
>  
> At the last meeting, there was a debate between some who thought it should be #1 and those that thought it should be whoever holds the private key. 
>  
> My position (and those of some others at the meeting) is that it should be #1. The rationale is that this is what is of interest to relying parties. I don't believe relying parties care who holds the private key nor who the site's payment processor or DNS operator are. Relying parties want to know who is responsible for the site content and, in case of problems, who they should contact.
>  
> I would like to open and continue a discussion of this topic (at the meeting, not here) so that we can try and come to some consensus on this issue. Of course, if you have a viewpoint that you'd like to elaborate ahead of time, please feel free to do so.
>  
> Thanks
> Dean
>  