[cabfpub] F2F Topic details: What should be represented in the "O" field?
pzb at amzn.com
Thu Feb 4 22:53:19 UTC 2016
Thanks for this background. I would like to confirm a couple of things are correct as a precursor to the discussion.
1) BR Section 220.127.116.11.2 requires that the organizationName and other Subject attributes contain information verified as per 18.104.22.168
2) BR Section 22.214.171.124 says "If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation. The CA SHALL verify the identity and address of the Applicant[…]”
3) BR Section 1.6.1 has three definitions that are relevant:
"Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber.”
"Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity Information does not include a domain name listed in the subjectAltName extension or the Subject commonName field."
4) BR Section 9.6.3 lays out obligations of the Subscriber
Does this flow? Is there a situation where the person or entity named in the certificate subject is not the Applicant and/or not the Subscriber?
> On Feb 4, 2016, at 2:26 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> As requested on today’s call, please publish ahead of time any background reading material for a topic which has your name next to it.
> On Day 2 the subject topic is scheduled. Here is some background:
> At the last F2F meeting we discussed what should go in the certificate “O” field and what the definition of “applicant” should be. Ryan succinctly summarized it and I transformed into the following example:
> Who can request a cert for dean.example.com:
> 1. Dean Coclin, author of the content and logical operator of the dean.example.com origin
> 2. Example.com, provider of hosting services for Dean Coclin
> 3. CDN Corp, a CDN that provides SSL/TLS front-end services for example.com, which does not offer them directly
> 4. Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Dean Coclin
> 5. Payments LLC, the payment processing firm responsible for handling orders and financial details on dean.example.com
> 6. DNS Org, the company who operates the DNS services on behalf of Dean Coclin
> 7. Mail Corp, the organization who handles the MX records that dean.example.com responds to
> At the last meeting, there was a debate between some who thought it should be #1 and those that thought it should be whoever holds the private key.
> My position (and those of some others at the meeting) is that it should be #1. The rationale is that this is what is of interest to relying parties. I don’t believe relying parties care who holds the private key nor who the site’s payment processor or DNS operator are. Relying parties want to know who is responsible for the site content and, in case of problems, who they should contact.
> I would like to open and continue a discussion of this topic (at the meeting, not here) so that we can try and come to some consensus on this issue. Of course, if you have a viewpoint that you’d like to elaborate ahead of time, please feel free to do so.