[cabfpub] Subject field of Subordinate CAs
geoffk at apple.com
Sat Jan 16 00:03:20 UTC 2016
> On 15 Jan 2016, at 3:38 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> We think that the language in BR Section 7.1.2.2 h, which applies to the Subject field of Subordinate CA certificates, is vague and potentially misleading. It currently says:
> The Certificate Subject MUST contain the following:
> - countryName (OID 2.5.4.6). This field MUST contain the two-letter ISO 3166‐1 country code for the country in which the CA’s place of business is located.
> - organizationName (OID 2.5.4.10). This field MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA.
> The field MUST NOT contain exclusively a generic designation such as “CA1”.
> The words “meaningful”, “accurately identify” and “generic” are subjective, and we think that allowing the use of a trademark further leads to confusion.
> We were recently approached by a customer who wanted a Subordinate CA certificate that contained one of their trademarks. Even though we were able to verify that they owned the trademark in their country, we felt it was generic and violated the spirit of 7.1.2.2.
> To clarify this section, we’re thinking of proposing a ballot to remove the word “trademark”, and require that the organizationName be vetted in accordance with Section 3.2.2. However, we see that 3.2.2.2 allows a DBA or Tradename to be used. We may also want to consider removing that from the BRs.
> By way of example, suppose a company gets a trademark for the term “Certification Authority” in their country, is that permissible to put in the Subject Organizational Name of an end-entity or Subordinate CA certificate?
It seems to me that the EV standard would probably be appropriate here: “the full legal name of the entity … as listed in the official records in the Subject’s Jurisdiction or as otherwise verified by the CA” and so on (including the part where you can have a DBA followed by the official name).
That would also reduce the number of standards for this field by one, which I think is a good thing!
It's quite different from the current rule, and there are technical reasons why existing ones can’t be changed, so there would need to be some kind of grandfathering provision.
I would be surprised if any company could trademark “Certification Authority”; you’re not supposed to be able to do that, since trademarks have to be distinctive.
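The rule quoted above (countryName must be a two-letter ISO 3166-1 code, organizationName must be present and must not be exclusively a generic designation such as “CA1”) is the kind of thing a certificate linter checks mechanically. The following is an added example, not code from the thread or from the CA/Browser Forum: a stdlib-only Python check that parses an RFC 4514 subject string and reports deviations from that rule. The country-code table is a constructed subset, and the `GENERIC_ORG` pattern is an editorial guess at what “generic” covers (the BRs give only the one example, which is exactly the subjectivity Rick’s message complains about), so both are assumptions, not the BR’s own definitions.

```python
"""Added example: lint a Subordinate CA subject against the BR countryName /
organizationName rule. Not code from the cabfpub thread or the BRs."""
import re
from typing import List, Tuple

OID_COUNTRY_NAME = "2.5.4.6"
OID_ORGANIZATION_NAME = "2.5.4.10"

# RFC 4514 short attribute names mapped to OIDs; an OID given directly is kept as-is.
ATTR_OIDS = {"C": OID_COUNTRY_NAME, "O": OID_ORGANIZATION_NAME, "CN": "2.5.4.3",
             "OU": "2.5.4.11", "L": "2.5.4.7", "ST": "2.5.4.8"}

# Constructed subset of ISO 3166-1 alpha-2 codes (assumption); load the full table in practice.
ISO_3166_1_ALPHA2 = {"US", "GB", "DE", "FR", "NL", "JP", "CA", "AU", "CH", "IE"}

# Assumption: heuristic for "exclusively a generic designation such as CA1". The BR text
# gives only that one example; the other phrases here are an editorial guess.
GENERIC_ORG = re.compile(
    r"(?:ca|certification authority|certificate authority|root ca|sub ?ca|"
    r"issuing ca|intermediate ca)\s*\d*",
    re.IGNORECASE)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string such as 'C=US, O=Example\\, Inc.' into (oid, value) pairs.
    Handles backslash escapes and '+' multi-valued RDNs; hex-encoded (#...) values are not."""
    pairs: List[Tuple[str, str]] = []
    attr = ""
    buf: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":          # end of attribute type
            attr, buf, in_value = "".join(buf).strip().upper(), [], True
        elif in_value and ch in ",+":           # end of one attribute value
            pairs.append((ATTR_OIDS.get(attr, attr), "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        pairs.append((ATTR_OIDS.get(attr, attr), "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("attribute type without a value: %r" % "".join(buf))
    return pairs


def check_subordinate_ca_subject(dn: str) -> List[str]:
    """Return a list of findings; an empty list means the subject satisfies the rule."""
    subject = parse_dn(dn)
    findings: List[str] = []
    countries = [v for oid, v in subject if oid == OID_COUNTRY_NAME]
    orgs = [v for oid, v in subject if oid == OID_ORGANIZATION_NAME]

    if not countries:
        findings.append("countryName (2.5.4.6) is missing")
    for c in countries:
        # Two upper-case letters that are an assigned ISO 3166-1 alpha-2 code.
        if not re.fullmatch(r"[A-Z]{2}", c) or c not in ISO_3166_1_ALPHA2:
            findings.append("countryName %r is not a two-letter ISO 3166-1 code" % c)

    if not orgs:
        findings.append("organizationName (2.5.4.10) is missing")
    for o in orgs:
        if not o:
            findings.append("organizationName is empty")
        elif GENERIC_ORG.fullmatch(o):
            findings.append("organizationName %r is exclusively a generic designation" % o)
    return findings


if __name__ == "__main__":
    # Constructed sample subjects, including the hypothetical from the thread.
    for sample in ("C=US, O=Example Corp, CN=Example Issuing CA 1",
                   "C=US, O=CA1, CN=CA1",
                   "C=USA, O=Example Corp",
                   "C=US, O=Certification Authority"):
        print(sample, "->", check_subordinate_ca_subject(sample) or "ok")
```

The check is deliberately strict on countryName, since that part of the rule is objective; organizationName can only be screened heuristically, which is why a linter flags a suspect value for a human vetting step rather than deciding on its own.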