[cabfpub] Question on BR BR 7.1.4.2.2(j) - Other Subject Attributes

Kirk Hall Kirk.Hall at entrustdatacard.com
Fri Aug 18 00:54:07 UTC 2017


There has been a discussion on a Mozilla list, "Certificates with Metadata-Only Subject Fields" (https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Sae5lpT02Ng), that concerns BR 7.1.4.2.2, Subject Distinguished Name Fields:

j. Other Subject Attributes
All other optional attributes, when present within the subject field, MUST contain information that has
been verified by the CA. Optional attributes MUST NOT contain metadata such as ‘.’, ‘‐’, and ‘ ’ (i.e. space)
characters, and/or any other indication that the value is absent, incomplete, or not applicable.

My question to the Forum is - where did this language come from?  An RFC?  Some other standard?  Does this prohibition actually make sense (especially for the OU field, which is optional but must be verified by the CA if it includes identity-type information)?  Can we consider deleting sub (j) or clarifying it only applies to certain fields?

Ballot 33 - Subject attribute requirements (4 August 2009)

Vote

Yes: Entrust, VeriSign, GlobalSign, DigiCert, T-Systems, QuoVadis, StartCom, Buypass, Trustwave, Comodo, SSC and Microsoft.

No: None.

Abstain: None.

Result: Accepted.

Motion:

Steve Roylance made the following motion, and Johnathan Nightingale and Jay Schiavo endorsed it:

________________________________

Motion begins

________________________________

The Guidelines should be amended by the following erratum.

________________________________

Erratum begins

________________________________

Delete the following paragraph from Section 6.



6. EV Certificate Content Requirements This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate.



Insert the following paragraph:



6. EV Certificate Content Requirements This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. Optional data fields within the subject DN should contain either information verified by the CA or be left empty. Meta data such as ‘.’, ‘-’ and ‘ ’ characters and or any other indication that the field is not applicable should not be used.



Delete the following paragraph from Section 6(a)(4).



Contents These fields MUST contain information only at and above the level of the Incorporating Agency or Registration Agency - e.g., the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency at the country level would include country information but not state or province or locality information; the Jurisdiction of Incorporation for the applicable Incorporating Agency or Registration Agency at the state or province level would include both country and state or province information, but not locality information; and so forth. Country information MUST be specified using the applicable ISO country code. State or province information, and locality information (where applicable), for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.

Insert the following paragraph:

Contents These fields MUST contain information only relevant to the level of the Incorporating Agency or Registration Agency - e.g., the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency at the country level would include country information but not state or province or locality information; the Jurisdiction of Incorporation for the applicable Incorporating Agency or Registration Agency at the state or province level would include both country and state or province information, but not locality information ; the Jurisdiction of Incorporation for the applicable Incorporating Agency or Registration Agency at locality level would include country and also state or province information where the state or province regulates the registration of the entities at the locality level. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable), for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.

Delete the following paragraph from the Definitions Section.

41. Jurisdiction of Incorporation: In the case of a Private Organization, the country and (where applicable) the state or province where the organization’s legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the case of a Government Entity, the country and (where applicable) the state or province where the Entity’s legal existence was created by law.

Insert the following paragraph:

41. Jurisdiction of Incorporation: In the case of a Private Organization, the country and (where applicable) the state or province or locality where the organization’s legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the case of a Government Entity, the country and (where applicable) the state or province where the Entity’s legal existence was created by law.

________________________________

Erratum ends

________________________________
________________________________

Motion ends
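
The check that sub (j) implies, as an added example that is not part of the original message or of any CA/Browser Forum document: a linter that flags subject attributes whose value is only metadata. It assumes the subject is supplied as an RFC 4514 string; the function names, the `PLACEHOLDER_WORDS` list and the sample subjects are hypothetical.

```python
import re

# Values built only from '.', '-' (ASCII or U+2010) and whitespace, or empty.
METADATA_ONLY = re.compile(r"[.\-\u2010\s]*")
# Assumption, not BR text: sample words standing in for "any other indication
# that the value is absent, incomplete, or not applicable".
PLACEHOLDER_WORDS = {"n/a", "na", "none", "null", "unknown"}

def split_unescaped(text, seps):
    """Split on any char in seps, skipping backslash-escaped characters."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 1                      # also step over the escaped char
        elif text[i] in seps:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    return parts + [text[start:]]

def unescape(value):
    """Decode RFC 4514 escapes (backslash + hex pair, or backslash + char)."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok, 16)]) if len(tok) == 2 else tok
    raw = re.sub(rb"\\([0-9A-Fa-f]{2}|.)", repl, value.encode(), flags=re.S)
    return raw.decode("utf-8", "replace")

def lint_subject(dn):
    """Return (attribute, value) pairs whose value is metadata-only."""
    findings = []
    for ava in split_unescaped(dn, ",+"):   # ',' between RDNs, '+' inside one
        attr, _, raw = ava.partition("=")
        value = unescape(raw)
        if (METADATA_ONLY.fullmatch(value)
                or value.strip().lower() in PLACEHOLDER_WORDS):
            findings.append((attr.strip(), value))
    return findings

# Constructed sample subjects (not taken from real certificates).
SAMPLES = [
    "CN=www.example.com,OU=-,O=Example Corp,L=.,C=US",
    "CN=www.example.com,OU=\\ ,O=Example\\, Inc.,C=US",
    "CN=www.example.com,OU=N/A,O=Example Corp,ST=\\2D,C=US",
    "CN=www.example.com,OU=Web Services,O=Example Corp,C=US",
]
if __name__ == "__main__":
    for dn in SAMPLES:
        print(dn, "->", lint_subject(dn) or "ok")
```

The character-class test covers the characters the rule names; the word list is a judgment call, since the rule text does not enumerate the "other indications".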
