[cabfpub] Subject information in website certificates

Peter Bowen pzb at amzn.com
Sun Feb 26 23:30:11 UTC 2017


There has been a lot of discussion about what should go in the subject of server authentication (“website”) certificates issued by CAs that are part of the WebPKI.  I think much of the discussion is because of confusion due to the many different ways to identify a single organization.

First, you can identify a physical location for an office (any office) of the organization.  Second, you can identify an address for postal mail delivery (using the primary/official postal service in the country) to the organization.  Third you can identify the jurisdiction of incorporation of the entities.

For example, there is a building with a sign on the top  that says “Amazon Web Services” and a similar sign in the lobby.  It has the address:

12900 WORLDGATE DR
HERNDON VA 20170-6039
UNITED STATES

The website for Amazon Web Services has the following mailing address:

PO BOX 81226
SEATTLE WA 98108-1300
UNITED STATES

And AMAZON WEB SERVICES, INC. is a Corporation registered with the state of Delaware in the United States (based on the online system provided by the Delaware Division of Corporations).

I believe that organizations in other counties are similar.  For example, Cathay United Bank has a location at 屏東市中正路125號 with postal code 900 in Taiwan.  This can also be written as No.125, Zhong Zheng Road, Ping Tung City, Ping Tung County 900, Taiwan.

The registration for the domain cathaybk.com.tw gives an address of 台北市內湖區瑞光路510號2樓(高祖謙) which is 2Fl , No.510 , Rueiguang Rd. Taipei Taiwan.

I’m sure a QGIS will provide yet another address for Cathay United Bank.

How does this relate to certificates?  

Certificate subjects are made up of attributes; each attribute has a type and a value.  Types are things like “countryName”, “locality”, or “telephoneNumber”.  While some standards and PKIs define a relationship between the attributes (for example making up entries in a tree), the BRs do not assign any such relationship at the attribute level.  Instead the attributes in the Subject are taken as an unordered set of data elements.  The BRs require that, for non-EV certificates, the attributes represent a place of business ("address of existence or operation”) of the organization named in the subject.  

In the United States, Taiwan, Nauru, Bermuda, every other country I’ve seen, there is at least one postal address element after the street address that is not the postal code.  This takes on different names in different counties (state, province, territory, district, city, etc).  In the addresses above, these include “Herndon VA”, “Seattle WA”, “Ping Tung City, Ping Tung County”, and “Taipei”.  In three countries (the Holy See, Monaco, and Singapore), the country name is included for domestic mail as they do not have subordinate city names.  Everywhere else there is at least one district element.

The requirement in the BRs is to include these address elements in the certificate subject.  Put another way, from the subject of the certificate, one should be able to identify a city, town, or village that contains an office of the named organization.

There has been some confusion about how to handle organizations that are registered at a state, provincial, or national level.  Do these need to include a city, town or village name?  The answer is yes, as the information in the subject is to identify the place of business not just registration location.  In fact, in the Amazon Web Services example above, it might not even be acceptable to include Delaware, as I don’t think AWS has an office in Delaware.

I hope that this helps clarify the BR requirements and intent, at least as I see it.

Thanks,
Peter


More information about the Public mailing list