[cabfpub] FW: Naming rules

Gervase Markham gerv at mozilla.org
Mon Mar 6 10:59:04 UTC 2017


On 06/03/17 06:51, Kirk Hall wrote:
> Gerv – we worked on BR 9.16.3 together – the whole point was to ALLOW
> CAs to deviate from (modify) the BRs if required by applicable law 

Yes, if _required_ by applicable _law_. I may be misunderstanding the
situation, but if Peter's summary is correct:

"I believe the government on Taiwan falls into the latter case.  They
have a PKI which has the policy that names must be taken from an
existing Directory Information Tree operated by the government.  Many of
the Names in the existing DIT don’t include attributes that are required
by the BRs."

...then this is not a 9.16.3 situation. There is no law anyone has
quoted which requires Chunghwa Telecom to issue certificates for this
PKI from publicly-trusted roots. So they can solve the "problem" either
by not issuing certificates for this PKI, or by issuing them from
private roots. The fact that they might _want_ to issue certificates for
it from publicly-trusted roots for convenience is not in itself enough
to allow them to use 9.16.3.

Let's imagine this DIT was operated by a private company. Would they
then be allowed to use 9.16.3? Of course not. The fact that the
government is operating it doesn't make any difference, unless there's a
law which says that all Taiwanese CAs _must_ issue for it from any root
the government chooses. The government doesn't get a special carve-out
from the BRs for its PKIs just by virtue of being the government.

As I said, I may have misunderstood the situation, but that's how I see
it at the moment.

Gerv


