[cabfpub] Naming rules

Peter Bowen pzb at amzn.com
Mon Mar 6 16:04:09 UTC 2017


> On Mar 6, 2017, at 2:59 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> On 06/03/17 06:51, Kirk Hall wrote:
>> Gerv – we worked on BR 9.16.3 together – the whole point was to ALLOW
>> CAs to deviate from (modify) the BRs if required by applicable law 
> 
> Yes, if _required_ by applicable _law_. I may be misunderstanding the
> situation, but if Peter's summary is correct:
> 
> "I believe the government on Taiwan falls into the latter case.  They
> have a PKI which has the policy that names must be taken from an
> existing Directory Information Tree operated by the government.  Many of
> the Names in the existing DIT don’t include attributes that are required
> by the BRs."
> 
> ...then this is not a 9.16.3 situation. There is no law anyone has
> quoted which requires Chunghwa Telecom to issue certificates for this
> PKI from publicly-trusted roots. So they can solve the "problem" either
> by not issuing certificates for this PKI, or by issuing them from
> private roots. The fact that they might _want_ to issue certificates for
> it from publicly-trusted roots for convenience is not in itself enough
> to allow them to use 9.16.3.
> 
> Let's imagine this DIT was operated by a private company. Would they
> then be allowed to use 9.16.3? Of course not. The fact that the
> government is operating it doesn't make any difference, unless there's a
> law which says that all Taiwanese CAs _must_ issue for it from any root
> the government chooses. The government doesn't get a special carve-out
> from the BRs for its PKIs just by virtue of being the government.
> 
> As I said, I may have misunderstood the situation, but that's how I see
> it at the moment.

Li-Chun: Can you clarify? Is there any law in Taiwan that requires specific name forms or is this discussion about getting an existing established PKI to be BR-compliant by changing the BRs instead of changing the PKI?

Thanks,
Peter

