[cabfpub] Naming rules

Brown, Wendy (10421) wendy.brown at protiviti.com
Tue Mar 14 12:24:01 UTC 2017


I think the real question to be answered is what the purpose of the naming rules in the BR is.  If the requirement for locality and state is to be able to locate the organization that owns the certificate, and if the current naming conventions of a given PKI, whether government or not, allow one to do this, why impose arbitrary naming conventions that require a PKI that has long been in operation with specified naming conventions to change?

Just a personal opinion.

Thanks,
   wendy

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Tuesday, March 14, 2017 8:13 AM
To: 陳立群 <realsky at cht.com.tw>
Cc: Peter Bowen <pzb at amzn.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Naming rules


> On Mar 14, 2017, at 3:20 AM, 陳立群 <realsky at cht.com.tw> wrote:
>
> Peter, please see responses inline below.
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzb at amzn.com]
> Sent: Friday, March 10, 2017 11:33 PM
>
>> Is the DIT hierarchy defined in law?  I understand that the designers of the DIT naming rules looked at the various laws, but do any of them refer to the names in an X.500 directory and/or in Certificates?
>
>> Thanks,
>> Peter
>
>
> => No, the DIT hierarchy is not directly defined in law. Those laws already existed before we started to develop the Government PKI in 1997. As I mentioned, the design of the DIT naming rules of the Government PKI was based on the existing laws, and the naming rules were then incorporated into the CPS and Certificate Profiles. Therefore, the government CA needs to follow the naming rules specified in the CPS and Certificate Profiles.

With all due respect to the government CA, it would appear to be in a very similar situation to PKIs operated by governments and private organizations around the world.  Many of them have naming rules, validation methods, or other policies that do not meet the CA/Browser Forum requirements.  Many members of the Forum have been in similar positions and had to change their naming rules if they wanted to meet the Baseline Requirements.

Respectfully, I do not see this as an appropriate application of 9.16.3.  The only paths forward are either to change the BRs to accommodate the naming rules of the Government PKI on Taiwan or for you to negotiate with each browser to accept a qualified audit.

Based on everything you have provided so far, there is no evidence that Taiwan does not have localities (cities, towns, villages, or similar) or that they are not used in postal addressing.  Much to the contrary, every postal address example you have provided has included a locality.  Therefore this appears to be a situation where the PKI does not want to change (possibly for quite valid reasons) rather than cannot change.

Thanks,
Peter
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public