[cabfpub] [cabfquest] BR 7.1.4.2.2.j Other Subject Attributes

Wayne Thayer wthayer at mozilla.com
Thu Feb 21 01:52:00 UTC 2019


On Wed, Feb 20, 2019 at 3:26 PM Geoff Keating via Public <
public at cabforum.org> wrote:

> My response would be that the OU could be a single hyphen minus, but this
> does not mean ‘absent’ or ’none provided’, it means the organization unit’s
> name is ‘-’.  (Perhaps other units are called ‘•’, ‘▷’, and ‘◆’.)
>
> It’s definitely the case that 7.1.4.2.2j does not apply to 7.1.4.2.2i,
> this was intentional because we did not want to require CAs to verify the
> names of organization units.

I agree with you but I also think this contradicts a lot of the
discussions that have happened over the past few years, such as the one
Dean referenced.

I also agree with Jeremy's statement that this is "the semi-official
interpretation of the requirement based on unofficial discussion", but from
a practical perspective, this has been treated as misissuance [1][2], so I
think the conservative response I provided to Dean is appropriate.

This issue is related to the ambiguity in EVGL section 9.2.8, and if no one
beats me to it, I will propose a ballot to clarify both of these sections.

- Wayne

[1] https://misissued.com/batch/5/
[2] https://bugzilla.mozilla.org/buglist.cgi?list_id=14577117&short_desc_type=allwordssubstr&short_desc=metadata&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&component=CA%20Certificate%20Compliance




> > On Feb 19, 2019, at 6:30 PM, sts07065692175 at ezweb.ne.jp wrote:
> >
> > Thank you for your confirmation.
> >
> > Is it possible that the value of OU of subject distinguished
> > name in a BR subscriber certificate is a single hyphen minus,
> > provided that the value satisfies conditions of 7.1.4.2.2.i?
> > --
> >  iida
> >
> >> Hello,
> >>
> >> Thank you for contacting the CA/B Forum. You are correct. 7.1.4.2.2.j
> >> applies to Subject attributes other than those listed in .a through .i, and
> >> the Baseline Requirements permit CAs to include Subject attributes that are
> >> not defined in 7.1.4.2.2 (Note that different rules apply to EV).