[cabfpub] [cabfquest] BR Other Subject Attributes

Tim Hollebeek tim.hollebeek at digicert.com
Thu Feb 21 15:55:11 UTC 2019

Would be happy to see a ballot clarifying this.


It would be an improvement if “not actually misissued, but treated as misissuance” became an ex-thing.  If people want certain things to not happen, there needs to be a discussion culminating in a successful ballot that expresses clear rules about what is or isn’t allowed, because the devil is often in the details.


Arbitrary prohibitions based on interpretations gleaned from unofficial discussions do more harm than good.




From: Public <public-bounces at cabforum.org> On Behalf Of Wayne Thayer via Public
Sent: Wednesday, February 20, 2019 8:52 PM
To: Geoff Keating <geoffk at apple.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [cabfquest] BR Other Subject Attributes


On Wed, Feb 20, 2019 at 3:26 PM Geoff Keating via Public <public at cabforum.org> wrote:

My response would be that the OU could be a single hyphen minus, but this does not mean ‘absent’ or ’none provided’, it means the organization unit’s name is ‘-’.  (Perhaps other units are called ‘•’, ‘▷’, and ‘◆’.)

It’s definitely the case that does not apply to; this was intentional because we did not want to require CAs to verify the names of organization units.

I agree with you but I also think this contradicts a lot of the discussions that have happened over the past few years, such as the one Dean referenced.


I also agree with Jeremy's statement that this is "the semi-official interpretation of the requirement based on unofficial discussion", but from a practical perspective, this has been treated as misissuance [1][2], so I think the conservative response I provided to Dean is appropriate.


This issue is related to the ambiguity in EVGL section 9.2.8, and if no one beats me to it, I will propose a ballot to clarify both of these sections.


- Wayne


[1] https://misissued.com/batch/5/

[2] https://bugzilla.mozilla.org/buglist.cgi?list_id=14577117&short_desc_type=allwordssubstr&short_desc=metadata&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&component=CA%20Certificate%20Compliance




> On Feb 19, 2019, at 6:30 PM, sts07065692175 at ezweb.ne.jp wrote:
> Thank you for your confirmation.
> Is it possible that the value of OU of subject distinguished
> name in a BR subscriber certificate is a single hyphen minus,
> provided that the value satisfies conditions of
> --
>  iida
>> Hello,
>> Thank you for contacting the CA/B Forum. You are correct.
>> applies to Subject attributes other than those listed in .a through .i, and
>> the Baseline Requirements permit CAs to include Subject attributes that are
>> not defined in (Note that different rules apply to EV).

Public mailing list
Public at cabforum.org
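The disagreement above comes down to one question a pre-issuance linter has to answer: does the "no metadata such as '.', '-' or ' '" rule for optional Subject attributes (BR 7.1.4.2.2(j)) reach the OU attribute, or does OU live only under its own sub-clause? The following is an added example, not code from the CA/B Forum, Mozilla or any CA. It implements that check over a subject given as (attribute, value) pairs and lets the caller select either reading of the thread. The set of attributes treated as having their own sub-clause, the RFC 4514 short names, and all sample subjects are assumptions or constructed data.

```python
"""Pre-issuance lint for metadata-only Subject attribute values.

Added example, not CA/B Forum or CA code. It applies the BR 7.1.4.2.2(j)
rule that optional Subject attributes must not carry metadata such as '.',
'-' or ' ' (or any other marker that the value is absent), under either of
the two readings discussed on the list:
  - OU is covered by (j)   -> an OU of '-' is flagged (conservative reading)
  - OU is exempt from (j)  -> an OU of '-' is a literal unit name (Geoff's reading)
Subjects are lists of (attribute, value) pairs in RDN order, using RFC 4514
short names. All sample subjects below are constructed, not real certificates.
"""
from typing import List, Tuple

Subject = List[Tuple[str, str]]

# Characters that 7.1.4.2.2(j) names as metadata.
METADATA_CHARS = frozenset(".- ")

# Attributes assumed to have their own sub-clauses in 7.1.4.2.2 (a)-(h).
# Each of those has its own verification rule, so this lint leaves them alone.
ATTRS_WITH_OWN_RULE = frozenset(
    {"CN", "O", "GN", "SN", "STREET", "L", "ST", "postalCode", "C"}
)


def is_metadata_only(value: str) -> bool:
    """True when the value is empty or consists only of '.', '-' and ' '.

    An empty string counts as metadata: it is the plainest "absent" marker.
    A value such as '-1' is not flagged, since it carries a real character.
    """
    return all(ch in METADATA_CHARS for ch in value)


def lint_subject(subject: Subject, ou_under_j: bool = True) -> List[str]:
    """Return one finding per optional attribute whose value is metadata-only.

    ou_under_j=True  treats OU like every other optional attribute, the
                     reading under which an OU of '-' is reported as misissuance.
    ou_under_j=False follows the reading that (j) does not apply to OU
                     because OU has its own sub-clause.
    """
    findings = []
    for attr, value in subject:
        if attr in ATTRS_WITH_OWN_RULE:
            continue  # governed by (a)-(h), outside this check
        if attr == "OU" and not ou_under_j:
            continue  # OU exempt under the alternative reading
        if is_metadata_only(value):
            findings.append(
                f"{attr}={value!r}: metadata-only value in optional Subject "
                "attribute (BR 7.1.4.2.2(j))"
            )
    return findings


# Constructed sample subjects (example.com is a reserved example domain).
SAMPLE_OU_HYPHEN: Subject = [
    ("C", "US"), ("O", "Example Corp"), ("OU", "-"), ("CN", "www.example.com"),
]
SAMPLE_SERIAL_DOT: Subject = [
    ("C", "US"), ("O", "Example Corp"), ("serialNumber", "."),
    ("CN", "www.example.com"),
]
SAMPLE_CLEAN: Subject = [
    ("C", "US"), ("O", "Example Corp"), ("OU", "Platform Engineering"),
    ("CN", "www.example.com"),
]

if __name__ == "__main__":
    samples = (
        ("OU is '-'", SAMPLE_OU_HYPHEN),
        ("serialNumber is '.'", SAMPLE_SERIAL_DOT),
        ("clean", SAMPLE_CLEAN),
    )
    for label, subj in samples:
        for reading in (True, False):
            tag = "OU under (j)" if reading else "OU exempt  "
            print(f"{label:22} {tag}: {lint_subject(subj, reading) or 'ok'}")
```

The serialNumber case is flagged under both readings because it is unambiguously an "other" attribute; only the OU case changes with the flag, which is exactly the point the ballot Wayne proposes would have to settle.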
