[Servercert-wg] Fwd: Re: [EXTERNAL] Clarification about EVG 9.2.4

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Dec 2 22:35:17 MST 2019


This didn't go through the servercert-wg list. Cynthia now has posting 
rights after becoming an Interested Party.

Dimitris.


-------- Forwarded Message --------
Subject: 	Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4
Date: 	Mon, 2 Dec 2019 18:58:53 +0100
From: 	Cynthia Revström <me at cynthia.re>
To: 	Jeremy Rowley <jeremy.rowley at digicert.com>, CA/B Forum Server 
Certificate WG Public Discussion List <servercert-wg at cabforum.org>
CC: 	Bruce Morton <Bruce.Morton at entrustdatacard.com>, Dimitris 
Zacharopoulos (HARICA) <dzacharo at harica.gr>



Hello,
My interpretation would be that for example if we take Apple as an 
example, it would be jC=US, jST=California but no locality.
I understand that this will get very complicated, as for example, in 
Sweden, limited companies are at a national level while for example sole 
proprietorships are at a county level.
- Cynthia

On Mon, Dec 2, 2019 at 6:50 PM Jeremy Rowley via Servercert-wg 
<servercert-wg at cabforum.org> wrote:

    I disagree as that's not what the language says. It says to include
    the state field if the state regulates registration of the locality.
    I can't speak to Toronto and how it incorporates entities (if it
    does), but I think the answer depends heavily on the locality, the
    type of entity, and how registration occurs.
    ------------------------------------------------------------------------
    *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on
    behalf of Bruce Morton via Servercert-wg
    <servercert-wg at cabforum.org>
    *Sent:* Monday, December 2, 2019 10:45:32 AM
    *To:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>;
    CA/B Forum Server Certificate WG Public Discussion List
    <servercert-wg at cabforum.org>
    *Subject:* Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4

    I guess I am saying that you must include the jurisdiction level
    where the organization was registered. If the organization was
    registered at the locality level, then the certificate must include
    jL and jC. If the country has no states or provinces, then jST must
    not be used. If the country has states or provinces, then jST must
    be used, where jST is the state/province for jL.

    Let’s say that we have a company based in Toronto, Ontario, Canada;
    if it was registered in:

     1. Canada, then the certificate must only have jC=CA
     2. Ontario, then the certificate must only have jST=Ontario and
        jC=CA. It cannot have jL=Toronto as the company was not
        registered by a registrar at the locality level.
     3. Toronto, then the certificate must have all 3, jL=Toronto,
        jST=Ontario and jC=CA. jST must be included to help identify
        where the locality is.

    Bruce

    *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
    *Sent:* Monday, December 2, 2019 12:26 PM
    *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>; CA/B Forum
    Server Certificate WG Public Discussion List
    <servercert-wg at cabforum.org>
    *Subject:* Re: [EXTERNAL][Servercert-wg] Clarification about EVG 9.2.4

    On 2019-12-02 7:12 PM, Bruce Morton wrote:

        Hi Dimitris,

        My interpretation is the following:

         1. If the organization is registered at the country level, then
            the certificate must include the
            /subject:jurisdictionCountryName/.
         2. If the organization is registered at the state/province
            level, then the certificate must include the
            /subject:jurisdictionStateOrProvinceName/ and the
            /subject:jurisdictionCountryName/.
         3. If the organization is registered at the locality level,
            then the certificate must include the
            /subject:jurisdictionLocalityName/ and the
            /subject:jurisdictionCountryName/; and must include the
            /subject:jurisdictionStateOrProvinceName/, only if the
            locality is in a state/province.


    Hi Bruce, thanks for your reply.

    The first two are quite clear.

    The following:
    "and must include the /subject:jurisdictionStateOrProvinceName/,
    only if the locality is in a state/province"

    is not so clear to me. Perhaps you could elaborate with a couple of
    theoretical examples? It seems that the StateOrProvince is mixed with
    Locality in your description but I might have misunderstood.


    Dimitris.



        Bruce.

        *From:* Servercert-wg <servercert-wg-bounces at cabforum.org>
        *On Behalf Of* Dimitris Zacharopoulos (HARICA) via Servercert-wg
        *Sent:* Monday, December 2, 2019 12:02 PM
        *To:* CA/B Forum Server Certificate WG Public Discussion List
        <servercert-wg at cabforum.org>
        *Subject:* [EXTERNAL][Servercert-wg] Clarification about EVG 9.2.4


        Dear members,

        I would like to ask for a clarification/interpretation about
        section 9.2.4 of the EV Guidelines and please forgive me if this
        has been discussed in the past.


              9.2.4. Subject Jurisdiction of Incorporation or
              Registration Field

        "*Contents:* These fields MUST NOT contain information that is
        not relevant to the level of the Incorporating Agency or
        Registration Agency. For example, the Jurisdiction of
        Incorporation for an Incorporating Agency or Jurisdiction of
        Registration for a Registration Agency that operates at the
        country level MUST include the country information but MUST NOT
        include the state or province or locality information.
        Similarly, the jurisdiction for the applicable Incorporating
        Agency or Registration Agency at the state or province level
        MUST include both country and state or province information, but
        MUST NOT include locality information. And, the jurisdiction for
        the applicable Incorporating Agency or Registration Agency at
        the locality level MUST include the country and state or
        province information, where the state or province regulates the
        registration of the entities at the locality level, as well as
        the locality information. Country information MUST be specified
        using the applicable ISO country code. State or province or
        locality information (where applicable) for the Subject's
        Jurisdiction of Incorporation or Registration MUST be specified
        using the full name of the applicable jurisdiction."

        Is it allowed to include a /subject:jurisdictionLocalityName/
        without providing a /subject:jurisdictionStateOrProvinceName/?

        The requirement says "And, the jurisdiction for the applicable
        Incorporating Agency or Registration Agency at the locality
        level MUST include the country and state or province
        information, where the state or province regulates the
        registration of the entities at the locality level, as well as
        the locality information."

        In one interpretation, if there is no "state or province" that
        regulates the registration of entities but this registration is
        done at the locality level, then the
        /subject:jurisdictionStateOrProvinceName/ can be omitted and
        only the /subject:jurisdictionLocalityName/ is included along
        with the /subject:jurisdictionCountryName/. Is this an accurate
        and valid interpretation?


        Thank you,
        Dimitris.




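Added example, not part of the thread or of any CA's tooling: a small lint check for the jurisdiction fields against the EVG 9.2.4 text quoted above. The function and parameter names are hypothetical, and because the thread disagrees on when jST is expected for a locality-level registration, that decision is left to the caller through `state_applies`.

```python
import re

# OIDs of the EV jurisdiction attributes, so a parsed subject DN keyed by
# OID can be passed in directly. Short names follow the thread.
OIDS = {
    "1.3.6.1.4.1.311.60.2.1.3": "jC",   # jurisdictionCountryName
    "1.3.6.1.4.1.311.60.2.1.2": "jST",  # jurisdictionStateOrProvinceName
    "1.3.6.1.4.1.311.60.2.1.1": "jL",   # jurisdictionLocalityName
}

def lint_jurisdiction(fields, level, state_applies=True):
    """Return a list of findings for the jurisdiction fields of one subject.

    fields: dict keyed by short name or OID, e.g. {"jC": "CA"}.
    level: level of the registering agency: "country", "state" or "locality".
    state_applies: for locality-level registration only, whether jST is
        expected. The thread disagrees on what decides this, so the caller
        chooses (hypothetical parameter of this sketch).
    """
    if level not in ("country", "state", "locality"):
        raise ValueError(f"unknown level: {level!r}")
    fields = {OIDS.get(k, k): v for k, v in fields.items()}
    present = {k for k in ("jC", "jST", "jL") if fields.get(k)}

    required = {"jC"}
    if level == "state":
        required.add("jST")
    elif level == "locality":
        required.add("jL")
        if state_applies:
            required.add("jST")

    findings = [f"missing {f}" for f in sorted(required - present)]
    findings += [f"{f} not relevant to {level}-level registration"
                 for f in sorted(present - required)]
    # The quoted text requires an ISO country code; the two-letter form is
    # assumed here.
    if "jC" in present and not re.fullmatch(r"[A-Z]{2}", fields["jC"]):
        findings.append("jC is not a two-letter ISO country code")
    return findings

if __name__ == "__main__":
    # Constructed inputs based on the Toronto cases in the thread.
    toronto = {"jC": "CA", "jST": "Ontario", "jL": "Toronto"}
    for level in ("country", "state", "locality"):
        print(level, lint_jurisdiction(toronto, level))
    print(lint_jurisdiction({"jC": "CA", "jL": "Toronto"}, "locality", False))
```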