[Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4

Ryan Sleevi sleevi at google.com
Tue Dec 3 08:25:43 MST 2019


Right,

I think I'm in agreement with Jeremy here, but I'm still trying to work
through and understand how people arrived at different interpretations and
conclusions.

We know that different Countries subdivide their administrative boundaries
in different ways. Some may or may not operate at stateOrProvince level
with respect to jurisdictional boundaries, and just as importantly, some
Countries may or may not guarantee the uniqueness of the Locality within
the Country absent other qualifiers.

I think there's consistency and core understanding of the two 'simple'
cases:
C
and ST (which also includes C)

The question of whether or not L requires ST is going to be
jurisdictionally dependent, but I suspect far and away the common case is
that it is required, and the exceptions to this are truly exceptional (in
the global scheme of things).

We know that the entire point of the jurisdictionOf* information is to
ensure we can link with the serialNumber to the registration source. If
Locality and Country are not sufficient to identify that, i.e. because
there's a state administrative boundary, that fundamentally means the state
regulates at the locality level if only because two different states with
different locality names are two different regulatory entities, and thus
the selection of state is inherent to the regulatory oversight regime.

Obviously, including misleading or unnecessary information - such as a
state when regulation is done at a country - is silly nonsense, because it
not only does not serve to disambiguate, but it's actually false with
respect to how that jurisdiction is administered. I'm glad to see no one
questioning that.

On Mon, Dec 2, 2019 at 12:50 PM Jeremy Rowley via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> I disagree as that's not what the language says. It says to include the
> state field if the state regulates registration of the locality. I can't
> speak to Toronto and how it incorporates entities (if it does), but I think
> the answer depends heavily on the locality, the type of entity, and how
> registration occurs.
> ------------------------------
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Bruce Morton via Servercert-wg <servercert-wg at cabforum.org>
> *Sent:* Monday, December 2, 2019 10:45:32 AM
> *To:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B Forum
> Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4
>
>
> I guess I am saying that you must include the jurisdiction level where the
> organization was registered. If the organization was registered at the
> locality level, then the certificate must include jL and jC. If the country
> has no states or provinces, then jST must not be used. If the country has
> states or provinces, then jST must be used, where jST is the state/province
> for jL.
>
>
>
> Let’s say that we have a company based in Toronto, Ontario, Canada; if it
> was registered in:
>
>    1. Canada, then the certificate must only have jC=CA
>    2. Ontario, then the certificate must only have jST=Ontario and jC=CA.
>    It cannot have jL=Toronto as the company was not registered by a registrar
>    at the locality level.
>    3. Toronto, then the certificate must have all 3, jL=Toronto,
>    jST=Ontario and jC=CA. jST must be included to help identify where the
>    locality is.
>
>
>
> Bruce
>
>
>
> *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
> *Sent:* Monday, December 2, 2019 12:26 PM
> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [EXTERNAL][Servercert-wg] Clarification about EVG 9.2.4
>
>
>
>
>
> On 2019-12-02 7:12 μ.μ., Bruce Morton wrote:
>
> Hi Dimitris,
>
>
>
> My interpretation is the following:
>
>
>
>    1. If the organization is registered at the country level, then the
>    certificate must include the *subject:jurisdictionCountryName*.
>    2. *If* the organization is *registered at the state/province level,* then
>    the certificate must include the
>    *subject:jurisdictionStateOrProvinceName* and the
>    *subject:jurisdictionCountryName*.
>    3. *If* the organization is *registered at the locality level,* then
>    the certificate must include the *subject:jurisdictionLocalityName*
>    and the *subject:jurisdictionCountryName*; *and must include the
>    subject:jurisdictionStateOrProvinceName, only if the locality is in a
>    state/province.*
>
>
> Hi Bruce, thanks for your reply.
>
> The first two are quite clear.
>
> The following:
> "*and must include the subject:jurisdictionStateOrProvinceName, only
> if the locality is in a state/province*"
>
> is not so clear to me. Perhaps you could elaborate with a couple of
> theoretical examples? It seems that the StateOrProvince is mixed with
> Locality in your description but I might have misunderstood.
>
>
> Dimitris.
>
> *Bruce.*
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of* Dimitris
> Zacharopoulos (HARICA) via Servercert-wg
> *Sent:* Monday, December 2, 2019 12:02 PM
> *To:* CA/B Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL][Servercert-wg] Clarification about EVG 9.2.4
>
>
>
> Dear members,
>
> I would like to ask for a clarification/interpretation about section 9.2.4
> of the EV Guidelines and please forgive me if this has been discussed in
> the past.
> 9.2.4. Subject Jurisdiction of Incorporation or Registration Field
>
> "*Contents:* These fields MUST NOT contain information that is not
> relevant to the level of the Incorporating Agency or Registration Agency.
> For example, the Jurisdiction of Incorporation for an Incorporating Agency
> or Jurisdiction of Registration for a Registration Agency that operates at
> the country level MUST include the country information but MUST NOT include
> the state or province or locality information. Similarly, the jurisdiction
> for the applicable Incorporating Agency or Registration Agency at the state
> or province level MUST include both country and state or province
> information, but MUST NOT include locality information. And, the
> jurisdiction for the applicable Incorporating Agency or Registration Agency
> at the locality level MUST include the country and state or province
> information, where the state or province regulates the registration of the
> entities at the locality level, as well as the locality information.
> Country information MUST be specified using the applicable ISO country
> code. State or province or locality information (where applicable) for the
> Subject's Jurisdiction of Incorporation or Registration MUST be specified
> using the full name of the applicable jurisdiction."
>
> Is it allowed to include a *subject:jurisdictionLocalityName* without
> providing a *subject:jurisdictionStateOrProvinceName*?
>
> The requirement says "And, the jurisdiction for the applicable
> Incorporating Agency or Registration Agency at the locality level MUST
> include the country and state or province information, where the state or
> province regulates the registration of the entities at the locality level,
> as well as the locality information."
>
> In one interpretation, if there is no "state or province" that regulates
> the registration of entities but this registration is done at the locality
> level, then the *subject:jurisdictionStateOrProvinceName* can be omitted
> and only the *subject:jurisdictionLocalityName* is included along with
> the *subject:jurisdictionCountryName*. Is this an accurate and valid
> interpretation?
>
>
> Thank you,
> Dimitris.
>
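
Added example, not part of any message in this thread: a small checker for the jurisdiction fields as the EVG 9.2.4 text quoted above words them, with the question the thread debates (does a state or province regulate registration at the locality level?) taken as an explicit input. The function name, the `level` values and the two-letter reading of "ISO country code" are assumptions of this example.

```python
# Added example (not from the thread): EVG 9.2.4 jurisdiction-field check.
# jC / jST / jL are the thread's shorthand for subject:jurisdictionCountryName,
# subject:jurisdictionStateOrProvinceName and subject:jurisdictionLocalityName.

LEVELS = ("country", "state", "locality")

def check_jurisdiction(level, fields, state_regulates_locality=True):
    """Return findings for one certificate's jurisdiction fields.

    level: level at which the Incorporating/Registration Agency operates.
    fields: dict with any of "jC", "jST", "jL"; empty values count as absent.
    state_regulates_locality: for level "locality" only. Whether a state or
        province regulates registration at the locality level. This is a fact
        the CA establishes during validation; the certificate cannot show it.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown registration level: {level!r}")
    present = {name for name, value in fields.items() if value}
    unknown = present - {"jC", "jST", "jL"}
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")

    required = {"jC"}                      # country is needed at every level
    if level == "state":
        required.add("jST")
    elif level == "locality":
        required.add("jL")
        if state_regulates_locality:
            required.add("jST")

    findings = [f"missing {n}" for n in sorted(required - present)]
    # "MUST NOT contain information that is not relevant to the level"
    findings += [f"{n} not relevant to {level}-level registration"
                 for n in sorted(present - required)]

    jc = fields.get("jC") or ""
    # Assumption: "ISO country code" means the two-letter ISO 3166-1 form.
    if jc and not (len(jc) == 2 and jc.isascii() and jc.isalpha() and jc.isupper()):
        findings.append("jC is not a two-letter ISO country code")
    return findings

# Constructed sample, based on the Toronto illustration quoted in the thread.
if __name__ == "__main__":
    toronto = {"jC": "CA", "jL": "Toronto"}
    print(check_jurisdiction("locality", toronto))         # state regulates
    print(check_jurisdiction("locality", toronto, False))  # no state involved
```
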