[Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4

Richard Smith rich at sectigo.com
Tue Dec 3 09:53:23 MST 2019


Ah, ok.  I agree.

Regards,
Rich

From: Jeremy Rowley <jeremy.rowley at digicert.com>
Sent: Tuesday, December 3, 2019 10:46 AM
To: Richard Smith <rich at sectigo.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Cynthia Revström <me at cynthia.re>
Subject: Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I mean make the requirements on when to include state and when not to include state the same. Sure they are different fields but whether you include the info in the cert can follow the same rules.
________________________________
From: Richard Smith <rich at sectigo.com<mailto:rich at sectigo.com>>
Sent: Tuesday, December 3, 2019 6:42:14 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>; Cynthia Revström <me at cynthia.re<mailto:me at cynthia.re>>
Subject: RE: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4


?



I don’t understand what you’re getting at.  JoI and place of business are two different things and, at least potentially, have absolutely nothing to do w/one another, hence the requirement in Section 11 to obtain a legal opinion in cases where the JoI is a different country from the place of business.



Regards,

Rich



From: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Sent: Tuesday, December 3, 2019 10:31 AM
To: Richard Smith <rich at sectigo.com<mailto:rich at sectigo.com>>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>; Cynthia Revström <me at cynthia.re<mailto:me at cynthia.re>>
Subject: Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4



CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.



I agree with revising it, but it'd be better to just match how the place of business works. Make it simple and keep the rules the same for Joi and place of business.

________________________________

From: Richard Smith <rich at sectigo.com<mailto:rich at sectigo.com>>
Sent: Tuesday, December 3, 2019 6:26:07 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>; Cynthia Revström <me at cynthia.re<mailto:me at cynthia.re>>; Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Subject: RE: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4



When talking about JoILocality field I don’t think it has anything to do with whether or not the country offers registration at the state or provincial level.  I think the intent of the wording is solely to disambiguate.  JoILocality should not be populated in any case that the registration authority is not at the locality level, so whether or not registration may or may not be offered at the state or provincial level (or the country level for that matter) is irrelevant.  The intent of all JoI info is to capture at what level the registration of the certificate Subject ACTUALLY took place.  As Cynthia points out that is different from jurisdiction to jurisdiction and may be different depending upon entity type.



As Dmitris points out, the current wording seems to require JoIST to be populated if JoIL is populated.  That can only be an oversite/mistake because as we are all aware there are some countries which are simply not broken down into states or provinces, so to populate the field in such case you must basically make something up, most likely by repeating the locality name.  Bruce’s interpretation therefore is the only rational one and we should revise the EVG to make that clear.



Regards,

Rich



From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Dimitris Zacharopoulos (HARICA) via Servercert-wg
Sent: Tuesday, December 3, 2019 2:29 AM
To: Cynthia Revström <me at cynthia.re<mailto:me at cynthia.re>>; Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4



CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.



Hi Cynthia,

I think your comment is not so much related to the issue at hand. The language for JoI-Locality is the one that needs to be clarified. We are very clear about the other cases.

My original interpretation was that no matter what, if an organization is registered at the locality level, the subjectDN MUST always include subject:jurisdictionLocalityName AND subject:jurisdictionStateOrProvinceName AND the subject:jurisdictionCountryName. After reading it more carefully I came to the conclusion that there is a different interpretation which was confirmed by Jeremy.

Now, all we need to do is confirm that this was the original intent and if so, we may be able to improve this part of the EVG to make it more clear that it is allowed to include subject:jurisdictionLocalityName without a subject:jurisdictionStateOrProvinceName entry, for the case where the Country doesn't offer registration at the State or Province level.

Is there anyone that objects to this interpretation?


Thank you,
Dimitris.

On 2019-12-02 7:58 μ.μ., Cynthia Revström wrote:

Hello,

My interpretation would be that for example if we take Apple as an example, it would be jC=US, jST=California but no locality.

I understand that this will get very complicated, as for example, in Sweden, limited companies are at a national level while for example sole proprietorships are at a county level.

- Cynthia



On Mon, Dec 2, 2019 at 6:50 PM Jeremy Rowley via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:

I disagree as that's not what the language says. It says to include the state field if the state regulates registration of the locality. I can't speak to Toronto and how it incorporates entities (if it does), but I think the answer depends heavily on the locality, the type of entity, and how registration occurs.

________________________________

From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> on behalf of Bruce Morton via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Sent: Monday, December 2, 2019 10:45:32 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] [EXTERNAL] Clarification about EVG 9.2.4



I guess I am saying that you must include the jurisdiction level where the organization was registered. If the organization was registered at the locality level, then the certificate must include jL and jC. If the country has no states or provinces, then jST must not be used. If the country has states or provinces, then jST must be used, where jST is the state/province for jL.



Let’s say that we have a company based in Toronto, Ontario, Canada; if it was registered in:

  1.  Canada, then the certificate must only have jC=CA
  2.  Ontario, then the certificate must only have jST=Ontario and jC=CA. It cannot have jL=Toronto as the company was not registered by a registrar at the locality level.
  3.  Toronto, then the certificate must have all 3, jL=Toronto, jST=Ontario and jC=CA. jST must be included to help identity where the locality is.



Bruce



From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>>
Sent: Monday, December 2, 2019 12:26 PM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com<mailto:Bruce.Morton at entrustdatacard.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [EXTERNAL][Servercert-wg] Clarification about EVG 9.2.4





On 2019-12-02 7:12 μ.μ., Bruce Morton wrote:

Hi Dimitris,



My interpretation is the following:



  1.  If the organization is registered at the country level, then the certificate must include the subject:jurisdictionCountryName.
  2.  If the organization is registered as the state/province level, then the certificate must include the subject:jurisdictionStateOrProvinceName and the subject:jurisdictionCountryName.
  3.  If the organization is registered at the locality level, then the certificate must include the subject:jurisdictionLocalityName and the subject:jurisdictionCountryName; and must include the subject:jurisdictionStateOrProvinceName, only if the locality is in a state/province.

Hi Bruce, thanks for your reply.

The first two are quite clear.

The following:
"and must include the subject:jurisdictionStateOrProvinceName, only if the locality is in a state/province"

is not so clear to me. Perhaps you could elaborate with a couple of theoretical examples? I seems that the StateOrProvince is mixed with Locality in your description but I might have misunderstood.


Dimitris.

  1.



Bruce.



From: Servercert-wg <servercert-wg-bounces at cabforum.org><mailto:servercert-wg-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Servercert-wg
Sent: Monday, December 2, 2019 12:02 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org><mailto:servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Clarification about EVG 9.2.4



WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

________________________________

Dear members,

I would like to ask for a clarification/interpretation about section 9.2.4 of the EV Guidelines and please forgive me if this has been discussed in the past.

9.2.4. Subject Jurisdiction of Incorporation or Registration Field

"Contents: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction."

Is it allowed to include a subject:jurisdictionLocalityName without providing a subject:jurisdictionStateOrProvinceName?

The requirement says "And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information."

In one interpretation, if there is no "state or province" that regulates the registration of entities but this registration is done at the locality level, then the subject:jurisdictionStateOrProvinceName can be omitted and only the subject:jurisdictionLocalityName is included along with the subject:jurisdictionCountryName. Is this an accurate and valid interpretation?


Thank you,
Dimitris.




_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
http://cabforum.org/mailman/listinfo/servercert-wg


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191203/528b1606/attachment-0001.html>


More information about the Servercert-wg mailing list