[Servercert-wg] FW: [cabfquest] BR 7.1.4.2.2.j Other Subject Attributes

Jeremy Rowley jeremy.rowley at digicert.com
Wed Feb 20 13:09:43 MST 2019


I think this is an incorrect response. I think this is the semi-official
interpretation of the requirement based on unofficial discussion, but the
language in the BRs pretty clearly says "All other fields and
extensions...". IMO, Iida's original interpretation is correct if anyone
considers just the language of the BRs.  The link cited by Dean doesn't
support the proposed interpretation. Instead, that discussion supports the
need to retain the section, even if that discussion does not apply to CN,
OU, etc.

Jeremy

-----Original Message-----
From: Questions <questions-bounces at cabforum.org> On Behalf Of Dean Coclin
Sent: Wednesday, February 20, 2019 11:35 AM
To: sts07065692175 at ezweb.ne.jp
Cc: questions at cabforum.org
Subject: Re: [cabfquest] BR 7.1.4.2.2.j Other Subject Attributes

Hello again,

The second sentence of 7.1.4.2.2(j) has previously been interpreted to apply
to all optional Subject attributes, including those listed in 7.1.4.2.2.
That means metadata such as "-" is not permitted in the OU field. Here is a
reference to those previous discussions:
https://cabforum.org/pipermail/public/2017-August/011849.html

Dean Coclin
for the CA/B Forum

-----Original Message-----
From: sts07065692175 at ezweb.ne.jp <sts07065692175 at ezweb.ne.jp>
Sent: Tuesday, February 19, 2019 9:30 PM
To: questions at cabforum.org
Cc: Dean Coclin <dean.coclin at digicert.com>
Subject: RE: [cabfquest] BR 7.1.4.2.2.j Other Subject Attributes

Thank you for your confirmation.

Is it possible that the value of OU of subject distinguished name in a BR
subscriber certificate is a single hyphen minus, provided that the value
satisfies conditions of 7.1.4.2.2.i?
--
  iida

>Hello,
>
>Thank you for contacting the CA/B Forum. You are correct. 7.1.4.2.2.j 
>applies to Subject attributes other than those listed in .a through .i, 
>and the Baseline Requirements permit CAs to include Subject attributes 
>that are not defined in 7.1.4.2.2 (Note that different rules apply to EV).
>
>Best regards,
>
>Dean Coclin
>for the CA/B Forum
>
>-----Original Message-----
>From: Questions <questions-bounces at cabforum.org> On Behalf Of 
>sts07065692175 at ezweb.ne.jp
>Sent: Friday, February 15, 2019 12:52 AM
>To: questions at cabforum.org
>Subject: [cabfquest] BR 7.1.4.2.2.j Other Subject Attributes
>
>Hello people.
>
>The title of subsection 7.1.4.2.2.j of BR is "Other Subject Attributes".
>
>I think the word "Other" means this article DOES NOT apply to attributes 
>listed from 7.1.4.2.2.a to 7.1.4.2.2.i, namely CN, O, givenName, 
>surname, streetAddress, L, ST, postalCode, C nor OU.
>
>Am I right?
>--
>  iida
