[cabf_validation] Proposed ballot - EV State Optional

Jeremy Rowley jeremy.rowley at digicert.com
Thu Dec 15 12:13:12 MST 2016 

I agree with this. I don't like the idea of the CAB Forum maintaining long
lists of information because of the maintenance burden it adds.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Bruce
Morton via Validation
Sent: Thursday, December 15, 2016 11:54 AM
To: Tim Hollebeek <THollebeek at trustwave.com>; Kirk Hall
<Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List
<validation at cabforum.org>
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: Re: [cabf_validation] Proposed ballot - EV State Optional

 

My concern with the list is that it will take some time to evaluate and come
to agreement on 249 countries. Once that is completed, then we will have to
maintain the list forever.

 

I think that the CAs have been verifying Place of Business appropriately,
but the guidelines are just poorly worded. The result is we do not know how
to handle countries with no states and countries that have states, but do
not use them as part of the address. This also means that the auditor can
state that we have problems when we either do not include the state field or
falsely put information in the state field. 

 

I would prefer that we just change the wording to as Tim put it, "if it's in
the address, it's required." If moving forward, we see a vulnerability with
this method, then let's at that time to consider the other method.

 

Thanks, Bruce.

 

From: Tim Hollebeek [mailto:THollebeek at trustwave.com] 
Sent: Thursday, December 15, 2016 1:41 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com
<mailto:Kirk.Hall at entrustdatacard.com> >; CA/Browser Forum Validation WG
List <validation at cabforum.org <mailto:validation at cabforum.org> >; Bruce
Morton <Bruce.Morton at entrustdatacard.com
<mailto:Bruce.Morton at entrustdatacard.com> >
Subject: RE: Proposed ballot - EV State Optional

 

Yes I like that even better as we can all debate the merits of each case and
agree on the correct handling so there is absolutely no ambiguity.  Each
country does tend to have subtle differences when we've previously discussed
this on the policy calls.

 

But people don't seem to want to do that, and if they still don't, I think
"if it's in the address, it's required" is a reasonable low effort solution
to move forward.

 

From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com] 
Sent: Thursday, December 15, 2016 1:35 PM
To: CA/Browser Forum Validation WG List; Bruce Morton
Cc: Tim Hollebeek
Subject: RE: Proposed ballot - EV State Optional

 

Another possibility is to leave state or province as required, but then add:

 

"State or province is not required for the countries listed on Appendix X"

 

Then we add places (Taiwan, Monaco, Vatican City, Germany, United Kingdom)
as people bring them forward.  We could include an initial list with this
ballot to avoid having to prepare another ballot to add places.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim
Hollebeek via Validation
Sent: Thursday, December 15, 2016 10:26 AM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com
<mailto:Bruce.Morton at entrustdatacard.com> >; CA/Browser Forum Validation WG
List <validation at cabforum.org <mailto:validation at cabforum.org> >
Cc: Tim Hollebeek <THollebeek at trustwave.com
<mailto:THollebeek at trustwave.com> >
Subject: Re: [cabf_validation] Proposed ballot - EV State Optional

 

Yes, I like something along those lines.

 

From: Bruce Morton [mailto:Bruce.Morton at entrustdatacard.com] 
Sent: Thursday, December 15, 2016 1:25 PM
To: Tim Hollebeek; CA/Browser Forum Validation WG List
Subject: RE: Proposed ballot - EV State Optional

 

How about this?

 

Required/Optional: 

City and country - Required; 

State - Required, if verified per Section 11.4.1 as part of the address for
the Place of Business;

Street and postal code - Optional

 

If there is no state or the state is not used as part of the address, then
it is not required.

 

Bruce.

 

From: Tim Hollebeek [mailto:THollebeek at trustwave.com] 
Sent: Thursday, December 15, 2016 10:19 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org
<mailto:validation at cabforum.org> >
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com
<mailto:Bruce.Morton at entrustdatacard.com> >
Subject: RE: Proposed ballot - EV State Optional

 

But City + Country is not unique in many common, important cases
("Springfield, United States"), and the state is also important since state
laws tend to vary quite a bit in the US . I think something more in the
spirit of the current BRs that does a better job of tightening up what
"where applicable" means would be better.

 

I don't want to lose the requirement that US EV certificates MUST include
the state.

 

-Tim

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Bruce
Morton via Validation
Sent: Thursday, December 15, 2016 9:28 AM
To: CA/Browser Forum Validation WG List
Cc: Bruce Morton
Subject: [cabf_validation] Proposed ballot - EV State Optional

 

Here is a proposed ballot per my action.

Thanks, Bruce.

Background: 

There is confusion on whether the state or province OID MUST be included in
an EV certificate. EV section 9.2.7 states in one place "State or province
(where applicable)" and also "City, state and country - Required."

Since many countries do not have states or provinces and some that do have
states or provinces do not use them for their address, it is proposed that
inclusion of the state or province OID should be optional.

-- MOTION BEGINS -- 

Current section 9.2.7 of EV Guidelines:

Required/Optional: City, state, and country - Required; Street and postal
code - Optional

Proposed section 9.2.7 of EV Guidelines: 

Required/Optional: City and country - Required; Street, state and postal
code - Optional

-- MOTION ENDS -- 

The review period for this ballot shall commence at 2200 UTC on XX, and will
close at 2200 UTC on XX. Unless the motion is withdrawn during the review
period, the voting period will start immediately thereafter and will close
at 2200 UTC on XX. Votes must be cast by posting an on-list reply to this
thread. 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here:
<https://scanmail.trustwave.com/?c=4062&d=4uLS2LctdUselJfNN_qKqhlUiQGKRBR1Rn
DgtqpA8A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmembers%2f>
https://cabforum.org/members/ 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining. 

 

 

 

  _____  


This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is strictly prohibited. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.

 

  _____  


This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is strictly prohibited. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.

 

  _____  


This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is strictly prohibited. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20161215/df23a435/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20161215/df23a435/attachment-0001.bin>

More information about the Validation mailing list