[cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495

Jeremy Rowley jeremy.rowley at digicert.com
Mon Nov 19 23:17:21 MST 2018


Why do we forbid other subject attributes? I’ve never really been sure why we prohibit additional fields, so why not permit other subjects if they are covered by an RFC?

From: Validation <validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: Monday, November 19, 2018 2:35 PM
To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495

On Thu, Nov 15, 2018 at 2:00 PM Wayne Thayer <wthayer at mozilla.com> wrote:


I would propose that the best solution to the OU issue is a ballot that clarifies section 9.2.8’s language forbidding subject fields other than those listed in section 9.2. If there is consensus, that ballot could also explicitly add organizationUnit to section 9.2. My opinion is that we should tightly control what information is included in the subject of EV certificates, but OU fields - if validated and not misleading - are okay.

Here's a simple proposal for clarifying section 9.2.8 and explicitly permitting OU: https://github.com/wthayer/documents/commit/d0b3da38b3a7d950f48661dce5a9f0a0d90b50ae

Comments appreciated.

Defining a new extension provides a clear path forward for ETSI without any CAB Forum dependencies. It also allows the information to be properly structured as Ryan described. I would encourage ETSI to adopt this approach and to get busy updating 119 495. If ETSI representatives want to continue to pursue the use of the organizationIdentifier attribute, I would like to request a detailed explanation of why the "new extension" alternative is inferior and unworkable.

Four days have gone by without any response to my request for more information about this **urgent** issue.

- Wayne
