[cabf_validation] Other Subject Attributes

Wayne Thayer wthayer at mozilla.com
Fri Feb 22 09:16:16 MST 2019


On Thu, Feb 21, 2019 at 5:41 PM Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Wayne – your ballot has this distinction between the BRs and the EVGL
> (this is the text as you would amend it):
>
> BR 7.1.4.2.2.j. Other Subject Attributes
>
> Other optional attributes MAY be present within the subject field.  If
> present, other optional attributes MUST contain information that has been
> verified by the CA.
>
> EVGL 9.2.9. Other Subject Attributes
>
> CAs SHALL NOT include any Subject attributes except as specified in
> Section 9.2.
>
> Why the difference?  Many of us think that the word “other” in EVGL 9.2.8
> today means that other subject attributes **are** permitted (the word
> “other” means other than 9.2.1 through 9.2.7), so long as they are verified
> (i.e., many of us believe that the current EVGL allows other subject
> attributes beyond 9.2.1 through 9.2.7).
>
EVGL 9.2.8 also says "CAs ... SHALL NOT include any Subject Organization
Information except as specified in Section 9.2." The point of this ballot
is to resolve this inconsistency.

> If we simply adopt your change to BR 7.1.4.2.2.j in BOTH the BRs AND the
> EVGL, that would be consistent with what (I believe) was originally
> intended in EVGL 9.2.8, and would clarify the matter completely.  Why
> should verified Subject DN in EV certs be more restricted than in DV and OV
> certs?
>
We discussed this in London. EV certificates promise to provide a high
level of assurance that the information about the Subject is reliable. They
back that promise with rigorous methods in which the information is
verified. If an attribute can be included in the Subject of an EV
certificate, the EVGLs must define how to validate it.

>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf Of
> *Wayne Thayer via Validation
> *Sent:* Thursday, February 21, 2019 1:59 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* [EXTERNAL][cabf_validation] Other Subject Attributes
>
> We've recently had discussions about the meaning of EVGL section 9.2.8 in
> the context of adding Subject:organizationIdentifier for LEIs and the
> eIDAS/PSD2 identifier. There is also uncertainty about whether the OU field
> is currently permitted to be included in EV certificates. I drafted a change
> that would clarify this by explicitly permitting OU and forbidding any
> Subject attributes not defined in the EVGLs, but I had been holding off on
> proposing this because I didn't want to do something that would conflict
> with any proposal from ETSI on organizationIdentifier.
>
> Today there has been discussion on the Questions and Management lists
> about BR section 7.1.2.2.4(i) and (j). Those sections suffer from a similar
> problem.
>
> Here is a proposal to fix both issues:
> https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information
>
> The intent is:
>
> * Subject attributes other than those defined in the BRs are allowed in DV
> and OV certs, as long as the information is validated
> * Metadata is prohibited in any Subject field in any type of cert
> * For EV, OU is explicitly permitted, just like DV and OV
> * For EV, only Subject fields that are explicitly defined are permitted
>
> Any comments on this?
>
> Would anyone like to endorse?
>
> Do we need a future effective date for these changes? I believe they're
> already being enforced.
>
> Thanks,
>
> Wayne