[cabf_validation] Other Subject Attributes

Wayne Thayer wthayer at mozilla.com
Mon Feb 25 17:17:49 MST 2019 

Here is a pre-ballot incorporating feedback from Tim & Doug:

Ballot SC16: Other Subject Attributes

Purpose of Ballot:

This ballot intends to clarify requirements placed on Subject attributes in
Subscriber certificates  in BR section 7.1.4.2 and EVGL section 9.2.8.
Specifically, Subject fields must contain more than just metadata if they
are present in a certificate. OU field are permitted in EV certificates,
but no unspecified Subject attributes are permitted.


The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by Doug Beattie of GlobalSign and Tim Hollebeek of DigiCert.


-- MOTION BEGINS --

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based on Version
1.6.3:

* Capitalize the heading of Baseline Requirements section 7.1.4 Name Forms

* Add a second paragraph to Baseline Requirements section 7.1.4.2 as
follows:

Subject attributes MUST NOT contain metadata such as '.', '-', and ' '
(i.e. space) characters, and/or any other indication that the value is
absent, incomplete, or not applicable.

* Replace Baseline Requirements section 7.1.4.2.1(j.), in its entirety,
with the following text:

j. Other Subject Attributes

Other optional attributes MAY be present within the subject field. If
present, other optional attributes MUST contain information that has been
verified by the CA.

----

This ballot modifies the “Guidelines For The Issuance And Management Of
Extended Validation Certificates” as follows, based on Version 1.6.8:

* Replace EV Guidelines section 9.2.8, in its entirety, with the following
text:

9.2.8. Subject Organizational Unit Name Field

Certificate field: subject:organizationalUnitName (OID 2.5.4.11)

Required/Optional: Optional

Contents: The CA SHALL implement a process that prevents an OU attribute
from including a name, DBA, tradename, trademark, address, location, or
other text that refers to a specific natural person or Legal Entity unless
the CA has verified this information in accordance with Section 11.
Metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any
other indication that this field is empty, absent or incomplete, MUST NOT
be used.

* Add EV Guidelines section 9.2.9, with the following text:

9.2.9. Other Subject Attributes

CAs SHALL NOT include any Subject attributes except as specified in Section
9.2.


-- MOTION ENDS --


*** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE
OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):

A comparison of the changes can be found at:
https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: TBD UTC

End Time: TBD UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD

On Thu, Feb 21, 2019 at 3:10 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Hi Wayne,
>
>
>
> I’ll endorse.
>
>
>
> I think you should add “only” to this:
>
>    - Subject attributes MUST NOT contain only metadata…
>
>
>
> For “j,”, I think you should remove “optional” because, if they are
> outside of the designated list, by definition they are optional.  Suggest:
>
>
>
> Other attributes MAY be present within the subject field. If present,
> these attributes MUST contain information that has been verified by the CA.
>
>
>
> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Wayne
> Thayer via Validation
> *Sent:* Thursday, February 21, 2019 4:59 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* [cabf_validation] Other Subject Attributes
>
>
>
> We've recently had discussions about the meaning of EVGL section 9.2.8 in
> the context of adding Subject:organizationIdentifier for LEIs and the
> eIDAS/PSD2 identifier. There is also uncertainty if the OU field is
> currently permitted to be included in EV certificates. I drafted a change
> that would clarify this by explicitly permitting OU and forbidding any
> Subject attributes not defined in the EVGLs, but I had been holding off on
> proposing this because I didn't want to do something that would conflict
> with any proposal from ETSI on organizationIdentifier.
>
>
>
> Today there has been discussion on the Questions and Management lists
> about BR section 7.1.2.2.4(i) and (j). Those sections suffer from a similar
> problem.
>
>
>
> Here is a proposal to fix both issues:
> https://github.com/wthayer/documents/compare/master...wthayer:EV-Subject-Information
>
>
>
> The intent is:
>
> * Subject attributes other than those defined on the BRs are allowed in DV
> and OV certs, as long as the information is validated
>
> * Metadata is prohibited in any Subject field in any type of cert
>
> * For EV, OU is explicitly permitted, just like DV and OV
>
> * For EV, only Subject fields that are explicitly defined are permitted
>
>
>
> Any comments on this?
>
>
>
> Would anyone like to endorse?
>
>
>
> Do we need a future effective date for these changes? I believe they're
> already being enforced.
>
>
>
> Thanks,
>
>
>
> Wayne
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190225/1004a931/attachment.html>

More information about the Validation mailing list