[cabf_validation] Revision to OU requirements

Richard Smith rich at sectigo.com
Mon Aug 24 09:28:11 MST 2020


Here's what the BR currently has regarding requirements for the OU field:
7.1.4.2.2
i. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11) Required/Optional: Optional.
Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.

9.6.1
3. Accuracy of Information: That, at the time of issuance, the CA (i) implemented a procedure for verifying the accuracy of all of the information contained in the Certificate (with the exception of the subject:organizationalUnitName attribute); (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement;
4. No Misleading Information: That, at the time of issuance, the CA (i) implemented a procedure for reducing the likelihood that the information contained in the Certificate's subject:organizationalUnitName attribute would be misleading; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement;

I propose to reword:
7.1.4.2.2
i. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11) Required/Optional: Optional.
Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains the following attributes, verified in accordance with section 3.2.2.1:

  1.  subject:organizationName, OR;
  2.  subject:givenName AND subject:surname

Because currently any cert that does not contain subject:organization AND subject:givenName AND subject:surname but does include an OU field is arguably non-compliant. That is certainly not the intent of the section, but the fact that it can be read that way needs to be fixed.

I also think we should remove the exception for OU from 9.6.1 (3) and strike 9.6.1 (4) completely. As has been discussed ad nauseam in other contexts, what does "misleading" actually mean? It's not auditable and provides no meaningful normative guidance. IMO we should implement ACTUAL verification requirements for the OU field in 3.2.2.1.

Regards,

Rich Smith
Sr. Compliance Manager

W: Sectigo.com<http://www.sectigo.com/>     E: rich at sectigo.com
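To make the two readings of 7.1.4.2.2 compared in the message concrete, here is a subject-DN lint written as an added example; it is not part of the post or of any CA/B Forum text. It parses an RFC 4514 DN string, and for any subject carrying an OU reports whether the companion attributes are present under the current text read literally (organizationName, givenName, surname, localityName and countryName all required) and under the proposed text (organizationName, or givenName together with surname). The sample DNs and the attribute short-name table are constructed for the example. Whether an OU value actually "refers to a specific natural person or Legal Entity" is a judgement the CA's process has to make; the code treats every OU as in scope and checks only the companion-attribute side.

```python
# Added example: companion-attribute lint for the OU rule in BR 7.1.4.2.2.
# Not the post's or any CA/B Forum code; DN samples and alias table are
# constructed for illustration.
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4514 short names, common OpenSSL aliases (GN, SN) and dotted OIDs mapped
# onto one canonical attribute name each. Assumption: illustrative, not complete.
_TYPE_ALIASES = {
    "CN": "commonName", "2.5.4.3": "commonName",
    "O": "organizationName", "2.5.4.10": "organizationName",
    "OU": "organizationalUnitName", "2.5.4.11": "organizationalUnitName",
    "L": "localityName", "2.5.4.7": "localityName",
    "ST": "stateOrProvinceName", "2.5.4.8": "stateOrProvinceName",
    "C": "countryName", "2.5.4.6": "countryName",
    "GN": "givenName", "GIVENNAME": "givenName", "2.5.4.42": "givenName",
    "SN": "surname", "SURNAME": "surname", "2.5.4.4": "surname",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into ordered (canonical_type, value) pairs.

    Handles backslash escapes (\\, \\2C hex pairs decoded as UTF-8 bytes) and
    '+' multi-valued RDNs; enough for certificate subjects, not a full LDAP parser.
    """
    pairs: List[Tuple[str, str]] = []
    buf = bytearray()
    i, n = 0, len(dn)
    while i <= n:
        ch = dn[i] if i < n else ","          # sentinel flushes the final RDN
        if ch == "\\" and i + 1 < n:
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(int(hexpair, 16))   # \XX is one raw byte of the value
                i += 3
            else:
                buf += dn[i + 1].encode("utf-8")  # \, \+ \" \\ \  and friends
                i += 2
            continue
        if ch in ",+":
            component = buf.decode("utf-8")
            buf = bytearray()
            if component:
                if "=" not in component:
                    raise ValueError(f"malformed RDN component: {component!r}")
                typ, value = component.split("=", 1)
                typ = typ.strip().upper()
                pairs.append((_TYPE_ALIASES.get(typ, typ), value))
            i += 1
            continue
        if ch == " " and not buf:
            i += 1                            # optional space after a separator
            continue
        buf += ch.encode("utf-8")
        i += 1
    return pairs


@dataclass(frozen=True)
class OuFinding:
    ou_values: Tuple[str, ...]
    ok_current_text: bool           # O AND givenName AND surname AND L AND C
    ok_proposed_text: bool          # O, OR (givenName AND surname)
    missing_for_proposed: Tuple[str, ...]


def lint_ou_companions(dn: str) -> Optional[OuFinding]:
    """Return None when the subject has no OU (the rule is not applicable)."""
    pairs = parse_dn(dn)
    present = {t for t, _ in pairs}
    ous = tuple(v for t, v in pairs if t == "organizationalUnitName")
    if not ous:
        return None
    has = lambda *names: all(name in present for name in names)
    ok_current = has("organizationName", "givenName", "surname",
                     "localityName", "countryName")
    ok_proposed = has("organizationName") or has("givenName", "surname")
    missing = () if ok_proposed else tuple(
        n for n in ("organizationName", "givenName", "surname") if n not in present)
    return OuFinding(ous, ok_current, ok_proposed, missing)


# Constructed subjects covering the shapes the message contrasts.
SAMPLE_SUBJECTS = {
    "ov-typical": "CN=www.example.com,OU=IT Department,O=Example Corp,L=Springfield,ST=Illinois,C=US",
    "iv-typical": "CN=jane.example.com,OU=Sales,GN=Jane,SN=Doe,L=Springfield,C=US",
    "escaped-ou": "CN=www.example.com,OU=Example Corp\\, Inc.,O=Example Corp,L=Springfield,C=US",
    "ou-only": "CN=www.example.com,OU=Acme Widgets",
    "no-ou": "CN=www.example.com,O=Example Corp,L=Springfield,C=US",
    "all-five": "CN=www.example.com,OU=Sales,O=Example Corp,GN=Jane,SN=Doe,L=Springfield,C=US",
}


def lint_all(subjects: Dict[str, str] = SAMPLE_SUBJECTS) -> Dict[str, Optional[OuFinding]]:
    return {name: lint_ou_companions(dn) for name, dn in subjects.items()}


if __name__ == "__main__":
    for name, finding in lint_all().items():
        print(f"{name:12s} {finding}")
```

Running it shows the point of the message: an ordinary OV subject (O, L, C plus an OU) fails the current text read literally because givenName and surname are absent, and an individual subject fails because organizationName is absent, while both pass the proposed wording; a subject with an OU and nothing else fails under either.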



