[cabf_validation] Draft Ballot SCXX: Improve OU validation requirements

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Mon Oct 19 01:39:37 MST 2020


As discussed on the CA/Browser Forum call last week, we would like to retain the OU field. Our enterprise customers have indicated (in a survey) that they rely on this field for identifying certificate owners in large organizations and governments.

With this (draft) ballot we try to align the `subject:organizationalUnitName` with the purpose as described by the ITU-T X.520 section 6.4.2 Organizational Unit Name.

A few explanations; this ballot:

  1.  introduces a requirement to verify the existence and affiliation of the unit with the Applicant
  2.  prevents misinterpretations by requiring self-reported values to be preceded or followed by a whitespace and the well-known words “department”, “division”, “unit” or ...
  3.  supports automation by linking to a directory system of the applicant and by allowing well-known pre-approved values such as “information technology”, “marketing” or “sales”.
  4.  supports manual validation using authoritative sources, organization charts or a public directory (e.g. https://www.gov.ie/en/help/departments/)
  5.  allows values or series as defined by a government, standard, or regulatory body
  6.  allows certificate tracking using numerals which can be preceded or followed by two alphabetical characters for easier identification.

Entrust provided a draft ballot redline [1] to improve the OU validation requirements. This is created as a Draft Pull Request to allow others to point out issues, and the current fixed commit version is [2], since [1] will be updated if/as feedback is received.

I'm curious to hear feedback on these proposed changes and am looking for potential endorsers for providing a ballot to the CA/Browser Forum's Server Certificate Working Group as a whole.

[1] https://github.com/cabforum/documents/pull/225
[2] https://github.com/cabforum/documents/pull/225/commits/33ac251f0105f4ebb55ac22ce0c198796da685c3

Thanks,

Paul van Brouwershaven
Entrust
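As an added illustration (not part of the post or of the draft ballot text), the acceptance categories listed in points 2, 3 and 6 above written as a small classifier for a candidate OU value. The keyword list is abbreviated the way the post abbreviates it, the pre-approved list and the reading of "two alphabetical characters" as an optional prefix or suffix are assumptions, and values verified against the applicant's directory (point 3) are supplied by the caller.

```python
import re

# Constructed lists: the post abbreviates the keyword list ("or ...") and
# names only three pre-approved values, so these are assumptions for
# illustration, not the ballot's actual lists.
UNIT_KEYWORDS = ("department", "division", "unit")
PRE_APPROVED = {"information technology", "marketing", "sales"}

# Point 6: numerals, optionally preceded or followed by two letters
# (assumed reading: the letter group is optional on either side).
TRACKING_RE = re.compile(r"^(?:[A-Za-z]{2})?[0-9]+(?:[A-Za-z]{2})?$")


def classify_ou(value, directory_units=frozenset()):
    """Return the category under which an OU value would be accepted,
    or None if it matches none of the encoded categories.

    directory_units: values already confirmed against the applicant's
    directory system (point 3); an empty set means no directory check.
    """
    # Collapse runs of whitespace so "Sales  Department" compares cleanly.
    v = " ".join(value.split())
    if not v:
        return None
    low = v.lower()

    # Point 3: well-known pre-approved values.
    if low in PRE_APPROVED:
        return "pre-approved"

    # Point 3: value verified via the applicant's directory.
    if v in directory_units:
        return "directory"

    # Point 6: numeric tracking identifier.
    if TRACKING_RE.match(v):
        return "tracking"

    # Point 2: self-reported value must start or end with a well-known
    # unit word separated by whitespace; a lone keyword is not enough.
    words = low.split()
    if len(words) >= 2 and (words[0] in UNIT_KEYWORDS or words[-1] in UNIT_KEYWORDS):
        return "self-reported"

    return None
```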

