Section 9.2.1 of the EVGLs is stricter, only permitting abbreviations. If this were an EV cert I would argue that it was misissued.
On Mon, Apr 23, 2018 at 12:13 PM, Ryan Sleevi via dev-security-policy <[email protected]> wrote:
> On Mon, Apr 23, 2018 at 1:11 PM, Henri Sivonen via dev-security-policy <[email protected]> wrote:
>
> > First, it seems to me that the Baseline Requirements allow transformations of the organization's name only if the CA documents such transformations. I am unable to find such documentation in DigiCert's CP and CPS documents. Am I missing something?
>
> At present, these are not required to be in the public documentation. Merely, the requirement is that the CA "documents" - i.e. it is presently acceptable to only include this documentation in information provided to the auditors.
>
> > Second, while verifying that the applicant indeed represents a specific real organization is a difficult problem, in the case where the country that the certificate designates operates an online-queryable database of registered businesses, associations, etc., it should be entirely feasible to eliminate the failure mode where the certificate's organization field is (absent documented transformations permitted under the Baseline Requirements) not canonically equivalent (in the Unicode sense) to the name of any organization registered in the country that the certificate designates. That (inferring from the certificate for www.alandsbanken.fi) there isn't a technical process that would by necessity remove diacritical marks from the organization field and that the certificate for www.saastopankki.fi has them removed is strongly suggestive that DigiCert's process for validating Finland-based organizations does not include as a mandatory part either the retrieval of the organization's name via an online API to the business registry or a human CA representative copying and pasting the organization's name from a browser view to the business registry.
>
> The Baseline Requirements do not dictate the datasource used in various jurisdictions. Thus even when there is a canonical source through legislation, the BRs do not require its use.
>
> > I wonder: When a given country has an online-queryable business registry, why isn't it either recommended or required to import names digitally from the business registry into certificates? Such practice would eliminate the failure mode of the certificate designating a name that doesn't match any entry in the business registry for such country. (Obviously, if it was _required_, the BRs would need to include a list of countries whose business registry is considered online-queryable in the sense that the requirement would apply, but unwillingness to maintain such a list does not explain why it isn't even recommended.)
>
> "Recommended" is pointless. Required is the only thing that makes sense, and the complexities and overhead involved precisely explain why it isn't required.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
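As an added illustration of the Unicode check discussed in the quoted message (this is example code written for this page, not code from the thread participants, DigiCert, or any business registry), the following Python compares a certificate's organization (O) field against registry names under NFC canonical equivalence and separately recognises the failure mode where the two match only once diacritics are dropped. The registry list, the organization names and the `CERT_O_NFD` sample are constructed values, not real registry entries; a real check would replace `REGISTRY_NAMES` with the result of a registry lookup.

```python
import unicodedata

# Constructed sample of what a business-registry lookup might return for a
# country whose registry is online-queryable. These are not real organizations.
REGISTRY_NAMES = [
    "Esimerkkipankki Oyj",
    "Säästöyhtiö Oy",
]

# The same constructed name as an NFD (decomposed) string: base letters
# followed by U+0308 COMBINING DIAERESIS. It renders identically to the NFC
# form but is a different sequence of code points.
CERT_O_NFD = "Sa\u0308a\u0308sto\u0308yhtio\u0308 Oy"


def canonically_equivalent(a: str, b: str) -> bool:
    """True if a and b are canonically equivalent in the Unicode sense:
    identical after normalization to NFC, so precomposed and decomposed
    spellings of the same letters compare equal."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def strip_diacritics(s: str) -> str:
    """Remove combining marks after NFD decomposition, so 'Ä' becomes 'A'.

    Letters that have no canonical decomposition (e.g. 'Ø' or 'ß') are left
    unchanged; this helper only models the specific failure mode of
    diacritical marks having been dropped from an organization name."""
    decomposed = unicodedata.normalize("NFD", s)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify_org_name(cert_o: str, registry_names) -> str:
    """Classify a certificate's O field against a list of registry names.

    Returns:
      "exact"               - canonically equivalent to a registered name
      "diacritics-stripped" - equal to a registered name only after
                              diacritics are removed from both sides
      "no-match"            - equal to nothing in the registry
    """
    for name in registry_names:
        if canonically_equivalent(cert_o, name):
            return "exact"
    folded = strip_diacritics(cert_o)
    for name in registry_names:
        if strip_diacritics(name) == folded:
            return "diacritics-stripped"
    return "no-match"


if __name__ == "__main__":
    # Constructed O-field values: NFC spelling, NFD spelling of the same
    # name, the diacritic-stripped spelling, and an unregistered name.
    for o in ("Säästöyhtiö Oy", CERT_O_NFD, "Saastoyhtio Oy", "Muu Yhtiö Oy"):
        print(f"{o!r:40} -> {classify_org_name(o, REGISTRY_NAMES)}")
```

The point of the two-stage comparison is that an NFC/NFD difference is not a mismatch at all (the names are canonically equivalent), whereas a match that appears only after `strip_diacritics` is exactly the undocumented transformation the thread is asking about and should be surfaced as a finding rather than silently accepted.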

