There has been a lot of discussion about what should go in the subject of 
server authentication (“website”) certificates issued by CAs that are part of 
the WebPKI.  I think much of the discussion is because of confusion due to the 
many different ways to identify a single organization.

First, you can identify a physical location for an office (any office) of the 
organization.  Second, you can identify an address for postal mail delivery 
(using the primary/official postal service in the country) to the organization. 
Third, you can identify the jurisdiction of incorporation of the entity.

For example, there is a building with a sign on the top that says “Amazon Web 
Services” and a similar sign in the lobby.  It has the address:

12900 WORLDGATE DR
HERNDON VA 20170-6039
UNITED STATES

The website for Amazon Web Services has the following mailing address:

PO BOX 81226
SEATTLE WA 98108-1300
UNITED STATES

And AMAZON WEB SERVICES, INC. is a Corporation registered with the state of 
Delaware in the United States (based on the online system provided by the 
Delaware Division of Corporations).

I believe that organizations in other countries are similar.  For example, 
Cathay United Bank has a location at 屏東市中正路125號 with postal code 900 in Taiwan. 
This can also be written as No.125, Zhong Zheng Road, Ping Tung City, Ping 
Tung County 900, Taiwan.

The registration for the domain cathaybk.com.tw gives an address of 
台北市內湖區瑞光路510號2樓(高祖謙) which is 2Fl , No.510 , Rueiguang Rd. Taipei Taiwan.

I’m sure a QGIS will provide yet another address for Cathay United Bank.

How does this relate to certificates?

Certificate subjects are made up of attributes; each attribute has a type and a 
value.  Types are things like “countryName”, “locality”, or “telephoneNumber”.  
While some standards and PKIs define a relationship between the attributes (for 
example making up entries in a tree), the BRs do not assign any such 
relationship at the attribute level.  Instead the attributes in the Subject are 
taken as an unordered set of data elements.  The BRs require that, for non-EV 
certificates, the attributes represent a place of business (“address of 
existence or operation”) of the organization named in the subject.

In the United States, Taiwan, Nauru, Bermuda, and every other country I’ve seen, 
there is at least one postal address element after the street address that is 
not the postal code.  This takes on different names in different countries 
(state, province, territory, district, city, etc.).  In the addresses above, 
these include “Herndon VA”, “Seattle WA”, “Ping Tung City, Ping Tung County”, 
and “Taipei”.  In three countries (the Holy See, Monaco, and Singapore), the 
country name is included for domestic mail as they do not have subordinate city 
names.  Everywhere else there is at least one district element.

The requirement in the BRs is to include these address elements in the 
certificate subject.  Put another way, from the subject of the certificate, one 
should be able to identify a city, town, or village that contains an office of 
the named organization.

There has been some confusion about how to handle organizations that are 
registered at a state, provincial, or national level.  Do these need to include 
a city, town or village name?  The answer is yes, as the information in the 
subject is to identify the place of business, not just the registration location.  
In fact, in the Amazon Web Services example above, it might not even be 
acceptable to include Delaware, as I don’t think AWS has an office in Delaware.
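To make the reading above concrete, here is an added example (not from the post or from any CA/Browser Forum tooling) that parses an RFC 4514 subject string into the unordered attribute set the BRs describe and then checks whether a city, town, or village can be identified from it. The three-country exception and the sample subjects are taken from the post; treating "no localityName" as the failure condition is my encoding of the post's argument, not a quotation of BR text.

```python
import re

# Subject attribute types in their RFC 4514 short-name form.
COUNTRY, STATE, LOCALITY, ORG = "C", "ST", "L", "O"

# Countries the post names as having no subordinate city names for domestic
# mail, so a subject there cannot be expected to carry a locality.
NO_SUBORDINATE_CITY = {"VA", "MC", "SG"}  # Holy See, Monaco, Singapore


def parse_subject(dn: str) -> dict:
    """Parse an RFC 4514 string DN into {type: [values]}.

    Splits on unescaped ',' (RDN separator) and '+' (multi-valued RDN) and
    removes backslash escapes from values. Order is deliberately discarded:
    the BRs treat the subject as an unordered set of attributes.
    Hex-encoded (#...) values are not handled; this is illustrative only.
    """
    attrs = {}
    for ava in re.split(r"(?<!\\)[,+]", dn):
        if not ava.strip():
            continue
        typ, _, val = ava.partition("=")
        val = re.sub(r"\\(.)", r"\1", val.strip())  # \, \+ \= -> , + =
        attrs.setdefault(typ.strip().upper(), []).append(val)
    return attrs


def check_place_of_business(attrs: dict) -> list:
    """Return findings if the subject does not let one identify a city,
    town, or village containing an office of the named organization."""
    findings = []
    if ORG not in attrs:
        return findings  # no organization named, nothing to locate
    countries = attrs.get(COUNTRY, [])
    if len(countries) != 1:
        return ["subject must carry exactly one countryName"]
    if countries[0].upper() in NO_SUBORDINATE_CITY:
        return findings  # country name alone is the domestic address
    if LOCALITY not in attrs:
        findings.append("no localityName: cannot identify a city/town/village")
    return findings


# Constructed sample subjects based on the addresses quoted in the post.
AWS_HERNDON = r"C=US, ST=Virginia, L=Herndon, O=Amazon Web Services\, Inc."
CATHAY_TAIPEI = r"C=TW, L=Taipei, O=Cathay United Bank"
MONACO_ONLY = r"C=MC, O=Example Monaco SARL"           # hypothetical org
REGISTRATION_ONLY = r"C=US, ST=Delaware, O=Amazon Web Services\, Inc."
```

The last sample is the case the post warns about: a registration jurisdiction with no city, which the check flags even though it is a perfectly well-formed subject.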

I hope that this helps clarify the BR requirements and intent, at least as I 
see it.

Thanks,
Peter
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public