On Wed, Feb 20, 2019 at 3:26 PM Geoff Keating via Public <public@cabforum.org> wrote:

> My response would be that the OU could be a single hyphen minus, but this
> does not mean ‘absent’ or ’none provided’, it means the organization unit’s
> name is ‘-’. (Perhaps other units are called ‘•’, ‘▷’, and ‘◆’.)
>
> It’s definitely the case that 7.1.4.2.2j does not apply to 7.1.4.2.2i,
> this was intentional because we did not want to require CAs to verify the
> names of organization units.
>

I agree with you but I also think this contradicts a lot of the discussions that have happened over the past few years, such as the one Dean referenced. I also agree with Jeremy's statement that this is "the semi-official interpretation of the requirement based on unofficial discussion", but from a practical perspective, this has been treated as misissuance [1][2], so I think the conservative response I provided to Dean is appropriate.

This issue is related to the ambiguity in EVGL section 9.2.8, and if no one beats me to it, I will propose a ballot to clarify both of these sections.

- Wayne

[1] https://misissued.com/batch/5/
[2] https://bugzilla.mozilla.org/buglist.cgi?list_id=14577117&short_desc_type=allwordssubstr&short_desc=metadata&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&component=CA%20Certificate%20Compliance

> > On Feb 19, 2019, at 6:30 PM, sts07065692...@ezweb.ne.jp wrote:
> >
> > Thank you for your confirmation.
> >
> > Is it possible that the value of OU of subject distinguished
> > name in a BR subscriber certificate is a single hyphen minus,
> > provided that the value satisfies conditions of 7.1.4.2.2.i?
> > --
> > iida
> >
> >> Hello,
> >>
> >> Thank you for contacting the CA/B Forum. You are correct. 7.1.4.2.2.j
> >> applies to Subject attributes other than those listed in .a through .i, and
> >> the Baseline Requirements permit CAs to include Subject attributes that are
> >> not defined in 7.1.4.2.2 (Note that different rules apply to EV).
>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>