Would be happy to see a ballot clarifying this.
It would be an improvement if “not actually misissued, but treated as misissuance” became an ex-thing. If people want certain things to not happen, there needs to be a discussion culminating in a successful ballot that expresses clear rules about what is or isn’t allowed, because the devil is often in the details. Arbitrary prohibitions based on interpretations gleaned from unofficial discussions do more harm than good.

-Tim

From: Public <[email protected]> On Behalf Of Wayne Thayer via Public
Sent: Wednesday, February 20, 2019 8:52 PM
To: Geoff Keating <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Subject: Re: [cabfpub] [cabfquest] BR 7.1.4.2.2.j Other Subject Attributes

On Wed, Feb 20, 2019 at 3:26 PM Geoff Keating via Public <[email protected]> wrote:

> My response would be that the OU could be a single hyphen minus, but this does not mean ‘absent’ or ‘none provided’, it means the organization unit’s name is ‘-’. (Perhaps other units are called ‘•’, ‘▷’, and ‘◆’.)
>
> It’s definitely the case that 7.1.4.2.2j does not apply to 7.1.4.2.2i, this was intentional because we did not want to require CAs to verify the names of organization units.

I agree with you but I also think this contradicts a lot of the discussions that have happened over the past few years, such as the one Dean referenced. I also agree with Jeremy's statement that this is "the semi-official interpretation of the requirement based on unofficial discussion", but from a practical perspective, this has been treated as misissuance [1][2], so I think the conservative response I provided to Dean is appropriate.

This issue is related to the ambiguity in EVGL section 9.2.8, and if no one beats me to it, I will propose a ballot to clarify both of these sections.
- Wayne

[1] https://misissued.com/batch/5/
[2] https://bugzilla.mozilla.org/buglist.cgi?list_id=14577117&short_desc_type=allwordssubstr&short_desc=metadata&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&component=CA%20Certificate%20Compliance

> On Feb 19, 2019, at 6:30 PM, [email protected] wrote:
>
> Thank you for your confirmation.
>
> Is it possible that the value of OU of subject distinguished
> name in a BR subscriber certificate is a single hyphen minus,
> provided that the value satisfies conditions of 7.1.4.2.2.i?
> --
> iida
>
>> Hello,
>>
>> Thank you for contacting the CA/B Forum. You are correct. 7.1.4.2.2.j
>> applies to Subject attributes other than those listed in .a through .i, and
>> the Baseline Requirements permit CAs to include Subject attributes that are
>> not defined in 7.1.4.2.2 (Note that different rules apply to EV).

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
