Transforming a trade name into ASCII in the O field of an OV cert

2018-04-15 Thread Henri Sivonen via dev-security-policy
(Mozilla hat off.)

After reading about the California versus Delaware thing when it comes
to the certificate for stripe.com, out of curiosity, I took a fresh
look at the ISO 3166-1 code in the EV certificates of some of the
banks that operate in Finland. (Result: https://www.nordea.fi/ is SE,
https://www.handelsbanken.fi/ is SE but https://danskebank.fi/ is FI
and not DK.)

While at it, I noticed that the certificate for
https://www.saastopankki.fi/ is an OV cert whose O field says
"Saastopankkiliitto osk". However, according to
https://tietopalvelu.ytj.fi/yritystiedot.aspx?yavain=25460&tarkiste=F663C7B776290379F1DAB6A4E251EE3FA727742A
, the trade name of the entity is "Säästöpankkiliitto osk". It also
has parallel trade names "Sparbanksförbundet anl" (Swedish translation
of the primary name) and "Savings Banks' Union Coop" (English
translation of the primary name) and auxiliary trade names
"Säästöpankkikeskus" and "Sparbankscentralen". But no
"Saastopankkiliitto osk".

While I don't think there is any risk of confusion in this particular
case[1], I'm wondering: What in the Baseline Requirements authorizes
DigiCert to omit the diaereses from the trade name?

The Baseline Requirements have this to say: "If present, the
subject:organizationName field MUST contain either the Subject’s name
or DBA as verified under Section 3.2.2.2. The CA may include
information in this field that differs slightly from the verified
name, such as common variations or abbreviations, provided that the CA
documents the difference and any abbreviations used are locally
accepted abbreviations; e.g., if the official record shows “Company
Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company
Name”."

The variation covered by the example would have authorized the use of
the abbreviation "osk" had the registered name contained "osuuskunta"
(but it contained "osk" to begin with) or to drop "osk".

Is it documented anywhere what transformations other than ones that
are analogous to transforming "Incorporated" to "Inc." (or dropping
it) are acceptable as differing "slightly"? In the Finnish language, ä
and ö are considered to be distinct letters from a and o (so distinct
that they sort to the end of the alphabet), so from that perspective,
one could argue that the transformation is not "slight" for trade
names themselves even though it is customary for transforming trade
names into domain names[1].

Clearly, this isn't a matter of technical limitation, because DigiCert
was able to put "Ålandsbanken Abp" in the O field of the cert for
https://www.alandsbanken.fi/ .

[1] https://www.saastopankki.fi/ is the primary address to which
http://säästöpankki.fi/ (but not https!) redirects. Web site operators
in Finland generally prefer interoperability with non-IDN-capable
usage over correct spelling.

-- 
Henri Sivonen
hsivo...@hsivonen.fi
https://hsivonen.fi/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
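
The check a CA linter or an auditor would want for the question raised above, as an added example that is not code from the post, from DigiCert or from any CA: it labels how an O-field value differs from the name verified against the register (exact, a locally accepted abbreviation, a dropped legal-form suffix as in the BR example, or diacritics stripped as in the Saastopankkiliitto case), and it reports whether the value fits the PrintableString alphabet at all, since anything outside it simply has to be encoded as UTF8String. The names are the ones quoted in the post; the abbreviation table is an assumed stand-in for a CA's documented list.

```python
# Added example (not code from the post or from any CA): classify how a
# certificate's subject:organizationName differs from the name verified
# against the business register, and check whether the value even fits in
# a PrintableString.  Names are those quoted in the post; ABBREVIATIONS is an
# assumed stand-in for a CA's documented list of accepted abbreviations.
import unicodedata

# PrintableString alphabet (ITU-T X.680 / RFC 5280).  A value containing any
# other character must be encoded as UTF8String, so ASCII folding is never
# forced by the certificate format itself.
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

# Assumed "locally accepted abbreviations", keyed by lower-cased word.
ABBREVIATIONS = {
    "incorporated": "inc.",
    "osuuskunta": "osk",
}


def needs_utf8string(value: str) -> bool:
    """True if the value cannot be carried in a PrintableString."""
    return any(ch not in PRINTABLE for ch in value)


def strip_diacritics(value: str) -> str:
    """ASCII-fold by NFD-decomposing and dropping combining marks (Mn)."""
    return "".join(
        ch for ch in unicodedata.normalize("NFD", value)
        if unicodedata.category(ch) != "Mn"
    )


def _normalise_words(name: str) -> list:
    # Lower-case each word and replace known long forms by their abbreviation.
    return [ABBREVIATIONS.get(w.lower(), w.lower()) for w in name.split()]


def classify(verified_name: str, o_field: str) -> str:
    """Label the O-field value relative to the verified registered name.

    'exact'                identical
    'abbreviation'         differs only in case or in accepted abbreviations
    'suffix-dropped'       trailing legal-form word omitted ("Company Name")
    'diacritics-stripped'  same letters with diacritics removed (the case in
                           the post; not covered by the BR example)
    'mismatch'             anything else
    """
    if verified_name == o_field:
        return "exact"
    v = _normalise_words(verified_name)
    o = _normalise_words(o_field)
    if v == o:
        return "abbreviation"
    if o == v[:-1] and v[-1] in ABBREVIATIONS.values():
        return "suffix-dropped"
    if [strip_diacritics(w) for w in v] == [strip_diacritics(w) for w in o]:
        return "diacritics-stripped"
    return "mismatch"


if __name__ == "__main__":
    # Constructed pairs: registered name vs. what the post reports in the cert.
    for verified, o in [
        ("Säästöpankkiliitto osk", "Saastopankkiliitto osk"),
        ("Ålandsbanken Abp", "Ålandsbanken Abp"),
        ("Company Name Incorporated", "Company Name Inc."),
        ("Company Name Incorporated", "Company Name"),
    ]:
        print(f"{o!r:32} {classify(verified, o):20} utf8={needs_utf8string(o)}")
```

The "diacritics-stripped" label is deliberately separate from "abbreviation": the BR text only blesses abbreviations and dropped suffixes, so a linter should surface folded names for a human decision rather than silently accept them.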


Re: Transforming a trade name into ASCII in the O field of an OV cert

2018-04-15 Thread Ryan Sleevi via dev-security-policy
On Sun, Apr 15, 2018 at 9:13 AM Henri Sivonen via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> (Mozilla hat off.)
>
> After reading about the California versus Delaware thing when it comes
> to the certificate for stripe.com, out of curiosity, I took a fresh
> look at the ISO 3166-1 code in the EV certificates of some of the
> banks that operate in Finland. (Result: https://www.nordea.fi/ is SE,
> https://www.handelsbanken.fi/ is SE but https://danskebank.fi/ is FI
> and not DK.)
>
> While at it, I noticed that the certificate for
> https://www.saastopankki.fi/ is an OV cert whose O field says
> "Saastopankkiliitto osk". However, according to
>
> https://tietopalvelu.ytj.fi/yritystiedot.aspx?yavain=25460&tarkiste=F663C7B776290379F1DAB6A4E251EE3FA727742A
> , the trade name of the entity is "Säästöpankkiliitto osk". It also
> has parallel trade names "Sparbanksförbundet anl" (Swedish translation
> of the primary name) and "Savings Banks' Union Coop" (English
> translation of the primary name) and auxiliary trade names
> "Säästöpankkikeskus" and "Sparbankscentralen". But no
> "Saastopankkiliitto osk".
>
> While I don't think there is any risk of confusion in this particular
> case[1], I'm wondering: What in the Baseline Requirements authorizes
> DigiCert to omit the diaereses from the trade name?
>
> The Baseline Requirements have this to say: "If present, the
> subject:organizationName field MUST contain either the Subject’s name
> or DBA as verified under Section 3.2.2.2. The CA may include
> information in this field that differs slightly from the verified
> name, such as common variations or abbreviations, provided that the CA
> documents the difference and any abbreviations used are locally
> accepted abbreviations; e.g., if the official record shows “Company
> Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company
> Name”."
>
> The variation covered by the example would have authorized the use of
> the abbreviation "osk" had the registered name contained "osuuskunta"
> (but it contained "osk" to begin with) or to drop "osk".
>
> Is it documented anywhere what transformations other than ones that
> are analogous to transforming "Incorporated" to "Inc." (or dropping
> it) are acceptable as differing "slightly"?


No. It is presently up to the CA and the Auditor, if the Auditor happens to
examine that certificate. Otherwise it’s left up to the RA and their
ability to follow the CA’s policies - presuming they have them documented,
and not just a blanket waiver like you cited.

> In the Finnish language, ä
> and ö are considered to be distinct letters from a and o (so distinct
> that they sort to the end of the alphabet), so from that perspective,
> one could argue that the transformation is not "slight" for trade
> names themselves even though it is customary for transforming trade
> names into domain names[1].
>
> Clearly, this isn't a matter of technical limitation, because DigiCert
> was able to put "Ålandsbanken Abp" in the O field of the cert for
> https://www.alandsbanken.fi/ .
>
> [1] https://www.saastopankki.fi/ is the primary address to which
> http://säästöpankki.fi/ (but not https!) redirects. Web site operators
> in Finland generally prefer interoperability with non-IDN-capable
> usage over correct spelling.
>
> --
> Henri Sivonen
> hsivo...@hsivonen.fi
> https://hsivonen.fi/