(Mozilla hat off.) After reading about the California versus Delaware thing when it comes to the certificate for stripe.com, out of curiosity, I took a fresh look at the ISO 3166-1 code in the EV certificates of some of the banks that operate in Finland. (Result: https://www.nordea.fi/ is SE, https://www.handelsbanken.fi/ is SE but https://danskebank.fi/ is FI and not DK.)
While at it, I noticed that the certificate for https://www.saastopankki.fi/ is an OV cert whose O field says "Saastopankkiliitto osk". However, according to https://tietopalvelu.ytj.fi/yritystiedot.aspx?yavain=25460&tarkiste=F663C7B776290379F1DAB6A4E251EE3FA727742A , the trade name of the entity is "Säästöpankkiliitto osk". It also has parallel trade names "Sparbanksförbundet anl" (Swedish translation of the primary name) and "Savings Banks' Union Coop" (English translation of the primary name) and auxiliary trade names "Säästöpankkikeskus" and "Sparbankscentralen". But no "Saastopankkiliitto osk".

While I don't think there is any risk of confusion in this particular case[1], I'm wondering: What in the Baseline Requirements authorizes DigiCert to omit the diaereses from the trade name?

The Baseline Requirements have this to say:

"If present, the subject:organizationName field MUST contain either the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”."

The variation covered by the example would have authorized the use of the abbreviation "osk" had the registered name contained "osuuskunta" (but it contained "osk" to begin with) or to drop "osk".

Is it documented anywhere what transformations other than ones that are analogous to transforming "Incorporated" to "Inc." (or dropping it) are acceptable as differing "slightly"?

In the Finnish language, ä and ö are considered to be distinct letters from a and o (so distinct that they sort to the end of the alphabet), so from that perspective, one could argue that the transformation is not "slight" for trade names themselves even though it is customary for transforming trade names into domain names[1].

Clearly, this isn't a matter of technical limitation, because DigiCert was able to put "Ålandsbanken Abp" in the O field of the cert for https://www.alandsbanken.fi/ .

[1] https://www.saastopankki.fi/ is the primary address to which http://säästöpankki.fi/ (but not https!) redirects. Web site operators in Finland generally prefer interoperability with non-IDN-capable usage over correct spelling.

--
Henri Sivonen
hsivo...@hsivonen.fi
https://hsivonen.fi/
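
An added example, not part of the original message: one way a CA or auditor could classify how a certificate's O value differs from the registry's names, so that a diacritic-stripped value is flagged as a difference to document rather than passing as a match. The function names and categories are hypothetical; the registered names are the ones quoted in the message.

```python
import unicodedata

# Trade names quoted in the message above (primary, parallel, auxiliary).
REGISTERED = [
    "Säästöpankkiliitto osk",
    "Sparbanksförbundet anl",
    "Savings Banks' Union Coop",
    "Säästöpankkikeskus",
    "Sparbankscentralen",
]

def strip_marks(text):
    """Decompose and drop combining marks: 'ä' -> 'a', 'Å' -> 'A'.

    Only letters with a canonical decomposition are folded; letters
    such as 'ø' or 'ł' are left unchanged.
    """
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(cert_o, registered_names):
    """Return (category, matched_name) for a certificate O value.

    Checks run from strictest to loosest, so the first hit is the
    smallest transformation that explains the certificate value.
    """
    nfc = lambda s: unicodedata.normalize("NFC", s)
    checks = [
        ("exact", lambda a, b: a == b),
        ("normalization-only", lambda a, b: nfc(a) == nfc(b)),
        ("case-only", lambda a, b: nfc(a).casefold() == nfc(b).casefold()),
        ("diacritics-differ",
         lambda a, b: strip_marks(a).casefold() == strip_marks(b).casefold()),
    ]
    for category, same in checks:
        for name in registered_names:
            if same(cert_o, name):
                return (category, name)
    return ("no-match", None)

if __name__ == "__main__":
    # O value observed in the OV certificate discussed in the message.
    print(classify("Saastopankkiliitto osk", REGISTERED))
```
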