On Monday, April 23, 2018 at 3:34:38 PM UTC-4, Wayne Thayer wrote:
> Section 9.2.1 of the EVGLs is stricter, only permitting abbreviations. If
> this were an EV cert I would argue that it was misissued.
> 
> On Mon, Apr 23, 2018 at 12:13 PM, Ryan Sleevi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > On Mon, Apr 23, 2018 at 1:11 PM, Henri Sivonen via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > First, it seems to me that the Baseline Requirements allow
> > > transformations of the organization's name only if the CA documents
> > > such transformations. I am unable to find such documentation in
> > > DigiCert's CP and CPS documents. Am I missing something?
> > >
> >
> > At present, these are not required to be in the public documentation.
> > Merely, the requirement is that the CA "documents" - i.e. it is presently
> > acceptable to only include this documentation in information provided to
> > the auditors.
> >
> >
> > > Second, while verifying that the applicant indeed represents a
> > > specific real organization is a difficult problem, in the case where
> > > the country that the certificate designates operates an
> > > online-queryable database of registered businesses, associations,
> > > etc., it should be entirely feasible to eliminate the failure mode
> > > where the certificate's organization field is (absent documented
> > > transformations permitted under the Baseline Requirements) not
> > > canonically equivalent (in the Unicode sense) to the name of any
> > > organization registered in the country that the certificates
> > > designates. That (inferring from the certificate for
> > > www.alandsbanken.fi) there isn't a technical process that would by
> > > necessity remove diacritical marks from the organization field and
> > > that the certificate for www.saastopankki.fi has them removed is
> > > strongly suggestive that DigiCert's process for validating
> > > Finland-based organizations does not include as a mandatory part either
> > > the retrieval of the organization's name via an online API to the
> > > business registry or a human CA representative copying and pasting the
> > > organization's name from a browser view to the business registry.
> > >
> >
> > The Baseline Requirements do not dictate the datasource used in various
> > jurisdictions. Thus even when there is a canonical source through
> > legislation, the BRs do not require its use.
> >
> >
> > > I wonder: When a given country
> > > has an online-queryable business registry, why isn't it either
> > > recommended or required to import names digitally from the business
> > > registry into certificates? Such practice would eliminate the failure
> > > mode of the certificate designating a name that doesn't match any
> > > entry in the business registry for such country. (Obviously, if it was
> > > _required_, the BRs would need to include a list of countries whose
> > > business registry is considered online-queryable in the sense that the
> > > requirement would apply, but unwillingness to maintain such a list
> > > does not explain why it isn't even recommended.)
> > >
> >
> > "Recommended" is pointless. Required is the only thing that makes sense,
> > and the complexities and overhead involved precisely explain why it isn't
> > required.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >

Appendix D of the EV Guidelines
(https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.6.8.pdf)
describes additional allowances for the Organization Name to be written with
Latin letters. Section 1.2 of Appendix D is especially relevant here, as it
appears that the organization names that are mentioned by Henri are
transliterations of the original Finnish names.

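As an added example for the thread above (not code from the thread, and not DigiCert's validation process or anything from the BRs or EV Guidelines), the following Python classifies how a certificate's Organization (O) field relates to a business-registry name: identical, canonically equivalent in the Unicode sense, differing only in case, equal only once diacritics are stripped (the transformation Henri observed), or not matching any registered name at all. The organization names in it are constructed sample strings, not the actual registry entries for the certificates mentioned; the table of letters that have no Unicode decomposition is an assumption about how a transliteration would map them.

```python
"""Classify how a certificate's O field relates to a business-registry name.

Added example, not DigiCert's process nor text from the CA/Browser Forum
documents. All organization names used here are constructed for illustration.
"""
import unicodedata

# Latin letters with no canonical decomposition: NFD plus stripping of
# combining marks leaves them untouched, so a transliteration has to map them
# explicitly. This mapping is an assumption, not a rule from the BRs/EVGLs.
_NO_DECOMPOSITION = {
    "Ø": "O", "ø": "o", "Æ": "AE", "æ": "ae", "Œ": "OE", "œ": "oe",
    "ß": "ss", "Ð": "D", "ð": "d", "Þ": "TH", "þ": "th", "Ł": "L", "ł": "l",
}

# Match kinds from strictest to loosest; used to pick the best registry hit.
_RANK = ["identical", "canonical-equivalent", "case-only",
         "diacritics-stripped", "mismatch"]


def canonical(s: str) -> str:
    """Unicode canonical composition (NFC): 'Ä' and 'A' + U+0308 compare equal."""
    return unicodedata.normalize("NFC", s)


def strip_diacritics(s: str) -> str:
    """Reduce a name to Latin letters without diacritics: decompose (NFD),
    drop combining marks (category Mn), then map letters that never decompose."""
    decomposed = unicodedata.normalize("NFD", s)
    without_marks = "".join(
        ch for ch in decomposed if unicodedata.category(ch) != "Mn"
    )
    return "".join(_NO_DECOMPOSITION.get(ch, ch) for ch in without_marks)


def classify(cert_o: str, registry_name: str) -> str:
    """Return the kind of relation between a certificate O value and one
    registry name:
      identical             same code points
      canonical-equivalent  equal after NFC (composed vs. decomposed input)
      case-only             equal after NFC and case folding
      diacritics-stripped   equal only after removing diacritics from both
                            (case-insensitive), i.e. the transformation the
                            thread is discussing
      mismatch              none of the above
    """
    if cert_o == registry_name:
        return "identical"
    c, r = canonical(cert_o), canonical(registry_name)
    if c == r:
        return "canonical-equivalent"
    if c.casefold() == r.casefold():
        return "case-only"
    if strip_diacritics(c).casefold() == strip_diacritics(r).casefold():
        return "diacritics-stripped"
    return "mismatch"


def match_registry(cert_o: str, registry_names):
    """Best (strictest) match of cert_o against a list of registry names.
    Returns (kind, registry_name); ('mismatch', None) when nothing matches,
    which is the failure mode the thread wants a registry lookup to rule out."""
    best = ("mismatch", None)
    for name in registry_names:
        kind = classify(cert_o, name)
        if _RANK.index(kind) < _RANK.index(best[0]):
            best = (kind, name)
    return best


if __name__ == "__main__":
    # Constructed registry extract; not real business-registry data.
    registry = ["Ålandsbanken Abp", "Säästöpankki Oy", "Ørn Oy"]
    for cert_o in ["Saastopankki Oy", "A\u030Alandsbanken Abp",
                   "Orn Oy", "Nordea Bank Oyj"]:
        print(f"{cert_o!r:32} -> {match_registry(cert_o, registry)}")
```

A CA that pastes or imports the name from the registry would only ever produce "identical" or "canonical-equivalent"; a "diacritics-stripped" result is exactly the case where the transformation must be documented, and "mismatch" is the case a registry lookup would have caught.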