That is correct. We use transliteration of non-Latin names through a system recognized by ISO per Appendix D(1)(3).

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org> On Behalf Of cbonnell--- via dev-security-policy
Sent: Tuesday, April 24, 2018 7:12 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Transforming a trade name into ASCII in the O field of an OV cert

On Monday, April 23, 2018 at 3:34:38 PM UTC-4, Wayne Thayer wrote:
> Section 9.2.1 of the EVGLs is stricter, only permitting abbreviations.
> If this were an EV cert I would argue that it was misissued.
>
> On Mon, Apr 23, 2018 at 12:13 PM, Ryan Sleevi via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > On Mon, Apr 23, 2018 at 1:11 PM, Henri Sivonen via
> > dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > First, it seems to me that the Baseline Requirements allow
> > > transformations of the organization's name only if the CA
> > > documents such transformations. I am unable to find such
> > > documentation in DigiCert's CP and CPS documents. Am I missing something?
> > >
> >
> > At present, these are not required to be in the public documentation.
> > Merely, the requirement is that the CA "documents" - i.e. it is
> > presently acceptable to only include this documentation in
> > information provided to the auditors.
> >
> >
> > > Second, while verifying that the applicant indeed represents a
> > > specific real organization is a difficult problem, in the case
> > > where the country that the certificate designates operates an
> > > online-queryable database of registered businesses, associations,
> > > etc., it should be entirely feasible to eliminate the failure mode
> > > where the certificate's organization field is (absent documented
> > > transformations permitted under the Baseline Requirements) not
> > > canonically equivalent (in the Unicode sense) to the name of any
> > > organization registered in the country that the certificate
> > > designates. That (inferring from the certificate for
> > > www.alandsbanken.fi) there isn't a technical process that would by
> > > necessity remove diacritical marks from the organization field and
> > > that the certificate for www.saastopankki.fi has them removed is
> > > strongly suggestive that DigiCert's process for validating
> > > Finland-based organizations does not include as a mandatory part
> > > either the retrieval of the organization's name via an online API
> > > to the business registry or a human CA representative copying and
> > > pasting the organization's name from a browser view to the business registry.
> > >
> >
> > The Baseline Requirements do not dictate the datasource used in
> > various jurisdictions. Thus even when there is a canonical source
> > through legislation, the BRs do not require its use.
> >
> >
> > > I wonder: When a given country
> > > has an online-queryable business registry, why isn't it either
> > > recommended or required to import names digitally from the
> > > business registry into certificates? Such practice would eliminate
> > > the failure mode of the certificate designating a name that
> > > doesn't match any entry in the business registry for such country.
> > > (Obviously, if it was _required_, the BRs would need to include a
> > > list of countries whose business registry is considered
> > > online-queryable in the sense that the requirement would apply,
> > > but unwillingness to maintain such a list does not explain why it
> > > isn't even recommended.)
> > >
> >
> > "Recommended" is pointless. Required is the only thing that makes
> > sense, and the complexities and overhead involved precisely explain
> > why it isn't required.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy

Appendix D of the EV Guidelines (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.6.8.pdf) describes additional allowances for the Organization Name to be written with Latin letters. Section 1.2 of Appendix D is especially relevant here, as it appears that the organization names that are mentioned by Henri are transliterations of the original Finnish names.
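
The comparison raised in the quoted thread (is a certificate's O value canonically equivalent, in the Unicode sense, to a business-registry name, or has it only had its diacritical marks removed?) can be written as a short check. This is an added example, not part of any message in the thread or of any CA's validation process; `compare_org_name` is a hypothetical helper and every organization name in it is a constructed sample.

```python
import unicodedata
from enum import Enum


class Match(Enum):
    IDENTICAL = "identical code points"
    CANONICAL = "canonically equivalent (normalization form differs)"
    MARKS_REMOVED = "registry name with diacritical marks removed"
    MISMATCH = "no match: needs a documented transformation or review"


def strip_marks(text: str) -> str:
    """Decompose to NFD, drop combining marks (category Mn), recompose."""
    decomposed = unicodedata.normalize("NFD", text)
    kept = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return unicodedata.normalize("NFC", kept)


def compare_org_name(cert_o: str, registry_name: str) -> Match:
    """Classify how a certificate O value relates to a registry name."""
    if cert_o == registry_name:
        return Match.IDENTICAL
    cert_nfc = unicodedata.normalize("NFC", cert_o)
    if cert_nfc == unicodedata.normalize("NFC", registry_name):
        return Match.CANONICAL
    if cert_nfc == strip_marks(registry_name):
        return Match.MARKS_REMOVED
    return Match.MISMATCH


# Constructed sample data: hypothetical registry entry and certificate values.
REGISTRY = "Esimerkki Säästöpankki Oy"
SAMPLES = [
    REGISTRY,                                # copied verbatim
    unicodedata.normalize("NFD", REGISTRY),  # same name, decomposed form
    "Esimerkki Saastopankki Oy",             # marks dropped
    "Esimerkki Saeaestoepankki Oy",          # digraph style: not mark removal
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}: {compare_org_name(value, REGISTRY).value}")
    # Letters such as U+00D8 have no canonical decomposition, so mark
    # stripping alone never turns them into ASCII; this reports MISMATCH.
    print(compare_org_name("Ostfold Eksempel AS", "Østfold Eksempel AS").value)
```

A `MARKS_REMOVED` or `MISMATCH` result is not by itself a finding; it marks the names that have to be explained by a transformation the CA has documented.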