CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot 88 – BR_9_2_4_Errata-ISO3166

Ballot 88 – BR_9_2_4_Errata-ISO3166

Ballot 88 – BR_9_2_4_Errata-ISO3166 (Passed)

Motion

Jeremy Rowley made the following motion and Rick Andrews and Rich Smith endorsed it:

… Motion begins…

Effective immediately

Erratum begins

  1. Add a new Definition: Country: Either a member of the United Nations OR a geographic region recognized as a sovereign nation by at least two UN member nations.

  2. Modify the following sections as indicated below:

9.2 Subject Information

By issuing the Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of the Certificate’s issuance date, all of the Subject Information was accurate. CAs SHALL NOT include a Domain Name in a Subject attribute except as specified in Sections 9.2.1 and 9.2.2 below.

9.2.4 Subject Organization Distinguished Name Fields

a. Certificate Fields:

  • Organization name: subject:organizationName (OID 2.5.4.10)

Optional.

Contents: If present, the subject:organizationName field MUST contain either the Subject’s name or DBA as verified under Section 11.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”. Because Subject name attributes for individuals (e.g. givenName (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by application software, the CA MAY use the subject:organizationName field to convey a natural person Subject’s name or DBA.

b. Certificate Field: subject:streetAddress (OID: 2.5.4.9)

Optional if the subject:organizationName field is present.

Prohibited if the subject:organizationName field is absent.

Contents: If present, the subject:streetAddress field MUST contain the Subject’s street address information as verified under Section 11.2.

c.

  • City or town Certificate Field: subject:localityName (OID: 2.5.4.7)

Required if the subject:organizationName field is present and the subject:stateOrProvinceName field is absent.

Optional if the subject:organizationName field and subject:stateOrProvinceName fields are present.

Prohibited if the subject:organizationName field is absent.

Contents: If present, the subject:localityName field MUST contain the Subject’s locality information as verified under Section 11.2. If the subject:countryName field specifies the ISO 3166-1 user-assigned code of XX in accordance with Section 9.2.5, the localityName field MAY contain the Subject’s locality and/or state or province information as verified under Section 11.2.

d. Certificate Field: State or province (where applicable) subject:stateOrProvinceName (OID: 2.5.4.8)

Required if subject:organizationName field is present and subject:localityName field is absent.

Optional if subject:organizationName and subject:localityName fields are present.

Prohibited if subject:organizationName field is absent.

Contents: If present, the subject:stateOrProvinceName field MUST contain the Subject’s state or province information as verified under Section 11.2. If the subject:countryName field specifies the ISO 3166-1 user-assigned code of XX in accordance with Section 9.2.5, the subject:stateOrProvinceName field MAY contain the full name of the Subject’s country information as verified under Section 11.2.5.

Country subject:countryName (OID: 2.5.46)

e. Certificate Field: subject:postalCode (OID: 2.5.4.17)

Optional if subject:organizationName field is present.

Prohibited if subject:organizationName field is absent.

Contents: If present, the subject:postalCode field MUST contain the Subject’s zip or postal information as verified under Section 11.2.

9.2.5 Subject Country Name Field

Certificate Field: subject:countryName (OID: 2.5.4.6)

Required/Optional: Optional.

Required if the subject:organizationName field is present.

Optional if the subject:organizationName field is absent.

Contents: If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject in accordance with Section 11.2.5 and use its two-letter ISO 3166-1 country code subject:organizationName field is present, the subject:countryName MUST contain the two-letter ISO 3166-1 country code associated with the location of the Subject verified under Section 11.2. If the subject:organizationName field is absent, the subject:countryName field MAY contain the two-letter ISO 3166-1 country code associated with the Subject as verified in accordance with Section 11.2.5. If a Country is not represented by an official ISO 3166-1 country code, the CA MAY specify the ISO 3166-1 user-assigned code of XX indicating that an official ISO 3166-1 alpha-2 code has not been assigned.

  1. Change the heading of Section 9.2.6 as follows:

9.2.6 Other Subject Organizational Unit Field Attributes

  1. Replace the following sentences of Section 9.2.6:

With the exception of the subject:organizationalUnitName (OU) attribute, optional attributes, when present within the subject field, MUST contain information that has been verified by the CA. Metadata such as ‘.’, ‘-‘, and ‘ ‘ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable, SHALL NOT be used. CAs SHALL NOT include Fully-Qualified Domain Names in Subject attributes except as specified in Sections 9.2.1 and 9.2.2, above.

With:

Certificate Field: subject:organizationalUnitName

Optional.

  1. Add Section 9.2.7:

9.2.7 Other Subject Attributes

All other optional attributes, when present within the subject field, MUST contain information that has been verified by the CA. Optional attributes MUST NOT contain metadata such as ‘.’, ‘-‘, and ‘ ‘ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable.

…. Erratum ends …

The review period for this ballot already occurred when it was presented as Ballot 86. Therefore, the voting period will start immediately and will close at 24:00 UTC on 12 September 2012. Votes must be cast by posting an on-list reply to this thread.

… Motions ends …

A vote in favor of the motion must indicate a clear ‘yes’ in the response.

A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates: Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action; Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).