Baseline Requirements: Clarify the allowed fields for issuer names #154

Open
sleevi opened this issue Jan 9, 2020 · 3 comments

sleevi commented Jan 9, 2020

This was originally raised on the servercert mailing list.

Baseline Requirements 1.6.7, Section 7.1.4.3, sets the permitted fields and validation requirements.

As of 2019-12-09, set of unexpired, BR-audited CAs, trusted for TLS, and not listed as revoked within CCADB or the CA's CRL, aggregated by attribute type and issuer organization (or CN for when O is missing):
type issuer count
2.5.4.11 Total 823
O=DigiCert Inc 162
O=VeriSign, Inc. 78
O=The USERTRUST Network 72
O=GeoTrust Inc. 41
O=AddTrust AB 33
O=Unizeto Technologies S.A. 30
O=COMODO CA Limited 26
O=Orion Health Inc. 24
O=Baltimore 23
O=AffirmTrust 17
O=Dhimyotis 16
O=GlobalSign nv-sa 16
O=eMudhra Inc 14
O=eMudhra Technologies Limited 14
O=TrustCor Systems S. de R.L. 13
O=Entrust, Inc. 13
O=certSIGN 12
O=Entrust.net 12
O=WISeKey 11
O=Government Root Certification Authority 11
O=NetLock Kft. 11
O=GlobalSign 10
O=DigiCert, Inc 10
O=thawte, Inc. 10
O=Chunghwa Telecom Co., Ltd. 9
O=SECOM Trust Systems CO.,LTD. 9
O=Amazon 8
O=IZENPE S.A. 8
O=FNMT-RCM 8
O=Agencia Catalana de Certificacio (NIF Q-0801176-I) 7
O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. 7
O=ACCV 7
O=Actalis S.p.A./03358520967 7
O=TAIWAN-CA 7
O=QuoVadis Limited 6
O=Starfield Technologies, Inc. 6
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 6
O=SECOM Trust.net 5
O=T-Systems Enterprise Services GmbH 5
O=Trustis Limited 5
O=AC Camerfirma S.A. 4
O=Thawte Consulting cc 4
O=ValiCert, Inc. 4
O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. 3
O=The Go Daddy Group, Inc. 3
O=IdenTrust 3
O=AS Sertifitseerimiskeskus 3
O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK 2
O=Unizeto Sp. z o.o. 2
O=ATT Services Inc 2
O=Comodo CA Limited 2
O=U.S. Government 2
O=Verizon Business 2
O=XRamp Security Services Inc 1
O=Staat der Nederlanden 1
O=MULTICERT - Serviços de Certificação Electrónica S.A. 1
O=Cybertrust, Inc 1
O=Swiss Government PKI 1
O=GoDaddy.com, Inc. 1
O=JIPDEC 1
2.5.4.7 Total 512
O=The USERTRUST Network 168
O=COMODO CA Limited 60
O=AddTrust AB 49
O=GlobalSign nv-sa 24
O=SSL Corporation 20
O=NetLock Kft. 20
O=Microsec Ltd. 17
O=Actalis S.p.A./03358520967 16
CN=Belgium Root CA4 12
O=Hellenic Academic and Research Institutions Cert. Authority 12
O=Comodo CA Limited 12
O=AC Camerfirma S.A. 11
O=SecureTrust Corporation 10
O=DigiCert Inc 9
O=Baltimore 9
O=Starfield Technologies, Inc. 8
O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. 7
O=TrustCor Systems S. de R.L. 6
O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. 6
O=Hongkong Post 5
O=GlobalSign 4
O=SSL X Y & Z Corp. 4
O=SECOM Trust Systems CO.,LTD. 3
O=Disig a.s. 3
O=The Go Daddy Group, Inc. 3
O=InterCloud Ventures Inc 3
O=T-Systems Enterprise Services GmbH 2
O=Unizeto Technologies S.A. 2
O=GoDaddy.com, Inc. 2
O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK 2
O=Agencia Catalana de Certificacio (NIF Q-0801176-I) 2
O=QuoVadis Limited 1
O=SECOM Trust.net 1
O=XRamp Security Services Inc 1
O=Network Solutions L.L.C. 1
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 1
2.5.4.8 Total 437
O=The USERTRUST Network 166
O=COMODO CA Limited 56
O=AddTrust AB 51
O=GlobalSign nv-sa 24
O=SSL Corporation 20
O=QuoVadis Limited 16
O=Comodo CA Limited 14
O=TrustCor Systems S. de R.L. 13
O=DigiCert Inc 10
O=SecureTrust Corporation 10
O=Actalis S.p.A./03358520967 8
O=Starfield Technologies, Inc. 8
O=Baltimore 7
O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. 6
O=Hongkong Post 5
O=SSL X Y & Z Corp. 4
O=GlobalSign 4
O=InterCloud Ventures Inc 3
O=The Go Daddy Group, Inc. 3
O=ATT Services Inc 2
O=GoDaddy.com, Inc. 2
O=Unizeto Technologies S.A. 2
O=T-Systems Enterprise Services GmbH 2
O=UniTrust 1
O=XRamp Security Services Inc 1
O=Network Solutions L.L.C. 1
2.5.4.5 Total 123
CN=Belgium Root CA4 55
CN=Belgium Root CA3 39
O=AC Camerfirma S.A. 13
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 5
CN=Belgium Root CA2 4
O=Baltimore 3
O=FNMT-RCM 2
O=The Go Daddy Group, Inc. 1
O=Starfield Technologies, Inc. 1
O=QuoVadis Limited 1
2.5.4.97 Total 38
O=Dhimyotis 14
O=Microsec Ltd. 9
O=Staat der Nederlanden 6
O=QuoVadis Limited 4
O=QuoVadis Trustlink B.V. 2
O=Entrust, Inc. 1
O=D-Trust GmbH 1
O=AS Sertifitseerimiskeskus 1
1.2.840.113549.1.9.1 Total 22
O=Microsec Ltd. 8
O=SecureTrust Corporation 7
O=AS Sertifitseerimiskeskus 5
O=XRamp Security Services Inc 1
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 1
2.5.4.17 Total 3
O=T-Systems Enterprise Services GmbH 2
O=Baltimore 1
2.5.4.9 Total 3
O=T-Systems Enterprise Services GmbH 2
O=Baltimore 1
1.3.6.1.4.1.519.1 Total 1
O=DigiCert Inc 1
1.3.6.1.4.1.52266.1 Total 1
O=DigiCert Inc 1
As of 2019-12-08, set of unexpired CAs present within Browser Members' root stores, capable of TLS, including those **without BR audits**, and not listed as revoked within CCADB or the CA's CRL, aggregated by attribute type and issuer organization (or CN for when O is missing):
type issuer count
2.5.4.11 Total 1525
O=VeriSign, Inc. 214
O=DigiCert Inc 162
O=U.S. Government 78
O=The USERTRUST Network 72
O=Symantec Corporation 48
O=GeoTrust Inc. 41
O=ICP-Brasil 38
O=Unizeto Technologies S.A. 35
O=AddTrust AB 33
O=Microsoft Corporation 30
O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH 27
O=COMODO CA Limited 26
O=Orion Health Inc. 24
O=Baltimore 23
O=AffirmTrust 17
O=StartCom Ltd. 17
O=Apple Inc. 17
O=GlobalSign nv-sa 16
O=Dhimyotis 16
O=British Telecommunications plc 15
O=VISA 14
O=Entrust, Inc. 14
O=eMudhra Technologies Limited 14
O=eMudhra Inc 14
O=Swisscom 14
O=TrustCor Systems S. de R.L. 12
O=certSIGN 12
O=Entrust.net 12
O=NetLock Kft. 12
O=Certinomis 11
O=WISeKey 11
O=Government Root Certification Authority 11
O=Skaitmeninio sertifikavimo centras 11
O=thawte, Inc. 10
O=DigiCert, Inc 10
O=GlobalSign 10
O=Government of Korea 9
O=CertiPath LLC 9
O=SECOM Trust Systems CO.,LTD. 9
O=OpenTrust 9
O=IdenTrust 9
O=ARGE DATEN - Austrian Society for Data Protection 9
O=Chunghwa Telecom Co., Ltd. 9
O=Entrust 8
O=Vaestorekisterikeskus CA 8
O=Thawte Consulting cc 8
O=CertiSur S.A. 8
O=e-commerce monitoring GmbH 8
O=FNMT-RCM 8
O=Amazon 8
O=IZENPE S.A. 8
O=ANF Autoridad de Certificacion 7
O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. 7
O=The Federal Authorities of the Swiss Confederation 7
O=Unizeto Sp. z o.o. 7
O=Agencia Catalana de Certificacio (NIF Q-0801176-I) 7
O=ACCV 7
O=ANSSI 7
O=DIRECCION GENERAL DE LA POLICIA 7
O=Actalis S.p.A./03358520967 7
O=TAIWAN-CA 7
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 6
O=India PKI 6
O=WoSign CA Limited 6
O=Starfield Technologies, Inc. 6
O=Trustis Limited 5
O=T-Systems Enterprise Services GmbH 5
O=SECOM Trust.net 5
O=MULTICERT - Serviços de Certificação Electrónica S.A. 5
O=Secretaria de Economia 5
CN=E-ME PSI (PCA) 5
O=AC CAMERFIRMA S.A. 5
O=D-Trust GmbH 5
O=Consejo General de la Abogacia NIF:Q-2863006I 5
O=Colegio de Registradores de la Propiedad y Mercantiles de España 5
O=Sistema Nacional de Certificacion Electronica 4
O=AC Camerfirma S.A. 4
O=Japanese Government 4
O=DigiCert, Inc. 4
O=TSCP Inc. 4
O=QuoVadis Limited 4
O=Agence Nationale des Titres Sécurisés 4
O=Carillon Information Security Inc. 4
O=Swiss Government PKI 4
O=ValiCert, Inc. 4
O=ANF Autoridad de Certificación 4
O=Echoworx Corporation 4
O=KISA 4
O=South African Post Office Limited 4
O=GOV 3
O=KEYNECTIS 3
O=Certeurope 3
O=SERVICE-PUBLIC GOUV MINISTERE EN CHARGE DE L'AGRICULTURE 3
O=The Go Daddy Group, Inc. 3
O=MINISTERE INTERIEUR 3
CN=E-ME SSI (RCA) 3
O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. 3
O=Republika Slovenija 3
O=StartCom CA 3
O=VI Registru Centras - I.k. 124110246 3
O=Telekomunikacja Polska S.A. 3
O=AS Sertifitseerimiskeskus 3
O=SAFE-Biopharma 2
O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK 2
O=Comodo CA Limited 2
O=ADMINISTRACION NACIONAL DE CORREOS 2
O=MSC Trustgate.com Sdn. 2
O=Verizon 2
O=TM 2
O=Verizon Business 2
CN=Microsoft Root Certificate Authority 2
O=APMM A/S 2
O=Netrust Pte Ltd 2
O=ATT Services Inc 2
O=Certisign Certificadora Digital S.A. 2
O=Lockheed Martin Corporation 2
O=ADACOM S.A. 2
O=National Center for Digital Certification 2
O=PersonalID Ltd. 2
O=VeriSign Japan K.K. 2
O=Exostar LLC 2
O=AC Camerfirma SA CIF A82743287 2
O=Oracle Corporation 2
O=state-institutions 2
O=MINISTERE DES AFFAIRES ETRANGERES 2
O=PM/SGDN 2
O=WidePoint 1
O=GoDaddy.com, Inc. 1
O=CONSEJO GENERAL DE LA ABOGACIA 1
O=Trans Sped SRL 1
CN=Microsoft Root Authority 1
O=Northrop Grumman Corporation 1
O=AGESIC 1
O=VI Registru centras- i.k. 124110246 1
O=JIPDEC 1
O=POSTA 1
O=Deutscher Sparkassen Verlag GmbH 1
O=Digidentity B.V. 1
O=CAs 1
O=XRamp Security Services Inc 1
O=EDICOM 1
O=Digicert Sdn. Bhd. 1
O=CERTSIGN SA 1
O=Boeing 1
O=Gendarmerie nationale 1
O=ORC PKI 1
O=Cybertrust, Inc 1
O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790 1
O=Foundation for Trusted Identity 1
O=Apple Computer, Inc. 1
O=STRAC 1
O=Staat der Nederlanden 1
O=admin 1
O=Generalitat Valenciana 1
O=Electronic Transactions Development Agency (Public Organization) 1
CN=Configuration 1
2.5.4.7 Total 674
O=The USERTRUST Network 168
O=Microsoft Corporation 61
O=COMODO CA Limited 55
O=AddTrust AB 49
O=NetLock Kft. 22
O=SSL Corporation 22
O=GlobalSign nv-sa 19
O=Actalis S.p.A./03358520967 17
O=Microsec Ltd. 17
CN=Belgium Root CA4 12
O=ARGE DATEN - Austrian Society for Data Protection 12
O=Hellenic Academic and Research Institutions Cert. Authority 12
O=AC Camerfirma S.A. 11
O=SecureTrust Corporation 10
O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988 10
O=Comodo CA Limited 10
CN=Microsoft Root Certificate Authority 9
O=DigiCert Inc 9
O=e-commerce monitoring GmbH 9
O=Network Solutions L.L.C. 9
O=Baltimore 9
O=Trustwave Holdings, Inc. 9
O=Starfield Technologies, Inc. 8
O=NISZ Nemzeti Infokommunikációs Szolgáltató Zrt. 8
O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. 7
O=TrustCor Systems S. de R.L. 6
O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. 6
O=ANF Autoridad de Certificacion 6
O=Secretaria de Economia 5
O=Hongkong Post 5
O=AC CAMERFIRMA S.A. 5
O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. 4
O=Echoworx Corporation 4
O=ComSign Ltd. 4
O=GlobalSign 4
O=Disig a.s. 4
O=South African Post Office Limited 4
O=Thawte Consulting cc 4
O=Sistema Nacional de Certificacion Electronica 4
O=SSL X Y & Z Corp. 4
O=ANF Autoridad de Certificación 3
O=Open Access Technology International Inc 3
O=AC Camerfirma SA CIF A82743287 3
O=SECOM Trust Systems CO.,LTD. 3
O=The Go Daddy Group, Inc. 3
O=InterCloud Ventures Inc 3
O=Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988 2
O=T-Systems Enterprise Services GmbH 2
O=GoDaddy.com, Inc. 2
O=Unizeto Technologies S.A. 2
O=Agencia Catalana de Certificacio (NIF Q-0801176-I) 2
O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK 2
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 1
O=QuoVadis Limited 1
O=XRamp Security Services Inc 1
O=SECOM Trust.net 1
O=PM/SGDN 1
O=AGESIC 1
O=CertiPath LLC 1
O=AC Camerfirma SA 1
O=EDICOM 1
2.5.4.8 Total 571
O=The USERTRUST Network 166
O=Microsoft Corporation 61
O=COMODO CA Limited 51
O=AddTrust AB 51
O=SSL Corporation 22
O=GlobalSign nv-sa 19
O=TrustCor Systems S. de R.L. 12
O=Comodo CA Limited 12
O=ARGE DATEN - Austrian Society for Data Protection 11
O=DigiCert Inc 10
O=SecureTrust Corporation 10
O=Network Solutions L.L.C. 9
O=e-commerce monitoring GmbH 9
CN=Microsoft Root Certificate Authority 9
O=Trustwave Holdings, Inc. 9
O=Actalis S.p.A./03358520967 8
O=Starfield Technologies, Inc. 8
O=Baltimore 7
O=ANF Autoridad de Certificacion 6
O=UniTrust 6
O=India PKI 6
O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. 6
O=AC CAMERFIRMA S.A. 5
O=Secretaria de Economia 5
O=Hongkong Post 5
O=GlobalSign 4
O=Thawte Consulting cc 4
O=Echoworx Corporation 4
O=StartCom Ltd. 4
O=South African Post Office Limited 4
O=Sistema Nacional de Certificacion Electronica 4
O=SSL X Y & Z Corp. 4
O=Vaestorekisterikeskus CA 3
O=ANF Autoridad de Certificación 3
O=Open Access Technology International Inc 3
O=The Go Daddy Group, Inc. 3
O=InterCloud Ventures Inc 3
O=Unizeto Technologies S.A. 2
O=GoDaddy.com, Inc. 2
O=ATT Services Inc 2
O=Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988 2
O=T-Systems Enterprise Services GmbH 2
O=CertiPath LLC 1
O=XRamp Security Services Inc 1
O=QuoVadis Limited 1
O=ICP-Brasil 1
O=PM/SGDN 1
2.5.4.5 Total 158
CN=Belgium Root CA4 55
CN=Belgium Root CA3 39
O=AC Camerfirma S.A. 13
O=ANF Autoridad de Certificacion 7
O=První certifikační autorita, a.s. 5
O=AC CAMERFIRMA S.A. 5
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 5
O=Consejo General de la Abogacia NIF:Q-2863006I 4
CN=Belgium Root CA2 4
O=Agence Nationale des Titres Sécurisés 4
O=ANF Autoridad de Certificación 4
O=Baltimore 3
O=AC Camerfirma SA CIF A82743287 3
O=FNMT-RCM 2
O=CONSEJO GENERAL DE LA ABOGACIA 1
O=The Go Daddy Group, Inc. 1
O=EDICOM 1
O=QuoVadis Limited 1
O=Starfield Technologies, Inc. 1
O=ANSSI 1
O=Secretaria de Economia 1
O=AC Camerfirma SA 1
2.5.4.97 Total 79
O=Dhimyotis 14
O=Microsec Ltd. 9
O=Republika Slovenija 6
O=Staat der Nederlanden 6
O=AC CAMERFIRMA S.A. 5
O=Halcom d.d. 5
O=Česká pošta, s.p. 5
O=SwissSign AG 4
O=Symantec Corporation 4
O=QuoVadis Limited 3
O=CERTSIGN SA 3
O=První certifikační autorita, a.s. 2
O=D-Trust GmbH 2
O=Certinomis 2
O=Swisscom 2
O=QuoVadis Trustlink B.V. 2
O=CONSEJO GENERAL DE LA ABOGACIA 1
O=state-institutions 1
O=Entrust, Inc. 1
O=NISZ Nemzeti Infokommunikációs Szolgáltató Zrt. 1
O=AS Sertifitseerimiskeskus 1
1.2.840.113549.1.9.1 Total 54
O=Microsec Ltd. 8
O=SecureTrust Corporation 7
O=ARGE DATEN - Austrian Society for Data Protection 7
O=ANF Autoridad de Certificacion 6
O=AS Sertifitseerimiskeskus 5
O=Secretaria de Economia 5
O=Sistema Nacional de Certificacion Electronica 4
O=Thawte Consulting cc 4
O=VeriSign, Inc. 4
O=South African Post Office Limited 4
O=AC Camerfirma SA CIF A82743287 3
O=XRamp Security Services Inc 1
O=PM/SGDN 1
O=AC Camerfirma SA 1
CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 1
O=Consejo General de la Abogacia NIF:Q-2863006I 1
0.9.2342.19200300.100.1.25 Total 15
CN=Configuration 4
O=CAs 2
O=Verizon 2
O=VISA 2
CN=Microsoft Root Certificate Authority 1
O=CertiPath LLC 1
O=U.S. Government 1
O=Exostar LLC 1
O=Carillon Information Security Inc. 1
2.5.4.9 Total 14
O=India PKI 6
O=Secretaria de Economia 5
O=T-Systems Enterprise Services GmbH 2
O=Baltimore 1
2.5.4.17 Total 14
O=India PKI 6
O=Secretaria de Economia 5
O=T-Systems Enterprise Services GmbH 2
O=Baltimore 1
2.5.4.51 Total 6
O=India PKI 6
1.3.6.1.4.1.519.1 Total 1
O=DigiCert Inc 1
1.3.6.1.4.1.52266.1 Total 1
O=DigiCert Inc 1
@sleevi sleevi self-assigned this Jan 9, 2020

sleevi commented Jan 9, 2020

@timfromdigicert I'm drafting a ballot to explicitly only allow those fields from the first set. I wanted to include the second set for completeness, if folks had questions as to "what about weird attribute type X".

Note that this still overcounts for fields, in both cases, because I haven't worked out a way to exclude those CAs that have failed ALV, indicating that they may not actually be covered by the scope of the BR audit and may not be intended for TLS, even if they are capable of such.

I've got draft language worked up, but am working to make it clearer based on early feedback on some ambiguities.
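
As an added illustration, not part of the issue thread or of any ballot text: one way to check a DER-encoded issuer Name against the attribute types seen in the first table. The allow-list (the first table's types plus C, O and CN), the function names and the two sample Names are assumptions constructed for this example.

```python
O, CN = "2.5.4.10", "2.5.4.3"
# Assumption: allow-list = attribute types in the first table, plus C, O, CN.
FIRST_SET = {"2.5.4.6", O, CN, "2.5.4.11", "2.5.4.7", "2.5.4.8", "2.5.4.5",
             "2.5.4.97", "2.5.4.17", "2.5.4.9", "1.2.840.113549.1.9.1",
             "1.3.6.1.4.1.519.1", "1.3.6.1.4.1.52266.1"}
# Constructed DER issuer Names: "O=Example CA, OU=Roots" and
# "DC=example, CN=Example Sub CA" (no O, and a type outside FIRST_SET).
SAMPLES = [bytes.fromhex(h) for h in (
    "302531133011060355040A0C0A4578616D706C65204341310E300C060355040B0C05526F6F7473",
    "303231173015060A0992268993F22C64011916076578616D706C65"
    "3117301506035504030C0E4578616D706C6520537562204341")]

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (single-byte tags only)."""
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + n]
        pos += n

def oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def name_attrs(der):
    """Yield (type OID, value text) for every attribute in a DER Name."""
    (_, rdns), = tlvs(der)                 # outer SEQUENCE OF RDN
    for _, rdn in tlvs(rdns):              # RelativeDistinguishedName (SET)
        for _, atv in tlvs(rdn):           # AttributeTypeAndValue (SEQUENCE)
            (_, t), (vtag, v) = tlvs(atv)
            enc = "utf-16-be" if vtag == 0x1E else "utf-8"  # 0x1E = BMPString
            yield oid(t), v.decode(enc, "replace")

def outside_first_set(der):
    """Return (issuer key, types not in FIRST_SET); key is O, or CN if O is absent."""
    attrs = list(name_attrs(der))
    d = dict(attrs)
    key = f"O={d[O]}" if O in d else f"CN={d.get(CN, '')}"
    return key, sorted({t for t, _ in attrs} - FIRST_SET)
```

For the constructed samples, the first Name yields no types outside the set, while the second is keyed by CN and reports `0.9.2342.19200300.100.1.25`, an attribute type that appears only in the second table.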


sleevi commented Jan 9, 2020

Oh, and I should note: The above is all extant certificates. That is, it does not filter based on the effective date of the BRs' provision on subject, precisely to cover the entire spectrum. However, this also leads to overcounts, as several CAs have since been retired and do not issue new certificates.

@sleevi sleevi added the baseline-requirements Server Certificate CWG - Baseline Requirements label Jun 18, 2020

barrini commented Oct 4, 2023

F2F 60 decision to assign to Tim to check if can be closed
