There is an inconsistency between section 3.2.3.1 (Attribute collection of organization identity) and section 7.1.4.2.2 (Subject distinguished name fields).
In 3.2.3.1 it is specified that:
The CA or RA SHALL collect and retain evidence supporting the following identity attributes for the Organization
and the list of identity attributes includes...
3. An organizational unit of the Legal Entity (if included in the Subject);
But according to §7.1.4.2.2 organizational units (properly speaking) cannot be included in certificates.
In fact, section 7.1.4.2.2 (Subject distinguished name fields) reads as follows regarding the organizationalUnitName attribute:
If present, the CA SHALL confirm that the subject:organizationalUnitName is the full legal organization name of an Affiliate of the subject:organizationName
So, if present, the organizationalUnitName attribute cannot really contain the name of an organizational unit (e.g. department, division, etc.) but only the name of an Affiliate organization, which is quite a different thing.
To sum up, I believe that we should either remove item 3 from the list in 3.2.3.1 or reword it to make it consistent with 7.1.4.2.2 letter c).
Your proposal does not seem to me to fix the problem, as it still suggests that an "organizational unit" may still appear in the certificate (subject to Section 7.1.4.2.2). The problem is, no "organizational unit" can ever appear in the Subject according to Section 7.1.4.2.2, to my understanding. So it's one or the other:
if you agree that an Affiliate is not an Organizational Unit, then it is misleading to mention an "organizational unit" in that bullet (as Section 7.1.4.2.2 only allows an Affiliate);
otherwise, please explain to me what the real meaning of Section 7.1.4.2.2 would be, possibly with a practical example.
In the first case, the only correct way of fixing the problem would be replacing the third bullet in section 3.2.3.1 with the following:
3. An Affiliate of the Legal Entity as described in Section 7.1.4.2.2 (if included in the Subject);
On the other hand, if in reality there was no intention to ban OUs, but unfortunately the SMBRs came out badly, then the language of section 7.1.4.2.2 needs to be revised.