
Inconsistency between 3.2.3.1 and 7.1.4.2.2 regarding the OU attribute #226

defacto64 opened this issue Nov 27, 2023 · 4 comments

@defacto64

There is an inconsistency between section 3.2.3.1 (Attribute collection of organization identity) and section 7.1.4.2.2 (Subject distinguished name fields).

In 3.2.3.1 it is specified that:

The CA or RA SHALL collect and retain evidence supporting the following identity attributes for the Organization

and the list of identity attributes includes...

3. An organizational unit of the Legal Entity (if included in the Subject);

But according to §7.1.4.2.2 organizational units (properly speaking) cannot be included in certificates.

In fact, section 7.1.4.2.2 (Subject distinguished name fields) reads as follows regarding the organizationalUnitName attribute:

If present, the CA SHALL confirm that the subject:organizationalUnitName is the full legal organization name of an Affiliate of the subject:organizationName

So, if present, the organizationalUnitName attribute cannot really contain the name of an organizational unit (e.g. department, division, etc.) but only the name of an Affiliate organization, which is quite a different thing.

To sum up, I believe that we should either remove item 3 from the list in 3.2.3.1 or reword it to make it consistent with 7.1.4.2.2 letter c).
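As an added example (not code from the issue or from the SMBR text itself): a pre-issuance subject-DN lint that applies the reading of Section 7.1.4.2.2 described in this post, so an OU that names a department is rejected while an OU that is the full legal name of a verified Affiliate of the O is accepted. The minimal RFC 4514 parser, the AFFILIATES registry and the sample DNs are constructed assumptions for illustration.

```python
from __future__ import annotations

# Constructed registry: organizationName -> full legal names of its verified
# Affiliates. A real CA would draw this from its validated organization data.
AFFILIATES: dict[str, set[str]] = {
    "Example Holdings Ltd": {"Example Software GmbH", "Example Services Inc"},
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into (type, value) pairs.

    Handles backslash escapes (e.g. 'CN=Dan\\, Jr.'); multi-valued RDNs
    joined with '+' are not handled, which is enough for this check.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    key: str | None = None
    escaped = False
    for ch in dn:
        if escaped:                      # character after '\' is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:  # first '=' ends the attribute type
            key = "".join(buf).strip()
            buf = []
        elif ch == "," and key is not None:  # unescaped ',' ends the RDN
            pairs.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if key is not None:
        pairs.append((key, "".join(buf).strip()))
    return pairs


def check_ou(dn: str) -> list[str]:
    """Return findings for the 7.1.4.2.2 OU rule; an empty list means pass."""
    attrs = parse_dn(dn)
    orgs = [v for k, v in attrs if k.upper() == "O"]
    ous = [v for k, v in attrs if k.upper() == "OU"]
    if ous and len(orgs) != 1:
        return ["OU present but organizationName missing or not unique"]
    return [
        f"OU {ou!r} is not the full legal name of a verified Affiliate of {orgs[0]!r}"
        for ou in ous if ou not in AFFILIATES.get(orgs[0], set())
    ]
```

Running `check_ou` on `"CN=Bob Example,OU=IT Department,O=Example Holdings Ltd,C=DE"` yields one finding, while the same subject with `OU=Example Software GmbH`, or with no OU at all, passes.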

@srdavidson
Contributor

Thanks - how's this?

3. An organizational unit of the Legal Entity as described in Section 7.1.4.2.2 (if included in the Subject);

@defacto64
Author

Your proposal does not seem to me to fix the problem, as it still suggests that an "organizational unit" may still appear in the certificate (subject to Section 7.1.4.2.2). The problem is, no "organizational unit" can ever appear in the Subject according to Section 7.1.4.2.2, to my understanding. So it's one or the other:

  • if you agree that an Affiliate is not an Organizational Unit, then it is misleading to mention an "organizational unit" in that bullet (as Section 7.1.4.2.2 only allows an Affiliate);
  • otherwise, please explain to me what the real meaning of Section 7.1.4.2.2 would be, possibly with a practical example.

In the first case, the only correct way of fixing the problem would be replacing the third bullet in section 3.2.3.1 with the following:

3. An Affiliate of the Legal Entity as described in Section 7.1.4.2.2 (if included in the Subject);

On the other hand, if in reality there was no intention to ban OUs, but unfortunately the SMBRs came out badly, then the language of section 7.1.4.2.2 needs to be revised.

@srdavidson
Contributor

How's that? srdavidson@397e8e1

@defacto64
Author

That's okay! :)
