Re: ISSUE-237: Augmented Assurance Certificate Elements [wsc-xit] from Mary Ellen Zurko on 2010-02-26 (public-wsc-wg@w3.org from February 2010)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Fri, 26 Feb 2010 14:12:21 -0500
To: "Thomas Roessler <tlr" <tlr@w3.org>
Cc: Web Security Context Working Group WG <public-wsc-wg@w3.org>,public-wsc-wg-request@w3.org
Message-ID: <OF212A6D26.F933643D-ON852576D6.0069511A-852576D6.00695A58@LocalDomain>

I agree with this change.

Thanks for noticing the typo (thinko?) Stephen!

          Mez





From:   Thomas Roessler <tlr@w3.org>
To:     Thomas Roessler <tlr@w3.org>
Cc:     Web Security Context Working Group WG <public-wsc-wg@w3.org>
Date:   02/23/2010 05:30 AM
Subject:        Re: ISSUE-237: Augmented Assurance Certificate Elements 
[wsc-xit]
Sent by:        public-wsc-wg-request@w3.org



Stephen Farrell notes that I was sloppy enough to write CN for "Common 
Name" instead of C for "Country".  Fixed in the editor's draft; and thanks 
to Stephen for noticing.
--
Thomas Roessler, W3C  <tlr@w3.org>







On 23 Feb 2010, at 00:09, Thomas Roessler wrote:

> On 23 Feb 2010, at 00:07, Web Security Context Working Group Issue 
Tracker wrote:
> 
>> 
>> ISSUE-237: Augmented Assurance Certificate Elements [wsc-xit]
>> 
>> http://www.w3.org/2006/WSC/track/issues/237
>> 
>> Raised by: Thomas Roessler
>> On product: wsc-xit
>> 
>> During CR, it was observed that:
>> - implementations commonly display O and CN
>> - if O is not present, extended validation certificates are still 
recognized (against conformance claim III), and CN is displayed
>> 
>> Proposed:
>> 
>> - to augment the conformance claim by a statement that identifies "What 
broadly accepted practices are considered sufficient for a trust anchor to 
be deemed augmented assurance qualified (see 5.1.2 Augmented Assurance 
Certificates), and what data elements are deemed assured by those 
certificates."
>> - to change conformance claims II and III into the following:
>> "To derive a human-readable subject name from an augmented assurance 
certificate, user agents SHOULD use the Subject field's Organization (O) 
and Country (CN) attributes. They MUST use information that is subject to 
the certificate authority's additional assurances, as documented in the 
user agent's conformance statement." (#II and #IIa in the latest editor's 
draft)
> 
> Note that the proposed change includes dropping  the previous 
conformance claim III, "If the certificate's Subject field does not have 
an Organization attribute, then user agents MUST NOT consider the 
certificate as an augmented assurance certificate, even if it chains up to 
an augmented assurance qualified trust root (5.1.2 Augmented Assurance 
Certificates). User agents MAY consider such a certificate as an ordinary 
validated certificate."

Received on Friday, 26 February 2010 19:11:21 UTC