- From: <mzurko@us.ibm.com>
- Date: Fri, 16 Jan 2009 19:10:49 +0000
- To: Philipp Gühring <pg@futureware.at>
- Cc: public-usable-authentication@w3.org
Dear Philipp Gühring,

The Web Security Context Working Group has reviewed the comments you sent [1] on the Last Call Working Draft [2] of the Web Security Context: User Interface Guidelines published on 24 Jul 2008. Thank you for having taken the time to review the document and to send us comments!

The Working Group's response to your comment is included below.

Please review it carefully and let us know by email at public-usable-authentication@w3.org if you agree with it or not before 26 January 2009. In case of disagreement, you are requested to provide a specific solution for or a path to a consensus with the Working Group. If such a consensus cannot be achieved, you will be given the opportunity to raise a formal objection which will then be reviewed by the Director during the transition of this document to the next stage in the W3C Recommendation Track.

Thanks,

For the Web Security Context Working Group,
Thomas Roessler
W3C Staff Contact

1. http://www.w3.org/mid/48C5729A.9020703@futureware.at
2. http://www.w3.org/TR/2008/WD-wsc-ui-20080724/

=====

Your comment on 5.1.2 Augmented Assurance Certificates:

> Hi,
>
> "To derive a human-readable subject name from an AAC, user agents MUST
> use the Subject field's Organization (O) attribute.
> If the certificate's Subject field does not have an Organization
> attribute, then user agents MUST NOT consider the certificate as an
> augmented assurance certificate, even if it chains up to an
> AA-qualified trust root. User agents MAY consider such a certificate
> as an ordinary validated certificate."
>
> The CPS's of several CA's are clearly stating that certificates for
> non-registered organisations (universities, communities, partnerships,
> ....) or non-organisations (individuals, ...) must not contain an
> Organization attribute.
>
> Taking those 2 things together, this guideline is discriminating
> against a large amount of people and institutions.
>
> My current idea to somewhat solve this problem is to use either
> Organization(O), or Surname(SN) + GivenName(GN) in case O is not
> available.
>
> Best regards,
> Philipp Gühring

Working Group Resolution (LC-2093):

Thank you. We have added the following text:

Note: Should certificates arise in the future that provide strong assurance of the holder's identity, but do not include an organization attribute, then user agents can make use of the additional assurance level and identity information without violating this specification. Such future certificates could, for example, include high assurance certificates for individuals.

----
Received on Friday, 16 January 2009 19:10:58 UTC