Summary
For TLS server certificate issuance (excluding DV certificates), use of the organizational unit name, OU (subject:organizationalUnitName), is prohibited from 2022/09/01 onward.
The current vetting standard for this field is only "No Misleading Information"; unlike the fields that must be recorded accurately (subject:organizationName [organization name], etc.), no unambiguous vetting method can be defined for it, so the field is being retired.
Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (servercert/BR.md at main · cabforum/servercert · GitHub)
7.1.4.2.2 Subject Distinguished Name Fields
i. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11)
Required/Optional: Deprecated. Prohibited if the subject:organizationName is absent or the certificate is issued on or after September 1, 2022.
Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.
9.6.1 CA representations and warranties
The Certificate Warranties specifically include, but are not limited to, the following:
3. Accuracy of Information: That, at the time of issuance, the CA i. implemented a procedure for verifying the accuracy of all of the information contained in the Certificate (with the exception of the subject:organizationalUnitName attribute); ii. followed the procedure when issuing the Certificate; and iii. accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement;
4. No Misleading Information: That, at the time of issuance, the CA i. implemented a procedure for reducing the likelihood that the information contained in the Certificate's subject:organizationalUnitName attribute would be misleading; ii. followed the procedure when issuing the Certificate; and iii. accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement;
Scope
The following TLS server certificates are affected:
those whose Certificate Policies extension carries one of the following values (OV, IV and EV certificates).
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) organization-validated(2)} (2.23.140.1.2.2)
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) individual-validated(3)} (2.23.140.1.2.3)
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) ev-guidelines(1)} (2.23.140.1.1)
DV certificates, i.e. those carrying the following policy, are out of scope.
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) domain-validated(1)} (2.23.140.1.2.1)
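The scope rule and the 7.1.4.2.2 requirement above can be turned into a simple compliance check that a CA or a relying party could run over issued certificates. The following Go program is an added example, not code from the CA/Browser Forum or the servercert repository: it builds a few self-signed test certificates in memory (constructed data, with the placeholder host name example.test), each carrying one of the policy OIDs listed on this page, and then flags any OV/IV/EV certificate that still contains an OU attribute on or after 2022-09-01, or that has an OU while subject:organizationName is absent. The certificate policies extension is encoded by hand so the example does not depend on how a particular Go release maps Certificate.PolicyIdentifiers and Certificate.Policies at creation time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Certificate policy OIDs listed on this page (CA/Browser Forum Baseline Requirements).
var (
	OIDPolicyDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	OIDPolicyOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	OIDPolicyIV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}
	OIDPolicyEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// OUSunset is the date from which BR 7.1.4.2.2 prohibits subject:organizationalUnitName.
var OUSunset = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)

// CheckOU applies the rule to a parsed certificate. inScope is true when the
// certificate asserts an OV, IV or EV policy (DV-only certificates are exempt);
// violation is non-empty when an OU attribute is present but not allowed.
func CheckOU(cert *x509.Certificate) (inScope bool, violation string) {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(OIDPolicyOV) || p.Equal(OIDPolicyIV) || p.Equal(OIDPolicyEV) {
			inScope = true
		}
	}
	if !inScope || len(cert.Subject.OrganizationalUnit) == 0 {
		return inScope, ""
	}
	if !cert.NotBefore.Before(OUSunset) {
		return true, fmt.Sprintf("OU %v present but certificate issued %s, on or after 2022-09-01",
			cert.Subject.OrganizationalUnit, cert.NotBefore.Format("2006-01-02"))
	}
	if len(cert.Subject.Organization) == 0 {
		return true, "OU present while subject:organizationName is absent"
	}
	return true, ""
}

// policyInformation mirrors RFC 5280 PolicyInformation without qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// MakeTestCert builds a self-signed certificate (constructed test data, not a
// real issuance) carrying one certificate policy and optional O and OU values.
func MakeTestCert(org, ou string, notBefore time.Time, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test", Country: []string{"JP"}},
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, 90),
		ExtraExtensions: []pkix.Extension{{
			Id:    asn1.ObjectIdentifier{2, 5, 29, 32}, // id-ce-certificatePolicies
			Value: polDER,
		}},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if ou != "" {
		tmpl.Subject.OrganizationalUnit = []string{ou}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	after := time.Date(2022, time.October, 1, 0, 0, 0, 0, time.UTC)
	before := time.Date(2022, time.June, 1, 0, 0, 0, 0, time.UTC)
	cases := []struct {
		label, org, ou string
		notBefore      time.Time
		policy         asn1.ObjectIdentifier
	}{
		{"OV, OU, issued after sunset", "Example Corp", "IT Department", after, OIDPolicyOV},
		{"OV, OU, issued before sunset", "Example Corp", "IT Department", before, OIDPolicyOV},
		{"EV, OU, no O, before sunset", "", "IT Department", before, OIDPolicyEV},
		{"DV, OU, issued after sunset", "", "IT Department", after, OIDPolicyDV},
	}
	for _, c := range cases {
		cert, err := MakeTestCert(c.org, c.ou, c.notBefore, c.policy)
		if err != nil {
			panic(err)
		}
		inScope, v := CheckOU(cert)
		fmt.Printf("%-30s in scope=%-5v violation=%q\n", c.label, inScope, v)
	}
}
```

Only the first and third constructed certificates are flagged: the OV certificate issued after the sunset date, and the EV certificate that carries an OU without an O. A real deployment would feed CheckOU with certificates parsed from a CT log or the CA's own issuance database rather than with self-signed test data.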
Ballot (CA/Browser Forum voting result)
Ballot SC47v2: Sunset subject:organizationalUnitName | CAB Forum