- From: Philipp Gühring <pg AT futureware.at>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] No Identity info in SSL server cert?
- Date: Sun, 13 May 2007 19:48:23 +0200
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
- Organization: Futureware 2001
Hi,
> OK, so as promised, let's check this bug out.
>
> I checked my certificate for SSL use and it has no
> identifying info in (for example) the OU field. (Whereas my
> individual email certs do have my name in them.) This
> matches the above claim made on the wiki as found by mfolimun.
Ok, I'll try to explain it again:
X.509 has 3 common fields for putting the name into:
CN (CommonName)
O (Organisation)
OU (OrganisationUnit, could be translated as department)
O and OU are reserved for organisations. (Some CAs put other weird stuff in
those fields, but CAcert doesn't want to abuse those fields.)
CN is filled with the personal name for client certificates, and filled with
the servername for server certificates.
I personally guess that the X.509 designers originally didn't think that
individuals who are not associated with any organisation exist that would
ever have enough money to buy themselves a server certificate.
> I checked one other CA's cert for some website, and the
> owner was identified in the OU field.
Yes, Peter Gutmann has a long list of weird X.509 practices in his
styleguide ...
> Why does CAcert's CA strip any identifying info from the
> other fields? Is there a reason why this is so?
* We haven't found a field we could put it into in a sane way.
* We didn't want to create our own proprietary extension.
* There wasn´t enough demand for it yet
* Nobody reads the values in those fields anyway
Choose any 3 of the 4 options
> (I can imagine many myself ... but I want to hear the CA's
> reasons.)
Which ones did you imagine?
> Then, in the CPS, it states that:
>
> Relying Party Statement
> A relying party may rely on the User named in a certificate
> having been assured to at least 50 points.
> Now, we could argue that both ways, in comparison to the
> above. But for integrity of claim, we should be clear what
> we are intending to do here; and rewrite that relying party
> statement ... or the certs policy ... to match.
The Relying Party Statement does not say that we put the name of the user in
a certificate in any case. It just says that you may rely on it if the user
is named.
> Comments?
Well, that's why I pushed to have a standardisation officer to work on issues
like that: that X.509 is missing a PersonalName field.
(Which led to funny situations like Firefox demanding Firefox Extensions to
be signed by Organisations, and claiming that extensions which are correctly
signed by individuals are "unsigned".)
Is anyone interested in representing CAcert in various standardisation bodies?
Best regards,
Philipp Gühring
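As an added example (not from the post, and not CAcert's own code), here is a small Python relying-party check that parses a subject DN and reports which name, if any, the Relying Party Statement lets you lean on, following the CN/O/OU usage described in the mail; the DN strings, host names and person names in it are constructed.

```python
# Added example, not CAcert code.  Assumes RFC 4514 string DNs and the
# practice described above: CN = person (client cert) or host (server cert),
# O/OU empty for individuals who belong to no organisation.
HEX = set("0123456789abcdefABCDEF")

def parse_dn(dn):
    """RFC 4514 DN string -> list of RDNs, each a list of (type, value).
    Handles '\\' escapes (incl. '\\2C' hex pairs) and '+' multi-valued RDNs."""
    rdns, cur, buf, attr, i = [], [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and set(nxt) <= HEX:
                buf.append(chr(int(nxt, 16)))   # hex-escaped octet
                i += 3
            else:
                buf.append(dn[i + 1])            # escaped special, e.g. '\,'
                i += 2
            continue
        if c == "=" and attr is None:           # end of attribute type
            attr, buf = "".join(buf).strip().upper(), []
        elif c in ",+":                         # end of value ('+' = same RDN)
            cur.append((attr, "".join(buf).strip()))
            buf, attr = [], None
            if c == ",":
                rdns.append(cur)
                cur = []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        cur.append((attr, "".join(buf).strip()))
    if cur:
        rdns.append(cur)
    return rdns

def named_user(dn, server_cert):
    """The 'User named in a certificate' a relying party may lean on, or None.
    Client cert: CN is the person.  Server cert: CN is only the host name, so
    a name can come only from O/OU, which CAcert leaves empty for individuals."""
    wanted = ("O", "OU") if server_cert else ("CN",)
    for rdn in parse_dn(dn):
        for t, v in rdn:
            if t in wanted and v:
                return v
    return None
```

For a CAcert server certificate issued to an individual, `named_user(..., server_cert=True)` returns None, which is exactly the case the Relying Party Statement does not cover.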