In June 2021, the CA/Browser Forum passed ballot SC47 to remove the organization unit (OU) field from all public trust TLS/SSL certificates.
The problem with the OU field relates to the principle that the certification authority (CA) must verify and assert the identity of the certificate subject within the subject name of the certificate. The OU field, on the other hand, is not a well-defined term, but is considered a smaller part of the organization. The CA has no method to consistently verify the smaller part of the organization and correctly assert its identity.
Without true identity, the OU field might be used to mislead the certificate’s relying parties . As an example, the organization field will state the name of the certificate subscriber entity, but the OU field might be worded to imply a different organization creating confusion. Also, some CAs may use the OU field to insert clarifying information, but that also does not improve the identity of the subscriber. In addition, the OU field provides no technical capability for browsers. Therefore, it was decided that removing OU field from TLS/SSL certificates would reduce any potential risk to browser users’.
Please note Entrust issues TLS/SSL certificates with an OU field, which have a technical capability for a specific use case. These TLS/SSL certificates are issued to support Intel vPro and AMT technology. To resolve the problem of removing the OU, the TLS/SSL certificates will be migrated and issued with a special extended key usage (2.16.840.1.1137184.108.40.206) to support vPro.
OU field deprecation only applies to TLS/SSL certificates and does not impact other digital certificate types. There are two other certificate working groups within the CA/Browser Forum that manage the requirements for Code Signing and S/MIME certificates. In the future, certificate subscribers may see new requirements that deprecate OU from other public trust certificates. In addition, some CAs may eliminate support of OUs for all certificates just to remain consistent.
The ballot change will be effective on September 1, 2022. So certificate subscribers have some time to migrate away from using the OU field.
Please click here for more information.
The post New Requirement Will Deprecate the Organization Unit (OU) Field in TLS Certificates appeared first on Entrust Blog.
*** This is a Security Bloggers Network syndicated blog from Entrust Blog authored by Travis Phillips. Read the original post at: https://www.entrust.com/blog/2021/12/new-requirement-will-deprecate-the-organization-unit-ou-field-in-tls-certificates/