Two observations:
First, it seems to me that the Baseline Requirements allow
transformations of the organization's name only if the CA documents
such transformations. I am unable to find such documentation in
DigiCert's CP and CPS documents. Am I missing something?
Second, while verifying that the applicant indeed represents a
specific real organization is a difficult problem, in the case where
the country that the certificate designates operates an
online-queryable database of registered businesses, associations,
etc., it should be entirely feasible to eliminate the failure mode
where the certificate's organization field is (absent documented
transformations permitted under the Baseline Requirements) not
canonically equivalent (in the Unicode sense) to the name of any
organization registered in the country that the certificate
designates. That (inferring from the certificate for
www.alandsbanken.fi) there isn't a technical process that would by
necessity remove diacritical marks from the organization field and
that the certificate for www.saastopankki.fi has them removed is
strongly suggestive that DigiCert's process for validating
Finland-based organizations does not include as a mandatory part either
the retrieval of the organization's name via an online API to the
business registry or a human CA representative copying and pasting the
organization's name from a browser view to the business registry.
While the Baseline Requirements clearly permit relying on an opinion
letter, which is vulnerable to failure modes such as the author of the
opinion letter helpfully omitting diacritical marks (perhaps assuming
that foreign systems couldn't deal with them) or the recipient of an
opinion letter failing to precisely input a name displayed on the
opinion letter into a computer system, I wonder: When a given country
has an online-queryable business registry, why isn't it either
recommended or required to import names digitally from the business
registry into certificates? Such practice would eliminate the failure
mode of the certificate designating a name that doesn't match any
entry in the business registry for such country. (Obviously, if it were
_required_, the BRs would need to include a list of countries whose
business registry is considered online-queryable in the sense that the
requirement would apply, but unwillingness to maintain such a list
does not explain why it isn't even recommended.)
>> In the Finnish language, ä
>> and ö are considered to be distinct letters from a and o (so distinct
>> that they sort to the end of the alphabet), so from that perspective,
>> one could argue that the transformation is not "slight" for trade
>> names themselves even though it is customary for transforming trade
>> names into domain names[1].
>>
>> Clearly, this isn't a matter of technical limitation, because DigiCert
>> was able to put "Ålandsbanken Abp" in the O field of the cert for
>> https://www.alandsbanken.fi/ .
>>
>> [1] https://www.saastopankki.fi/ is the primary address to which
>> http://säästöpankki.fi/ (but not https!) redirects. Web site operators
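As an added illustration that is not part of the original post and not a description of any CA's actual tooling, the Python below shows the distinction the post relies on: canonical equivalence in the Unicode sense (precomposed "Å" versus "A" plus a combining ring are the same name) as opposed to the lossy removal of diacritical marks ("Säästöpankki" becoming "Saastopankki"), which is a different name. The registry contents and the certificate O fields are constructed sample strings, not records from any real business registry or certificate; the classification function is an assumed helper written for this example.

```python
import unicodedata

# Constructed sample "registry" (illustrative strings only, not real
# Finnish business-registry records). Names are stored as entered, so a
# decomposed Å (A + COMBINING RING ABOVE) is deliberately included to show
# that canonical equivalence still matches it.
REGISTRY = (
    "Säästöpankki Oy",
    "A\u030Alandsbanken Abp",   # decomposed form of "Ålandsbanken Abp"
    "Oy Nordic Pizza Ab",
)


def canonically_equivalent(a: str, b: str) -> bool:
    """True when a and b are canonically equivalent in the Unicode sense.

    NFC normalisation maps every canonically equivalent sequence to one
    composed form, so comparing the NFC forms answers the question.
    """
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def strip_diacritics(s: str) -> str:
    """Lossy transformation: decompose and drop combining marks.

    'Säästöpankki' -> 'Saastopankki'. This is NOT a canonical
    equivalence; in Finnish ä and ö are separate letters, so the result
    is a different name.
    """
    decomposed = unicodedata.normalize("NFD", s)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify_o_field(o_field: str, registry=REGISTRY) -> str:
    """Compare a certificate's O field against the registry.

    Returns one of:
      'exact'               - canonically equivalent to a registered name
      'diacritics-stripped' - matches a registered name only after
                              diacritical marks are removed (the failure
                              mode described in the post)
      'no-match'            - matches nothing
    """
    for name in registry:
        if canonically_equivalent(o_field, name):
            return "exact"
    stripped = strip_diacritics(o_field)
    for name in registry:
        if stripped == strip_diacritics(name):
            return "diacritics-stripped"
    return "no-match"


def demo() -> dict:
    """Run the classifier over constructed O fields and return the results."""
    samples = (
        "Säästöpankki Oy",      # as registered
        "Saastopankki Oy",      # diacritics removed: a different name
        "Ålandsbanken Abp",     # precomposed Å, registry holds decomposed
        "Alandsbanken Abp",     # diacritics removed
        "Saastopankki Oyj",     # wrong company form, nothing matches
    )
    return {o: classify_o_field(o) for o in samples}


if __name__ == "__main__":
    for o_field, verdict in demo().items():
        print(f"{o_field!r:28} -> {verdict}")
```

The check is deliberately one-directional: a registry lookup that returns "exact" says the O field names a registered organisation, while "diacritics-stripped" is exactly the case the post argues a digital import from the registry would have prevented.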