[Smcwg-public] Validation Point of View

Stefan Selbitschka selbitschka at rundquadrat.at
Wed Aug 4 20:23:03 UTC 2021


Hi,

recent discussion about "organisationName" within a certificate
following the "individual" profile kept me thinking and I want to share
my thoughts.

First of all, we agreed that only validated (meaningful) content should
appear within a certificate. Following this, I matched the mailbox,
organization and individual profiles (the strict ones) to look for collisions
within the subject fields. It feels that only for the location fields
(countryName, state, locality, street) it is not clear where they belong
to - organization or individual
(https://next.rundquadrat.at/s/5SczQyp9mJnSDJt).

Leaving this aside, I thought about a validation point of view of our
certificate profiles. This means that if you would like to have more content
within your certificate, you need to pass more validations.

This would lead to two profiles:
- CA validated
- Sponsored (where parts of the validation are delegated)

CA validated profile:
---------------------
In this profile all validations are done by the CA. Here, the mailbox
validation is mandatory since we will require an email within SAN. Other
validations like organization (OV / EV) or individual (IV) depend on the
desired certificate content.

commonName: [ email | organization | gn + sn ]
   organization -> requires OV / EV
   gn + sn      -> requires IV
organizationName: only if OV / EV
givenName: only if IV
surname: only if IV
pseudonym: only if IV
serialNumber: ???
title: only if IV
countryName: only if IV or OV (which if both??)
stateOrProvinceName: only if IV or OV (which if both??)
localityName: only if IV or OV (which if both??)
streetAddress: only if IV or OV (which if both??)
organizationalIdentifier: only if OV / EV
businessCategory: only if EV
jurisdictionCountryName: only if EV
jurisdictionStateOrProvinceName: only if EV
jurisdictionLocalityName: only if EV


Sponsored profile:
------------------
In this profile validation of fixed content like organization (OV / EV)
and domain is done by the CA. The validation of the "local part" of the
email or givenName and surname is delegated to the sponsor. Here, the
sponsor can choose between email validation and, additionally, individual
validation (IV), depending on which quality of data he has.

commonName: [ email | organization | gn + sn ]
organizationName: FIXED
givenName: only if IV
surname: only if IV
pseudonym: only if IV
serialNumber: ???
title: only if IV
countryName: FIXED (from Org)
stateOrProvinceName: FIXED (from Org)
localityName: FIXED (from Org)
streetAddress: FIXED (from Org)
organizationalIdentifier: FIXED
businessCategory: FIXED if EV
jurisdictionCountryName: FIXED if EV
jurisdictionStateOrProvinceName: FIXED if EV
jurisdictionLocalityName: FIXED if EV

FIXED means that this value is taken from the organization validation
done by the CA, cannot be changed and is mandatory.

Please note, I left out fields that are identical in all profiles, like
email, other, etc., for better readability.


I was not able to solve the locality problem between organization and
individual but this needs to be discussed anyway.

In such a scenario we will miss the unique OID for different validation
types, but if we start mixing different validations like individual and
organization, the interpretation of such an OID is not clear anyway.


regards

stefan
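
The two field lists above can be read as a rule table: each subject attribute is permitted only when a given validation was performed, and in the sponsored profile the FIXED attributes are mandatory and must match what the CA validated for the organization. The following checker encodes that table and lints a subject against it. It is an added example, not code from the mail's author or from the SMCWG; the profile preconditions (mailbox validation for "CA validated", OV or EV for "sponsored"), the decision to let EV satisfy "OV", the reading of "FIXED if EV" as "mandatory under EV, absent otherwise", skipping serialNumber (still "???" in the proposal) and the sample subjects are this example's own assumptions.

```python
"""Checker for the two validation-driven subject profiles proposed in the mail.

Added example, not code from the mail's author or from the SMCWG. The field
groups encode the mail's lists; the profile preconditions, treating EV as
satisfying "OV", reading "FIXED if EV" as "mandatory when EV, absent
otherwise", skipping serialNumber (marked "???" in the proposal) and the
sample subjects are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

MAILBOX, OV, EV, IV = "mailbox", "OV", "EV", "IV"
Check = Callable[[FrozenSet[str]], bool]


def needs(*any_of: str) -> Check:
    """Attribute may appear when at least one of the listed validations was done."""
    return lambda done: bool(done & set(any_of))


@dataclass(frozen=True)
class Rule:
    allowed: Check       # validations under which the attribute may appear
    fixed: bool = False  # FIXED: mandatory and copied from the CA's OV/EV result


@dataclass(frozen=True)
class Profile:
    precondition: FrozenSet[str]  # at least one of these validations is required
    rules: Dict[str, Rule]


IV_ONLY = ("givenName", "surname", "pseudonym", "title")
ORG = ("organizationName", "organizationalIdentifier")
LOCATION = ("countryName", "stateOrProvinceName", "localityName", "streetAddress")
EV_ONLY = ("businessCategory", "jurisdictionCountryName",
           "jurisdictionStateOrProvinceName", "jurisdictionLocalityName")


def _rules(location: Check, fixed: bool) -> Dict[str, Rule]:
    table = {a: Rule(needs(IV)) for a in IV_ONLY}  # individual fields need IV in both profiles
    table.update({a: Rule(needs(OV, EV), fixed) for a in ORG})
    table.update({a: Rule(location, fixed) for a in LOCATION})
    table.update({a: Rule(needs(EV), fixed) for a in EV_ONLY})
    return table


PROFILES = {
    # CA validated: mailbox validation mandatory, location fields "only if IV or OV".
    "ca-validated": Profile(frozenset({MAILBOX}), _rules(needs(IV, OV, EV), fixed=False)),
    # Sponsored: the CA did OV/EV; organization and location fields are FIXED from it.
    "sponsored": Profile(frozenset({OV, EV}), _rules(needs(OV, EV), fixed=True)),
}
UNCHECKED = {"commonName", "serialNumber"}  # commonName handled below, serialNumber undecided


def check_subject(profile_name: str, done, subject: Dict[str, str], san_email: str,
                  org_values: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of violations; an empty list means the subject fits the profile."""
    profile, done, org_values = PROFILES[profile_name], frozenset(done), org_values or {}
    problems: List[str] = []
    if not done & profile.precondition:
        problems.append(f"profile requires one of {sorted(profile.precondition)}")
    for attr, rule in profile.rules.items():
        present, allowed = attr in subject, rule.allowed(done)
        if present and not allowed:
            problems.append(f"{attr}: present but its validation was not performed")
        if rule.fixed and allowed:
            if not present:
                problems.append(f"{attr}: FIXED field missing")
            elif subject[attr] != org_values.get(attr):
                problems.append(f"{attr}: differs from organisation-validated value")
    problems += [f"{a}: not part of this profile" for a in subject
                 if a not in profile.rules and a not in UNCHECKED]
    cn = subject.get("commonName")  # must be the email, the organization, or gn + sn
    if cn is not None:
        full_name = f"{subject.get('givenName', '')} {subject.get('surname', '')}".strip()
        if not ((cn == san_email and MAILBOX in done)
                or (cn == subject.get("organizationName") and done & {OV, EV})
                or (cn == full_name and IV in done)):
            problems.append("commonName: not a validated email, organisation, or gn + sn")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed samples: one smuggled organizationName, one conforming sponsored subject."""
    org = {"organizationName": "Example Org", "countryName": "AT", "stateOrProvinceName": "Wien",
           "localityName": "Wien", "streetAddress": "Beispielgasse 1",
           "organizationalIdentifier": "NTRAT-000000"}  # constructed placeholder values
    iv_only = {"commonName": "Jane Doe", "givenName": "Jane", "surname": "Doe",
               "organizationName": "Example Org"}       # organizationName without OV
    sponsored = dict(org, commonName="Example Org", givenName="Jane", surname="Doe")
    return {
        "ca-validated": check_subject("ca-validated", {MAILBOX, IV}, iv_only, "jane@example.com"),
        "sponsored": check_subject("sponsored", {OV, IV, MAILBOX}, sponsored, "jane@example.com", org),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "conforms")
```

The checker deliberately leaves the two open questions open: location fields are accepted under either IV or OV without deciding which validation the value comes from, and serialNumber is passed through unchecked, so the table can be tightened once the list settles those points.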

