[Smcwg-public] [External Sender] Re: RE: Individual email addresses in OV certs

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Sep 18 06:25:35 UTC 2023


Hi Pedro,

I think you didn't get what I mean (Jochem did). I wasn't referring to 
the domain part but rather the local part of the email address. To give 
an example, I don't see any problem in an OV cert that contains an email 
address of the type ExampleLtd at gmail.com, although obviously gmail.com 
is a Google domain and not of Example Ltd., while I am a bit perplexed 
by an OV cert issued for Example Ltd. containing an email address of the 
type Name.Surname at example.com, especially without knowing whether this 
address was validated with the BR method 3.2.2.1 (via domain) rather 
than 3.2.2.2 (via email). In the second case, the applicant demonstrated 
that he/she only controls the Name.Surname mailbox, but applied for an 
OV cert which (email aside) contains his/her company's identity; these 
two things don't seem to go together well, somehow, IMO.

Regards
     Adriano


On 16/09/2023 09:27, Pedro FUENTES wrote:
> 
> We should maybe just understand that there are companies that don’t 
> have a corporate mail service.
>
> IMHO… Once the mailbox is validated, the domain component is not 
> relevant.
>
>
>> On 16 Sept 2023 at 07:23, Adriano Santoni via Smcwg-public 
>> <smcwg-public at cabforum.org> wrote:
>>
>> 
>>
>> Hi Jochem,
>>
>> thanks for sharing your thoughts; as you say, they don't answer my 
>> question, but they do add useful insight.
>>
>> Adriano
>>
>>
>> On 15/09/2023 17:17, Berge, Jochem Van den wrote:
>>>
>>>
>>>
>>> Hi Adriano,
>>>
>>> I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I 
>>> think you might have a point that it is not defined in the SBRG:
>>>
>>> This section defines the permitted processes and procedures for 
>>> confirming the *Applicant's control* of Mailbox Addresses to be 
>>> included in issued Certificates.
>>>
>>> As far as I can see, if the Applicant (or its representative) can 
>>> demonstrate control over the mailbox in question it looks like it is 
>>> allowed. Other entries in section 3 or in section 7 are mute on this 
>>> point.
>>>
>>> If you look at TLS certificates the relation between the (owner of 
>>> a) FQDN and the organization included in the certificate can be (and 
>>> often is) different (provided the applicant can prove to have 
>>> control over the FQDN).
>>>
>>> The same kind of mechanic could apply here. I think it boils down to 
>>> if it ever was the intent to derive any identifying information from 
>>> an email address or only use it for a cryptographic link (like TLS)?
>>>
>>> If the decision would be that the email address should have some 
>>> identifying properties I just realized that except for the obvious 
>>> cases (like the one you addressed) it is very difficult to put such 
>>> a requirement into words. What would be the definition of an 
>>> organization controlled email address? And how would a CA be able to 
>>> check that it is? The example you list of sole proprietorships can 
>>> also be tricky to check by a CA, and potentially opens up a can of 
>>> worms.
>>>
>>> Long story short, my take is that it is possible and that this isn't 
>>> something we can easily fix. I think it boils down to a more 
>>> fundamental choice of what the intent is of the different types of 
>>> profiles as defined in the SBRGs. Seeing that I wasn't involved with 
>>> the earliest beginning of this WG I can't answer that question, but I 
>>> hope that others can shed some light on it :)
>>>
>>> Kind Regards,
>>>
>>> Jochem van den Berge
>>>
>>> Architect PKIoverheid
>>>
>>> *Logius*
>>>
>>> Digital Government Service
>>>
>>> Ministry of the Interior and Kingdom Relations
>>>
>>> ........................................................................
>>>
>>> *M* (+31) (0)6 – 21 16 26 89
>>>
>>> *T* (+31) (0)70 - 888 76 91
>>>
>>> jochem.vanden.berge at logius.nl <mailto:jochem.vanden.berge at logius.nl>
>>> www.logius.nl <http://www.logius.nl/>
>>>
>>> workdays Mo-Tue & Thu-Fri
>>>
>>> ........................................................................
>>>
>>> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On behalf of* 
>>> Adriano Santoni via Smcwg-public
>>> *Sent:* Friday 15 September 2023 06:55
>>> *To:* smcwg-public at cabforum.org
>>> *Subject:* [Smcwg-public] Individual email addresses in OV certs
>>>
>>> Hello all,
>>>
>>> given that an S/MIME OV certificate is characterized by the fact 
>>> that it conveys the identity of an organization, is it acceptable 
>>> for an OV certificate to contain an email address that is clearly 
>>> associated with an individual mailbox (e.g. 
>>> name.surname at companydomain.tld)?
>>>
>>> If I'm not mistaken, this aspect is not touched on in the BR and it 
>>> therefore seems reasonable to assume that the above case is 
>>> permitted. However, the fact that the Applicant only controls an 
>>> individual email address somehow feels "inappropriate" for an OV 
>>> certificate, so to say.
>>>
>>> It seems okay for sole proprietorships, but in other cases (legal 
>>> persons with several employees) it seems inconsistent.
>>>
>>> Maybe the answer is already there, in the BR, but I cannot see it.
>>>
>>> Any comments welcome.
>>>
>>> Adriano
>>>
>>>
>>> ------------------------------------------------------------------------
>>> This message may contain information that is not intended for you. 
>>> If you are not the addressee or if this message was sent to you by 
>>> mistake, you are requested to inform the sender and delete the 
>>> message. The State accepts no liability for damage of any kind 
>>> resulting from the risks inherent in the electronic transmission of 
>>> messages.
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public

