[Smcwg-public] [External Sender] Re: Re: RE: Individual email addresses in OV certs
Adriano Santoni
adriano.santoni at staff.aruba.it
Mon Sep 18 07:21:54 UTC 2023
Pedro,
I am not sure why, but it seems you are completely misunderstanding what
I am writing here.
I am not talking about TLS certs. Of course I am referring to S/MIME
certificates.
You might have noticed I said "S/MIME" in my first mail....
Maybe my English needs some improvement.... :(
Adriano
On 18/09/2023 09:07, Pedro FUENTES wrote:
> Hi Adriano,
> Sorry, as this is the SM WG I thought you were referring to S/MIME
> certificates, not to TLS certs.
>
> The rule of thumb is that CAs must ensure that any identity information
> included in a certificate is validated. In particular, the latest version
> of the BR says in 7.1.2.7.4 that the email is “Not Recommended”, and
> the referenced section 7.1.4.4 says that it’s required to “Ensure that
> the contents contain information that has been verified by the CA,
> independent of the Applicant”.
>
> Therefore, it shouldn't happen that a CA includes an email that has
> not been verified… assuming that the email is still permitted, which I
> understand is not if we apply the “default deny” thing here.
>
> Best,
> Pedro
>
>> On 18 Sep 2023, at 08:25, Adriano Santoni via Smcwg-public
>> <smcwg-public at cabforum.org> wrote:
>>
>> Hi Pedro,
>>
>> I think you didn't get what I mean (Jochem did). I wasn't referring
>> to the domain part but rather the local part of the email address. To
>> give an example, I don't see any problem in an OV cert that contains
>> an email address of the type ExampleLtd at gmail.com, although
>> obviously gmail.com is a Google domain and not of
>> Example Ltd., while I am a bit perplexed by an OV cert issued for
>> Example Ltd. containing an email address of the
>> type Name.Surname at example.com, especially without knowing whether this
>> address was validated with the BR method 3.2.2.1 (via domain) rather
>> than 3.2.2.2 (via email). In the second case, the applicant
>> demonstrated that he/she only controls the Name.Surname mailbox, but
>> applied for an OV cert which (email aside) contains his/her company's
>> identity; these two things don't seem to go together well, somehow, IMO.
>>
>> Regards
>> Adriano
>>
>>
>> On 16/09/2023 09:27, Pedro FUENTES wrote:
>>>
>>> We should maybe just understand that there are companies that don’t
>>> have a corporate mail service.
>>>
>>> IMHO… Once the mailbox is validated, the domain component is not
>>> relevant.
>>>
>>>
>>>> On 16 Sep 2023 at 07:23, Adriano Santoni via
>>>> Smcwg-public <smcwg-public at cabforum.org> wrote:
>>>>
>>>>
>>>>
>>>> Hi Jochem,
>>>>
>>>> thanks for sharing your thoughts; as you say, they don't answer my
>>>> question, but they do add useful insight.
>>>>
>>>> Adriano
>>>>
>>>>
>>>> On 15/09/2023 17:17, Berge, Jochem Van den wrote:
>>>>> Hi Adriano,
>>>>> I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I
>>>>> think you might have a point that it is not defined in the SBRG:
>>>>> "This section defines the permitted processes and procedures for
>>>>> confirming the Applicant’s control of Mailbox Addresses to be
>>>>> included in issued Certificates."
>>>>> As far as I can see, if the Applicant (or its representative) can
>>>>> demonstrate control over the mailbox in question it looks like it
>>>>> is allowed. Other entries in section 3 or in section 7 are silent on
>>>>> this point.
>>>>> If you look at TLS certificates the relation between the (owner of
>>>>> a) FQDN and the organization included in the certificate can be
>>>>> (and often is) different (provided the applicant can prove to have
>>>>> control over the FQDN).
>>>>> The same kind of mechanic could apply here. I think it boils down
>>>>> to whether it ever was the intent to derive any identifying information
>>>>> from an email address or only use it for a cryptographic link
>>>>> (like TLS)?
>>>>> If the decision would be that the email address should have some
>>>>> identifying properties I just realized that except for the obvious
>>>>> cases (like the one you addressed) it is very difficult to put
>>>>> such a requirement into words. What would be the definition of an
>>>>> organization controlled email address? And how would a CA be able
>>>>> to check that it is? The example you list of sole proprietorships
>>>>> can also be tricky to check by a CA, and potentially opens up a
>>>>> can of worms.
>>>>> Long story short, my take is that it is possible and that isn’t
>>>>> something we can easily fix. I think it boils down to a more
>>>>> fundamental choice of what the intent is of the different types of
>>>>> profiles as defined in the SBRGs. Seeing that I wasn’t involved
>>>>> with the earliest beginning of this WG I can’t answer that
>>>>> question but I hope that others can shed some light on it.
>>>>> Kind Regards,
>>>>> Jochem van den Berge
>>>>> Architect PKIoverheid
>>>>> Logius
>>>>> Digital Government Service
>>>>> Ministry of the Interior and Kingdom Relations
>>>>> M (+31) (0)6 - 21 16 26 89
>>>>> T (+31) (0)70 - 888 76 91
>>>>> jochem.vanden.berge at logius.nl
>>>>> www.logius.nl
>>>>> workdays Mo-Tue & Thu-Fri
>>>>> From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Adriano
>>>>> Santoni via Smcwg-public
>>>>> Sent: Friday, 15 September 2023 06:55
>>>>> To: smcwg-public at cabforum.org
>>>>> Subject: [Smcwg-public] Individual email addresses in OV certs
>>>>>
>>>>> Hello all,
>>>>>
>>>>> given that an S/MIME OV certificate is characterized by the fact
>>>>> that it conveys the identity of an organization, is it acceptable
>>>>> for an OV certificate to contain an email address that is clearly
>>>>> associated with an individual mailbox
>>>>> (e.g. name.surname at companydomain.tld)?
>>>>>
>>>>> If I'm not mistaken, this aspect is not touched on in the BR and
>>>>> it therefore seems reasonable to assume that the above case is
>>>>> permitted. However, the fact that the Applicant only controls an
>>>>> individual email address somehow feels "inappropriate" for an OV
>>>>> certificate, so to say.
>>>>>
>>>>> It seems okay for sole proprietorships, but in other cases (legal
>>>>> persons with several employees) it seems inconsistent.
>>>>>
>>>>> Maybe the answer is already there, in the BR, but I cannot see it.
>>>>>
>>>>> Any comments welcome.
>>>>>
>>>>> Adriano
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Smcwg-public mailing list
>>>> Smcwg-public at cabforum.org
>>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
> WISeKey SA
> Pedro Fuentes
> CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00
> Mobile: + 41 (0) 791 274 790
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
> Stay connected with WISeKey <http://www.wisekey.com>
>