[Smcwg-public] [External Sender] Re: Re: RE: Individual email addresses in OV certs

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Sep 18 07:21:54 UTC 2023


Pedro,

I am not sure why, but it seems you are completely misunderstanding what 
I am writing here.

I am not talking about TLS certs. Of course I am referring to S/MIME 
certificates.

You might have noticed I said "S/MIME" in my first mail....

Maybe my English needs some improvement.... :(

Adriano


On 18/09/2023 09:07, Pedro FUENTES wrote:
> HI Adriano,
> Sorry, as this is the SM WG I thought you were referring to S/MIME 
> certificates, not to TLS certs.
>
> The rule of thumb is that CAs must ensure that any identity information 
> included in a certificate is validated. In particular, the latest version 
> of the BR says in 7.1.2.7.4 that the email is “Not Recommended”, and 
> the referenced section 7.1.4.4 says that it’s required to “Ensure that 
> the contents contain information that has been verified by the CA, 
> independent of the Applicant”.
>
> Therefore, it shouldn't happen that a CA includes an email that has 
> not been verified… assuming that the email is still permitted, which I 
> understand is not if we apply the “default deny” thing here.
>
> Best,
> Pedro
>
>> On 18 Sep 2023, at 08:25, Adriano Santoni via Smcwg-public 
>> <smcwg-public at cabforum.org> wrote:
>>
>> Hi Pedro,
>>
>> I think you didn't get what I mean (Jochem did). I wasn't referring 
>> to the domain part but rather the local part of the email address. To 
>> give an example, I don't see any problem in an OV cert that contains 
>> an email address of the type ExampleLtd at gmail.com, although 
>> obviously gmail.com is a Google domain and not of 
>> Example Ltd., while I am a bit perplexed by an OV cert issued for 
>> Example Ltd. containing an email address of the 
>> type Name.Surname at example.com, especially without knowing whether this 
>> address was validated with the BR method 3.2.2.1 (via domain) rather 
>> than 3.2.2.2 (via email). In the second case, the applicant 
>> demonstrated that he/she only controls the Name.Surname mailbox, but 
>> applied for an OV cert which (email aside) contains his/her company's 
>> identity; these two things don't seem to go together well, somehow, IMO.
>>
>> Regards
>>     Adriano
>>
>>
>> On 16/09/2023 09:27, Pedro FUENTES wrote:
>>> 
>>> We should maybe just understand that there are companies that don’t 
>>> have a corporate mail service.
>>>
>>> IMHO… Once the mailbox is validated, the domain component is not 
>>> relevant.
>>>
>>>
>>>> On 16 Sept 2023 at 07:23, Adriano Santoni via 
>>>> Smcwg-public <smcwg-public at cabforum.org> wrote:
>>>>
>>>> 
>>>>
>>>> Hi Jochem,
>>>>
>>>> thanks for sharing your thoughts; as you say, they don't answer my 
>>>> question, but they do add useful insight.
>>>>
>>>> Adriano
>>>>
>>>>
>>>> On 15/09/2023 17:17, Berge, Jochem Van den wrote:
>>>>> Hi Adriano,
>>>>> I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I 
>>>>> think you might have a point that it is not defined in the SBRG:
>>>>> "This section defines the permitted processes and procedures for 
>>>>> confirming the Applicant’s control of Mailbox Addresses to be 
>>>>> included in issued Certificates."
>>>>> As far as I can see, if the Applicant (or its representative) can 
>>>>> demonstrate control over the mailbox in question it looks like it 
>>>>> is allowed. Other entries in section 3 or in section 7 are mute on 
>>>>> this point.
>>>>> If you look at TLS certificates the relation between the (owner of 
>>>>> a) FQDN and the organization included in the certificate can be 
>>>>> (and often is) different (provided the applicant can prove to have 
>>>>> control over the FQDN).
>>>>> The same kind of mechanic could apply here. I think it boils down 
>>>>> to whether it ever was the intent to derive any identifying information 
>>>>> from an email address or only to use it for a cryptographic link 
>>>>> (like TLS).
>>>>> If the decision would be that the email address should have some 
>>>>> identifying properties, I just realized that except for the obvious 
>>>>> cases (like the one you addressed) it is very difficult to put 
>>>>> such a requirement into words. What would be the definition of an 
>>>>> organization-controlled email address? And how would a CA be able 
>>>>> to check that it is? The example you list of sole proprietorships 
>>>>> can also be tricky to check by a CA, and potentially opens up a 
>>>>> can of worms.
>>>>> Long story short, my take is that it is possible and that isn’t 
>>>>> something we can easily fix. I think it boils down to a more 
>>>>> fundamental choice of what the intent is of the different types of 
>>>>> profiles as defined in the SBRGs. Seeing that I wasn’t involved 
>>>>> with the earliest beginning of this WG I can’t answer that 
>>>>> question, but I hope that others can shed some light on it.
>>>>> Kind Regards,
>>>>> Jochem van den Berge
>>>>> Architect PKIoverheid
>>>>> Logius
>>>>> Digital Government Service
>>>>> Ministry of the Interior and Kingdom Relations
>>>>> M (+31) (0)6 – 21 16 26 89
>>>>> T (+31) (0)70 - 888 76 91
>>>>> jochem.vanden.berge at logius.nl
>>>>> www.logius.nl <http://www.logius.nl/>
>>>>> workdays Mo-Tue & Thu-Fri
>>>>> From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Adriano 
>>>>> Santoni via Smcwg-public
>>>>> Sent: Friday 15 September 2023 06:55
>>>>> To: smcwg-public at cabforum.org
>>>>> Subject: [Smcwg-public] Individual email addresses in OV certs
>>>>>
>>>>> Hello all,
>>>>>
>>>>> given that an S/MIME OV certificate is characterized by the fact 
>>>>> that it conveys the identity of an organization, is it acceptable 
>>>>> for an OV certificate to contain an email address that is clearly 
>>>>> associated with an individual mailbox 
>>>>> (e.g. name.surname at companydomain.tld)?
>>>>>
>>>>> If I'm not mistaken, this aspect is not touched on in the BR and 
>>>>> it therefore seems reasonable to assume that the above case is 
>>>>> permitted. However, the fact that the Applicant only controls an 
>>>>> individual email address somehow feels "inappropriate" for an OV 
>>>>> certificate, so to say.
>>>>>
>>>>> It seems okay for sole proprietorships, but in other cases (legal 
>>>>> persons with several employees) it seems inconsistent.
>>>>>
>>>>> Maybe the answer is already there, in the BR, but I cannot see it.
>>>>>
>>>>> Any comments welcome.
>>>>>
>>>>> Adriano
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Smcwg-public mailing list
>>>> Smcwg-public at cabforum.org
>>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
> WISeKey SA
> Pedro Fuentes
> CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00
> Mobile: + 41 (0) 791 274 790
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
> Stay connected with WISeKey <http://www.wisekey.com>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230918/c7da3dd3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4461 bytes
Desc: S/MIME cryptographic signature
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230918/c7da3dd3/attachment-0001.p7s>
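The thread turns on two facts a reviewer can read out of the certificate itself (which SMIME BR profile the policy OID claims, and which rfc822Name entries the SubjectAltName carries) plus one fact only the CA's own records hold (whether each mailbox was validated by domain control per 3.2.2.1 or by mailbox control per 3.2.2.2). The following stdlib-only Python is an added example, not code from the CA/B Forum, from any CA, or from anyone on this list: it decodes both DER extension values directly, and reports the combination Adriano asks about, an organization-validated profile carrying an individual-looking mailbox whose control was shown only via 3.2.2.2. Assumptions: the policy arcs `2.23.140.1.5.<profile>` listed in `PROFILE_ARCS`, the `looks_individual` heuristic (a name.surname-style local part; no BR defines this), the `validation_methods` mapping standing in for a CA's validation record, and the sample extension values, which are constructed in `build_sample`.

```python
"""Review mailbox addresses in an S/MIME cert against its claimed SMIME BR profile.
Constructed example (not CA/B Forum or CA code); stdlib only."""
import re

# Assumption: SMIME BR policy OID arcs 2.23.140.1.5.<profile>.<generation>.
PROFILE_ARCS = {
    "2.23.140.1.5.1": "mailbox-validated",
    "2.23.140.1.5.2": "organization-validated",
    "2.23.140.1.5.3": "sponsor-validated",
    "2.23.140.1.5.4": "individual-validated",
}
# Role mailboxes that do not name a person (heuristic list, an assumption).
ROLE_LOCAL_PARTS = {"info", "sales", "support", "admin", "office", "contact",
                    "billing", "noreply", "no-reply", "postmaster", "legal"}


def der_tlv(tag, payload):
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_iter(data):
    """Yield (tag, value) for each TLV in a DER SEQUENCE body."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + n]
        i += n


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """DER OID body (without tag/length) -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_policy_oids(ext_value):
    """CertificatePolicies ::= SEQUENCE OF PolicyInformation { OID, ... }."""
    _, body = next(der_iter(ext_value))
    oids = []
    for _, pi in der_iter(body):
        tag, oid_body = next(der_iter(pi))
        if tag == 0x06:
            oids.append(decode_oid(oid_body))
    return oids


def parse_rfc822_names(ext_value):
    """SubjectAltName ::= SEQUENCE OF GeneralName; rfc822Name is [1] IA5String (tag 0x81)."""
    _, body = next(der_iter(ext_value))
    return [v.decode("ascii") for t, v in der_iter(body) if t == 0x81]


def smime_profile(oids):
    for oid in oids:
        for arc, name in PROFILE_ARCS.items():
            if oid == arc or oid.startswith(arc + "."):
                return name
    return None


def looks_individual(local):
    """Heuristic, an assumption: two or more alphabetic tokens like name.surname."""
    if local.lower() in ROLE_LOCAL_PARTS:
        return False
    tokens = re.split(r"[._-]", local)
    return len(tokens) >= 2 and all(t.isalpha() for t in tokens)


def review(policies_der, san_der, validation_methods):
    """validation_methods: address -> BR section the CA used ('3.2.2.1' domain
    control or '3.2.2.2' mailbox control); stands in for the CA's own record."""
    profile = smime_profile(parse_policy_oids(policies_der))
    findings = []
    for addr in parse_rfc822_names(san_der):
        local, _, _domain = addr.rpartition("@")
        method = validation_methods.get(addr, "unknown")
        if profile == "organization-validated" and looks_individual(local) \
                and method != "3.2.2.1":
            findings.append(f"{addr}: individual-looking mailbox in {profile} "
                            f"cert, control shown via {method}")
    return profile, findings


def build_sample():
    """Constructed extension values: OV legacy policy, two rfc822Name SANs."""
    policies = der_tlv(0x30, der_tlv(0x30, encode_oid("2.23.140.1.5.2.1")))
    san = der_tlv(0x30, der_tlv(0x81, b"name.surname@example.com")
                  + der_tlv(0x81, b"ExampleLtd@gmail.com"))
    return policies, san


if __name__ == "__main__":
    pol, san = build_sample()
    print(review(pol, san, {"name.surname@example.com": "3.2.2.2",
                            "ExampleLtd@gmail.com": "3.2.2.2"}))
```

Note what the check does and does not decide: `ExampleLtd@gmail.com` is never flagged, matching Adriano's point that the domain part is not the issue, and `name.surname@example.com` is flagged only when the CA's record says mailbox control (3.2.2.2) rather than domain control (3.2.2.1). Whether that combination is actually disallowed is the policy question the thread leaves open; the script only surfaces it for a human reviewer.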


More information about the Smcwg-public mailing list