[Smcwg-public] Re: RE: Individual email addresses in OV certs

Pedro FUENTES pfuentes at WISEKEY.COM
Mon Sep 18 07:39:05 UTC 2023


Adriano, sorry again to you and the group for spamming with nonsense.

Not your English, but it’s me not reading properly and the “OV” terminology did mislead me for some reason.

Anyhow, I’d be in agreement with what Dimitris just said. We can have the role of a “representative” of the company who uses their individual email, and as long as it is validated, it should be OK, even if the validation method is other than 3.2.2.2.

BR/P


> On 18 Sep 2023, at 09:21, Adriano Santoni <adriano.santoni at staff.aruba.it> wrote:
> 
> Pedro,
> 
> I am not sure why, but it seems you are completely misunderstanding what I am writing here.
> 
> I am not talking about TLS certs. Of course I am referring to S/MIME certificates. 
> 
> You might have noticed I said "S/MIME" in my first mail....
> 
> Maybe my English needs some improvement.... :(
> 
> Adriano
> 
> 
> 
> On 18/09/2023 09:07, Pedro FUENTES wrote:
>> Hi Adriano, 
>> Sorry, as this is the SM WG I thought you were referring to S/MIME certificates, not to TLS certs.
>> 
>> The rule of thumb is that CAs must ensure that any identity information included in a certificate is validated. In particular… the latest version of the BR says in 7.1.2.7.4 that the email is “Not Recommended”, and the referenced section 7.1.4.4 says that it’s required to “Ensure that the contents contain information that has been verified by the CA, independent of the Applicant”.
>> 
>> Therefore, it shouldn't happen that a CA includes an email that has not been verified… assuming that the email is still permitted, which I understand is not if we apply the “default deny” thing here.
>> 
>> Best,
>> Pedro
>> 
>>> On 18 Sep 2023, at 08:25, Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org> wrote:
>>> 
>>> Hi Pedro,
>>> 
>>> I think you didn't get what I mean (Jochem did). I wasn't referring to the domain part but rather the local part of the email address. To give an example, I don't see any problem in an OV cert that contains an email address of the type ExampleLtd at gmail.com, although obviously gmail.com is a Google domain and not of Example Ltd., while I am a bit perplexed by an OV cert issued for Example Ltd. containing an email address of the type Name.Surname at example.com, especially without knowing whether this address was validated with the BR method 3.2.2.1 (via domain) rather than 3.2.2.2 (via email). In the second case, the applicant demonstrated that he/she only controls the Name.Surname mailbox, but applied for an OV cert which (email aside) contains his/her company's identity; these two things don't seem to go together well, somehow, IMO.
>>> 
>>> Regards
>>>     Adriano
>>> 
>>> 
>>> 
>>>> On 16/09/2023 09:27, Pedro FUENTES wrote:
>>>> 
>>>> We should maybe just understand that there are companies that don’t have a corporate mail service. 
>>>> 
>>>> IMHO… Once the mailbox is validated, the domain component is not relevant. 
>>>> 
>>>> 
>>>>> On 16 Sep 2023, at 07:23, Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org> wrote:
>>>>> 
>>>>> 
>>>>> Hi Jochem,
>>>>> 
>>>>> thanks for sharing your thoughts; as you say, they don't answer my question, but they do add useful insight.
>>>>> 
>>>>> Adriano
>>>>> 
>>>>> 
>>>>> 
>>>>> On 15/09/2023 17:17, Berge, Jochem Van den wrote:
>>>>>> 
>>>>>> 
>>>>>> Hi Adriano,
>>>>>>  
>>>>>> I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I think you might have a point that it is not defined in the SBRG:
>>>>>>  
>>>>>> This section defines the permitted processes and procedures for confirming the Applicant’s
>>>>>> control of Mailbox Addresses to be included in issued Certificates.
>>>>>>  
>>>>>> As far as I can see, if the Applicant (or its representative) can demonstrate control over the mailbox in question it looks like it is allowed. Other entries in section 3 or in section 7 are mute on this point. 
>>>>>>  
>>>>>> If you look at TLS certificates the relation between the (owner of a) FQDN and the organization included in the certificate can be (and often is) different (provided the applicant can prove to have control over the FQDN). 
>>>>>>  
>>>>>> The same kind of mechanic could apply here. I think it boils down to whether it was ever the intent to derive any identifying information from an email address, or only to use it for a cryptographic link (like TLS)?
>>>>>>  
>>>>>> If the decision would be that the email address should have some identifying properties, I just realized that, except for the obvious cases (like the one you addressed), it is very difficult to put such a requirement into words. What would be the definition of an organization controlled email address? And how would a CA be able to check that it is? The example you list of sole proprietorships can also be tricky to check by a CA, and potentially opens up a can of worms.
>>>>>>  
>>>>>> Long story short, my take is that it is possible and that it isn’t something we can easily fix. I think it boils down to a more fundamental choice of what the intent is of the different types of profiles as defined in the SBRGs. Seeing that I wasn’t involved with the earliest beginning of this WG I can’t answer that question, but I hope that others can shed some light on it :) 
>>>>>>  
>>>>>>  
>>>>>>  
>>>>>> Kind Regards,
>>>>>>  
>>>>>> Jochem van den Berge
>>>>>> Architect PKIoverheid
>>>>>>  
>>>>>> Logius
>>>>>>  
>>>>>> Digital Government Service
>>>>>> Ministry of the Interior and Kingdom Relations
>>>>>> ........................................................................
>>>>>>  
>>>>>> M (+31) (0)6 – 21 16 26 89
>>>>>> T  (+31) (0)70 - 888 76 91
>>>>>> jochem.vanden.berge at logius.nl
>>>>>> www.logius.nl
>>>>>>  
>>>>>> workdays Mo-Tue & Thu-Fri
>>>>>> ........................................................................
>>>>>>  
>>>>>> From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Adriano Santoni via Smcwg-public
>>>>>> Sent: Friday, 15 September 2023 06:55
>>>>>> To: smcwg-public at cabforum.org
>>>>>> Subject: [Smcwg-public] Individual email addresses in OV certs
>>>>>>  
>>>>>> Hello all,
>>>>>> 
>>>>>> given that an S/MIME OV certificate is characterized by the fact that it conveys the identity of an organization, is it acceptable for an OV certificate to contain an email address that is clearly associated with an individual mailbox (e.g. name.surname at companydomain.tld)? 
>>>>>> 
>>>>>> If I'm not mistaken, this aspect is not touched on in the BR and it therefore seems reasonable to assume that the above case is permitted. However, the fact that the Applicant only controls an individual email address somehow feels "inappropriate" for an OV certificate, so to say. 
>>>>>> 
>>>>>> It seems okay for sole proprietorships, but in other cases (legal persons with several employees) it seems inconsistent.
>>>>>> 
>>>>>> Maybe the answer is already there, in the BR, but I cannot see it.
>>>>>> 
>>>>>> Any comments welcome.
>>>>>> 
>>>>>> Adriano
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> 
>>>>>> This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
>>>>> _______________________________________________
>>>>> Smcwg-public mailing list
>>>>> Smcwg-public at cabforum.org
>>>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>> 
>> 


WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey <http://www.wisekey.com/>

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.
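The thread above turns on which S/MIME BR method a mailbox address in an Organization-validated certificate was checked with: 3.2.2.1 (control of the whole domain) or 3.2.2.2 (control of a single mailbox), and whether the domain part belongs to the Organization at all. The following is an added example, not code from the list or from any CA, of how an issuance-side linter could record the basis for each address and flag the two cases Adriano describes (a third-party domain such as gmail.com, and a mailbox-only validation for an address under the Organization's own domain). The evidence-record shape, the function names and the sample request data are all assumptions made for illustration; the thread itself does not prescribe any such structure.

```python
"""
Issuance-side check for mailbox addresses in an Organization-validated
S/MIME certificate request (illustrative example, not CA/B Forum text).

Assumed model (not from the thread): the CA keeps one evidence record per
validated item, tagged with the S/MIME BR method used. A 3.2.2.1 record
names a domain; a 3.2.2.2 record names one full mailbox address.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Evidence:
    method: str   # "3.2.2.1" (domain control) or "3.2.2.2" (mailbox control)
    value: str    # a domain for 3.2.2.1, a full mailbox address for 3.2.2.2


@dataclass
class Decision:
    mailbox: str
    basis: str                      # "3.2.2.1", "3.2.2.2" or "unverified"
    notes: List[str] = field(default_factory=list)


def split_mailbox(addr: str) -> Tuple[str, str]:
    """Split on the LAST '@' (RFC 5321): quoted local parts may contain '@'.

    The domain is lower-cased because DNS labels are case-insensitive; the
    local part is returned as-is because RFC 5321 leaves its case to the
    receiving host, so a 3.2.2.2 match is made exactly.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local, domain.lower()


def validation_basis(mailbox: str, evidence: List[Evidence]) -> str:
    """Return the strongest method that covers this address."""
    local, domain = split_mailbox(mailbox)
    # Domain control covers every mailbox under the domain, so check it first.
    for ev in evidence:
        if ev.method == "3.2.2.1" and ev.value.lower() == domain:
            return "3.2.2.1"
    for ev in evidence:
        if ev.method == "3.2.2.2":
            ev_local, ev_domain = split_mailbox(ev.value)
            if ev_local == local and ev_domain == domain:
                return "3.2.2.2"
    return "unverified"


def check_ov_request(org_domains: List[str], mailboxes: List[str],
                     evidence: List[Evidence]) -> List[Decision]:
    """Decide, per requested address, whether it may be issued and why.

    org_domains: domains the CA has tied to the Organization (assumed input).
    Only an unverified address is a rejection; the other notes record the
    situations the thread discusses without blocking issuance.
    """
    org_set = {d.lower() for d in org_domains}
    decisions = []
    for mb in mailboxes:
        dec = Decision(mb, validation_basis(mb, evidence))
        _, domain = split_mailbox(mb)
        if dec.basis == "unverified":
            dec.notes.append("reject: no 3.2.2.1 or 3.2.2.2 evidence for this address")
        else:
            if domain not in org_set:
                dec.notes.append("domain is not tied to the Organization (third-party mail service)")
            if dec.basis == "3.2.2.2":
                dec.notes.append("Applicant demonstrated control of this one mailbox only, not the domain")
        decisions.append(dec)
    return decisions


# Constructed sample request for "Example Ltd" (not real data).
SAMPLE_ORG_DOMAINS = ["example.com"]
SAMPLE_EVIDENCE = [
    Evidence("3.2.2.1", "EXAMPLE.COM"),            # domain validated; case differs on purpose
    Evidence("3.2.2.2", "ExampleLtd@gmail.com"),    # one mailbox at a third-party provider
]
SAMPLE_MAILBOXES = ["Name.Surname@example.com", "ExampleLtd@gmail.com", "someone@example.org"]


def demo() -> List[Decision]:
    return check_ov_request(SAMPLE_ORG_DOMAINS, SAMPLE_MAILBOXES, SAMPLE_EVIDENCE)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.mailbox:28} basis={d.basis:10} {'; '.join(d.notes)}")
```

With the constructed input, Name.Surname@example.com is covered by the 3.2.2.1 record (the individual-looking local part is irrelevant once the Organization's domain is validated), ExampleLtd@gmail.com is issuable on the 3.2.2.2 record but carries both informational notes, and someone@example.org is rejected. Note that a 3.2.2.2 record for ExampleLtd@gmail.com does not cover exampleltd@gmail.com: the local part is compared exactly, so a CA that wants case-insensitive matching has to decide that explicitly rather than inherit it from the domain comparison.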
