<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe Script";
panose-1:3 11 5 4 2 0 0 0 0 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1438061750;
mso-list-template-ids:-2022771412;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Mozilla’s email validation policy does not apply to the UPN and since this is used for authentication, not secure mail, I hope we can keep it that way in this spec.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://github.com/mozilla/pkipolicy/issues/200">https://github.com/mozilla/pkipolicy/issues/200</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think we should permit more than 1 email address in the SAN for those customer that have multiple aliases. For me, doug.beattie and douglas.beattie are both supported, and I know that come companies periodically change the domain for their employees. For example, I’ve noticed that Entrust is using a mix of entrustdatacard.com and entrust.com.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’d recommend that we permit a max of one email address in the certificate subject DN, but multiple in the SAN:RFC822<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Doug<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Wendy Brown - QT3LB-C via Smcwg-public<br><b>Sent:</b> Friday, November 20, 2020 8:07 AM<br><b>To:</b> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> Re: [Smcwg-public] email addresses in S/MIME certificates<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Also I do not remember a discussion that the UPN, if present, has to be identical to the email address. Although I may have missed at least 1 of the calls. I do not think this is always the case.<o:p></o:p></p><div><p class=MsoNormal>Another question is will we allow more than one email address SAN?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>thanks,<br clear=all><o:p></o:p></p><div><div><div><div><div><div><div><div><div><div><div><p><span style='font-family:"Segoe Script"'>Wendy</span><o:p></o:p></p><p><span style='font-size:9.5pt'>Wendy Brown<br>Supporting GSA FPKI<br>Protiviti Government Services</span><o:p></o:p></p><p> 703-965-2990 (cell)<o:p></o:p></p><p><a href="mailto:wendy.brown@gsa.gov" target="_blank"><span style='font-size:9.5pt'>wendy.brown@gsa.gov</span></a><br><a href="mailto:wendy.brown@protiviti.com" target="_blank">wendy.brown@protiviti.com</a><o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, Nov 20, 2020 at 6:19 AM Dimitris Zacharopoulos (HARICA) via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>I believe this proposal prohibits <i>directoryName </i>values<i> </i>in the subjectAltName extention. I remember that the intent of the first version of S/MIME requirements was not to prohibit identity information to be included in the Certificate Profile.<br><br>Dimitris.<br><br><o:p></o:p></p><div><p class=MsoNormal>On 20/11/2020 12:11 π.μ., Stephen Davidson via Smcwg-public wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>To date our discussion related to email addresses in S/MIME has been a general reference to rfc822Name along the lines of:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Extension ID: subjectAlternateName<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Required?: Yes<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Critical: Yes if the subject is an empty sequence; otherwise, SHOULD NOT be critical<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Permitted Value(s): MUST contain at least one rfc822Name value. MUST NOT contain values of type: dNSName, iPAddress, uniformResourceIdentifier. otherName values (such as Microsoft UPN) MAY be included if the value is identical to an rfc822Name expressed in the SAN extension. Any rfc822Name and otherName value in the Subject DN must be repeated in the SAN extension. Each rfc822Name and otherName value must be verified with publicly documented and audited measures in accordance with Section 3.2.2.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>References: RFC 5280, Section 4.2.1.6<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>S/MIME and rfc822Name has enjoyed a proliferation of standards which leads to the question:<o:p></o:p></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>Do we wish to summarise those rules relating to rfc822Name in this standard or in an informative appendix?<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>Or do wish simply to provide a listing of the relevant standards?<o:p></o:p></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>If the latter, I believe the most relevant would include RFC 5322 (internet message format, sections 3.2.3 and 3.4.1), RFC 3696 (informational, checking of names), and RFC 8398 (internationalized email addresses).<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Missing anything? Comments?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Best regards, Stephen<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>RFC 5322: <a href="https://tools.ietf.org/html/rfc5322" target="_blank">https://tools.ietf.org/html/rfc5322</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>RFC 3696: <a href="https://tools.ietf.org/html/rfc3696" target="_blank">https://tools.ietf.org/html/rfc3696</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>RFC 8398: <a href="https://tools.ietf.org/html/rfc8398" target="_blank">https://tools.ietf.org/html/rfc8398</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></p></blockquote></div></div></body></html>