<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I agree for the legacy profile, we can safely state that all rfc822Names and otherNames of type id-on-SmtpUTF8Mailbox must be validated, but I am concerned with allowing otherNames of any other type to be included without that information being validated. As with the Subject DN, do we want to allow for unvalidated information in these certificates? Do we feel it is acceptable because we are only discussing the legacy profile?<div class=""><br class=""></div><div class="">- Curt<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On May 4, 2021, at 1:20 AM, Dimitris Zacharopoulos (HARICA) via Smcwg-public &lt;<a href="mailto:smcwg-public@cabforum.org" class="">smcwg-public@cabforum.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div class="">
    +1<br class="">
    <br class="">
    <div class="moz-cite-prefix">On 3/5/2021 9:16 PM, Russ Housley via
      Smcwg-public wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:010001793371f27f-bee495a6-3da0-441b-ae9d-2c707d22a90d-000000@email.amazonses.com" class="">
      <br class="">
      <div class=""><br class="">
        <blockquote type="cite" class="">
          <div class="">On May 3, 2021, at 1:21 PM, Corey Bonnell via
            Smcwg-public &lt;<a href="mailto:smcwg-public@cabforum.org" class="" moz-do-not-send="true">smcwg-public@cabforum.org</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <div class="">
            <div class="WordSection1" style="page: WordSection1;
              caret-color: rgb(0, 0, 0); font-family: Helvetica;
              font-size: 12px; font-style: normal; font-variant-caps:
              normal; font-weight: normal; letter-spacing: normal;
              text-align: start; text-indent: 0px; text-transform: none;
              white-space: normal; word-spacing: 0px;
              -webkit-text-stroke-width: 0px; text-decoration: none;">
              <div style="margin: 0in; font-size: 11pt; font-family:
                Calibri, sans-serif;" class="">Hello,<o:p class=""></o:p></div>
              <div style="margin: 0in; font-size: 11pt; font-family:
                Calibri, sans-serif;" class="">As discussed on last
                week’s call, we indicated a desire to require validation
                of email addresses that are contained in a subset of SAN
                types. I think we all agreed that rfc822Names must be
                validated, but there was a discussion on otherNames. The
                IANA registry for otherNames is located here:<span class="Apple-converted-space"> </span><a href="https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8" style="color: rgb(5, 99, 193); text-decoration:
                  underline;" class="" moz-do-not-send="true">https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8</a><o:p class=""></o:p></div>
              <div style="margin: 0in; font-size: 11pt; font-family:
                Calibri, sans-serif;" class=""><o:p class=""> </o:p></div>
              <div style="margin: 0in; font-size: 11pt; font-family:
                Calibri, sans-serif;" class="">From this registry, the
                only entry that I can see as requiring validation in an
                S/MIME context is id-on-SmtpUTF8Mailbox (which I brought
                up on the call); all the other ones appear to be
                unrelated. Given this, I believe for the legacy profile,
                we can safely state that all rfc822Names and otherNames
                of type id-on-SmtpUTF8Mailbox must be validated and
                otherNames of any other type do not need to be validated
                (such as UPN, etc).<o:p class=""></o:p></div>
              <div style="margin: 0in; font-size: 11pt; font-family:
                Calibri, sans-serif;" class=""><o:p class=""> </o:p></div>
              <div style="margin: 0in; font-size: 11pt; font-family:
                Calibri, sans-serif;" class="">Thoughts?<o:p class=""></o:p></div>
            </div>
          </div>
        </blockquote>
        <br class="">
      </div>
      <div class="">I agree that id-on-SmtpUTF8Mailbox needs to be validated, if
        it is present.  You can learn more about it in RFC 8398.</div>
      <div class=""><br class="">
      </div>
      <div class="">Russ</div>
      <br class="">
      <br class="">
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
    </blockquote>
    <br class="">
  </div>

</div></blockquote></div><br class=""></div></body></html>