<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 5/7/2021 10:44 AM, Burkhard Wiegel
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017a75a059fe-9aaad6f3-3f64-4a3f-b225-1846f8a78763-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt;
color: rgb(0, 0, 0); font-family: Calibri, Helvetica,
sans-serif, &quot;EmojiFont&quot;, &quot;Apple Color
Emoji&quot;, &quot;Segoe UI Emoji&quot;, NotoColorEmoji,
&quot;Segoe UI Symbol&quot;, &quot;Android Emoji&quot;,
EmojiSymbols;">
<p>Hello,</p>
<p><br>
</p>
<p>I may have missed this discussion but requiring either
"stateOrProvince" or "localityName" in SMIME certs in Org-,
Sponsored-, and Individual profiles injects additional cert
management for organizations and users without any real value.
Certs become invalid when the cert subject/person moves to another
town or state or the organization changes location.</p>
<p><br>
</p>
<p>To identify an organization more precisely than the
Organization Name in "O=..." (which anyway must exactly match
the Name from the official company register of the country), a
DN component which contains the register number would be much
more useful and does not have to be touched in case of
relocating/moving.<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><img naturalheight="94" naturalwidth="821" size="0"
id="img577349" tabindex="0" style="max-width:99.9%"
src="cid:part1.CC2204B6.9578FD32@harica.gr" class=""></p>
<p><br>
</p>
<p>I recommend changing this at least to "MAY" <b>without</b>
further requirements
<span>in Org-, Sponsored-, and Individual </span>profiles.</p>
</div>
</blockquote>
<br>
I agree with the general approach of not requiring "one OR the
other". The purpose of that requirement, if I recall correctly, was
to disambiguate two (or more) different legal entities with exactly
the same name. The idea was that at the localityName level, it would
most likely not be allowed to register two different legal entities
with the same name. Obviously this is pointless for the case of a
natural person.<br>
<br>
IMO if we added some requirements for information like the <i>subject:organizationIdentifier</i>
as described in ETSI EN 319 412-3 for legal entities, and <i>subject:serialNumber</i>
as described in ETSI EN 419 412-2 for natural persons, it would be
in the right direction.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:0100017a75a059fe-9aaad6f3-3f64-4a3f-b225-1846f8a78763-000000@email.amazonses.com">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt;
color: rgb(0, 0, 0); font-family: Calibri, Helvetica,
sans-serif, &quot;EmojiFont&quot;, &quot;Apple Color
Emoji&quot;, &quot;Segoe UI Emoji&quot;, NotoColorEmoji,
&quot;Segoe UI Symbol&quot;, &quot;Android Emoji&quot;,
EmojiSymbols;">
<p><br>
</p>
<p>Best regards<br>
Burkhard</p>
</div>
<br>
</blockquote>
<br>
</body>
</html>