<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Corey,<br>
<br>
So, to summarize, the current proposals for multiple values in the
subjectDN are the following:<br>
<ol>
<li>OU (probably makes sense to allow multiple instances until we
decide further actions)</li>
<li>streetAddress (probably makes sense to forbid because of lack
of support)</li>
<li>organizationIdentifier (probably makes sense to forbid
multiple instances because of lack of support by Certificate
Consumers)</li>
</ol>
<p>Is this a fair summary?<br>
</p>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 13/7/2021 11:40 μ.μ., Corey Bonnell
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017aa1990fa7-acfc084b-2ff6-4af8-b2de-b8b5087e55a7-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Seb,<o:p></o:p></p>
<p class="MsoNormal">Generally, I agree with you that multiple
instances of a given attribute type may introduce complexity,
although I think for the orgId case, there is value in
allowing multiple registration schemes to assist RP software
in automated lookups of supplementary information regarding
the Subject.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The rationale for including streetAddress
as an allowed duplicate attribute type stems solely from
historical practice seen in the TLS world. It appears that a
common practice was/is to include the street information in
one streetAddress RDN and any apartment/suite, etc.
information in a subsequent RDN. If we decide that is not
desirable for S/MIME, then we can forbid that attribute type
from appearing more than once. I don’t have strong feelings
either way.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I suppose the cardinality of OU will go
alongside the discussion of what we want to do with OU in
general; as you mentioned, permitting its presence (or
“presences”) in Legacy and Multipurpose but restricting it in
Strict may be a viable way of providing a transition path.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Sebastian Schulz
<a class="moz-txt-link-rfc2396E" href="mailto:sebastian.schulz@globalsign.com"><sebastian.schulz@globalsign.com></a> <br>
<b>Sent:</b> Tuesday, July 13, 2021 11:01 AM<br>
<b>To:</b> Corey Bonnell
<a class="moz-txt-link-rfc2396E" href="mailto:Corey.Bonnell@digicert.com"><Corey.Bonnell@digicert.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: Cardinality of subject fields<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Hey Corey, Hey All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Agreed – would be good to clarify that right
off the bat. Is there a reason why multiple instances of the
S field should be supported? For the organisational
Identifier the different registration schemes are a valid
point.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Generally, I’d say that having multiple
instances of attributes present significantly complicates
validation and increases the risk of the certificate
representing outdated information at some point during its
validity. But given your argument for OID and the widespread
use of multiple OU for all sorts of information it might be
yet another case of something we’d want to avoid for
“Strict” and allow for other profiles?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Seb<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span
style="font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-US">Sebastian
Schulz</span></b><span
style="color:#1F497D;mso-fareast-language:EN-US"><br>
</span><i><span
style="font-family:"Arial",sans-serif;color:#666666"
lang="EN-GB">Product Manager Client Certificates</span></i><span
style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Smcwg-public <<a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Corey Bonnell via Smcwg-public<br>
<b>Sent:</b> 13 July 2021 15:16<br>
<b>To:</b> SMIME Certificate Working Group <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> [Smcwg-public] Cardinality of subject
fields<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal">When reviewing the proposed set of
allowed/required subject fields for the profiles we have
discussed this far, I realized that there is room for better
clarity regarding the allowed number of each attribute type
that may be present in each subject. For example, the current
specification leaves it unclear whether multiple CN attributes
may be present in the subject Name. The cardinality of each
attribute type is currently left unstated in the TLS BRs,
which has led to a lack of clarity and disagreements on the
allowed number of various attribute types.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To prevent this confusion and provide
concrete written guidance, I suggest that we add a column to
the profiles spreadsheet that indicates whether multiple
instances of an attribute type are allowed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To start, I propose that the following
attributes be allowed to appear more than once:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">OU (if we
decide to allow its presence at all)<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">streetAddress<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">organizationalIdentifier
(if different registration schemes are specified)<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All other attribute types must not appear
more than once in each subject.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thoughts?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<span
style="font-family:"Arial",sans-serif;color:#686869"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>