<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 4/8/2021 8:36 μ.μ., Stefan
Selbitschka via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017b123c7f78-b891ceb0-100f-4598-b4fe-461fe490f49a-000000@email.amazonses.com">
<pre class="moz-quote-pre" wrap="">Hi,
I want to continue our today's discussion about the sponsored validation
overlap.
>From my understanding (till today) we had 4 profiles for different use
cases and different validated content in the certificate:
- Mailbox -> email must be validated
- Organization -> email and organization must be validated
- Individual -> email and givenname + surname must be validated
- Sponsored -> organization must be validated, email and/or givenname +
surname validation may be delegated to sponsor
This leads me to this picture
(<a class="moz-txt-link-freetext" href="https://next.rundquadrat.at/s/Rx8PXs3bBdyq9Ae">https://next.rundquadrat.at/s/Rx8PXs3bBdyq9Ae</a>) and it was quite clear
for me.</pre>
</blockquote>
<br>
Thanks Stefan, this is a nice summary. I would like to echo your
concerns and make sure that, as a Working Group, we will find good
and secure practices to include in the SMBRs.<br>
<br>
With that said, for the "Sponsored" profile, I always thought that
ONLY the <b>individual's name (givenName, surname)</b> and the
"local part" or even sub-domains of the "domain part" (provided that
an appropriate Domain Validation Method for wildcards is used) of
the emailAddress would be allowed to be delegated by the CA to the
Organization to validate. The remaining information associated with
the Organization:<br>
<ul>
<li>countryName</li>
<li>stateOrProvinceName</li>
<li>localityName</li>
<li>organizationName</li>
<li>organizationalUnitName (???)<br>
</li>
<li>organizationIdentifier</li>
<li>...more org-related fields...<br>
</li>
<li>Base Domain Name (e.g. "example.com")<br>
</li>
</ul>
<p>would be validated by the CA and would have to be re-validated
periodically.<br>
</p>
That Organization would be allowed to validate the local part under
"example.com" and even subdomains (e.g. "sub1.example.com"), and the
full name of an individual associated with that Organization.<br>
<br>
HARICA would not support rules that would allow a non-audited third
party to validate an email address for a Domain Name that has not
been validated by an audited CA. Even if this delegation practice is
performed by some CAs, it seems to be very insecure for the basic
property this WG is trying to protect, the email address in a
publicly-trusted S/MIME Certificate. If and when such a Baseline
document is adopted, it could have an transition date before CAs
comply to it.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:0100017b123c7f78-b891ceb0-100f-4598-b4fe-461fe490f49a-000000@email.amazonses.com">
<pre class="moz-quote-pre" wrap="">
Now Stephen pointed out that we could have an organization within a
certificate of individual profile I get confused.
If we now mixing an organization to the individual profile I got puzzled:
- which countryName will be applied, the country of residence of the
individual or the country of juristiction of the organization?
- are the businessCategory and juridsiction* fields included in an
individual certificate including an organization?
Maybe someone can find a better summary of the different profiles for me
to solve my confusion?
thanks
regards
stefan
_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>