<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Hi Matthias,<br>
<br>
I agree that forbidding "pseudonym" is a conflict with eIDAS and I
believe the WG might consider lifting this restriction provided we
were able to document good validation practices to support it.<br>
<br>
On a separate matter, S/MIME Certificates do not need to be
"eIDAS-compatible" but I can relate to TSPs that want to combine
multiple trust schemes. <br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 26/10/2021 10:21 AM, Wiedenhorst,
Matthias via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017cbb796fce-e5ce5f6d-f3c0-4dd4-b311-db7dbde21ac5-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">Hi Stephen, all,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">a few points regarding the profiles from my
perspective.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">My understanding was that the “Sponsored
Individual” profile was to be a merge of the
“Org-validation” and the “Personal Individual” profiles.
While that is true for the Organization part, it is not for
the Individual part. Givenname and Surname are mandatory in
the Strict and Multipurpose Personal Individual Profile, but
only a “may” in the Sponsored Individual.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">Pseudonym is forbidden (see separate remark
below) in Personal Individual, but a “may” in Sponsored
Individual.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">Is there any reason for this?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">If someone would issue a Sponsored Individual
certificate and an Org-validation cert that include only the
mandatory DN fields (O, C, orgIdentifier), then these two
would be identical in profile. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">With regard to pseudonym:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">In the “Personal Individual”-profile the use of
“pseudonym” is declared as “must not”. However, the European
eIDAS regulation states in Article 5 No. 2: “</span><span
lang="EN-GB">
</span><i><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">Without prejudice to the legal effect given
to pseudonyms under national law, the use of pseudonyms in
electronic transactions shall not be prohibited.</span></i><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">” I am not a lawyer, but it seems that this
“must not” might be in conflict with law in Europe.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">Best regards<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="EN-GB">Matthias</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;mso-fareast-language:EN-US"
lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> Thursday, 30 September 2021 22:56<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> [Smcwg-public] Stable Draft of S/MIME
Certificate Profiles<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">Hello:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The S/MIME Certificate
Working Group has now completed work on a stable draft of
the certificate profiles that will be included in the future
S/MIME Baseline Requirements.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The WG requests that
members share this with their product and technical teams
seeking feedback as the pace will pick up to turn these
worksheets into a draft standard:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><a
href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0"
moz-do-not-send="true" class="moz-txt-link-freetext">https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The S/MIME BR will apply
to “trusted” leaf certs with emailProtection EKU and at
least one email address in Subject / SAN.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">By way of explanation of
the worksheet:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• SMIME
Types – explains the OID structure and cert profile types<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• Leaf
Profile – explains the certificate fields common to the
various cert profile types<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">There are then 4 major
cert profiles showing the major differences in Subject, eKU,
keyUsage, and extensions:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• Mailbox -
The simplest S/MIME, including only email address. The same
email control verification methods apply across all S/MIME
types.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">•
Organizational - Includes Organization details (legal
entity). Example uses include invoice or statement mailers,
etc.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• Sponsored
Individual - Includes personal details (for natural person,
which may be validated by Enterprise RA) in association with
Organisation details (validated by the CA).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• Personal
Individual - Includes personal details (for natural person).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Each of the cert profile
types will have three available levels:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• Legacy -
Allows all public S/MIME to an auditable framework but
includes flexibility in allowed field usages and
verification. The intent is that this profile will
eventually be sunsetted.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">•
Multipurpose - Aligned with the Strict profile, but with
more flexibility in the eKU (primarily to allow overlap with
existing use cases such as document signing).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">• Strict -
The final goal profile. Strict definition and dedicated
eKU.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Discussion is welcomed
on list, but we will also dedicate time in our meeting on
October 27 for feedback. Tentatively, we will also start
considering CA profiles at that time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">With kind regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Stephen Davidson<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Chair, S/MIME
Certificate Working Group<o:p></o:p></span></p>
</div>
<pre><font size="1" face="arial,helvetica,sans-serif">
<strong>______________________________________________________________________________________________________________________</strong>
<strong>Sitz der Gesellschaft/Headquarter:</strong> TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany
<strong>Registergericht/Register Court:</strong> Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
<strong>Geschäftsführung/Management Board:</strong> Dirk Kretzschmar
</font></pre>
<br>
<pre><font size="3" face="arial,helvetica,sans-serif" color="#000000"><b>TÜV NORD GROUP</b></font>
<font size="1" face="arial,helvetica,sans-serif" color="#000000">Expertise for your Success
</font></pre>
<pre><font size="1" face="arial,helvetica,sans-serif" color="#000000"><b>Please visit our website: <a href="http://www.tuv-nord.com" moz-do-not-send="true">www.tuv-nord.com</a>
Besuchen Sie unseren Internetauftritt: <a href="http://www.tuev-nord.de" moz-do-not-send="true">www.tuev-nord.de</a></b></font></pre>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
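Added example, not part of this thread or of any CA/B Forum document: a small Python model of the scope rule ("emailProtection EKU and at least one email address in Subject / SAN") and of the subject-attribute rules as Matthias reads them, which makes his observation testable: a leaf certificate carrying only O, C and organizationIdentifier satisfies both the Organizational and the Sponsored Individual rules. The profile names, attribute sets and sample values are assumptions taken from the messages above, simplified to the attributes the thread mentions.<br>

```python
from dataclasses import dataclass, field

EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection OID


@dataclass
class Leaf:
    """Minimal model of a leaf certificate: subject DN attributes keyed by
    short attribute name, rfc822Name SAN entries, and EKU OIDs."""
    subject: dict
    san_emails: list = field(default_factory=list)
    eku: list = field(default_factory=list)


def in_smime_br_scope(cert: Leaf) -> bool:
    """Scope rule from Stephen's mail: emailProtection EKU plus at least one
    email address in the Subject or the SAN."""
    has_email = bool(cert.san_emails) or "emailAddress" in cert.subject
    return EMAIL_PROTECTION in cert.eku and has_email


# Subject attribute rules as read from the thread (assumption: simplified to
# the attributes the thread discusses; the real profiles carry more fields).
MANDATORY = {
    "Mailbox": set(),  # email address only
    "Organizational": {"O", "C", "organizationIdentifier"},
    "Sponsored Individual": {"O", "C", "organizationIdentifier"},
    "Personal Individual": {"givenName", "surname"},
}
OPTIONAL = {
    # "may" fields in Sponsored Individual per Matthias's reading of the draft.
    # pseudonym is deliberately absent for Personal Individual: the draft says "must not".
    "Sponsored Individual": {"givenName", "surname", "pseudonym"},
}


def candidate_profiles(cert: Leaf) -> list:
    """Profiles whose subject rules the certificate's DN satisfies."""
    attrs = set(cert.subject) - {"emailAddress"}
    matches = []
    for profile, mandatory in MANDATORY.items():
        allowed = mandatory | OPTIONAL.get(profile, set())
        if mandatory <= attrs <= allowed:
            matches.append(profile)
    return matches


def is_ambiguous(cert: Leaf) -> bool:
    """True when the DN alone cannot tell the candidate profiles apart."""
    return in_smime_br_scope(cert) and len(candidate_profiles(cert)) > 1


if __name__ == "__main__":
    # Constructed sample: only the mandatory organisation fields, no name.
    org_only = Leaf({"O": "Example GmbH", "C": "DE", "organizationIdentifier": "NTRDE-12345"},
                    san_emails=["alice@example.com"], eku=[EMAIL_PROTECTION])
    print(candidate_profiles(org_only), is_ambiguous(org_only))
    # -> ['Organizational', 'Sponsored Individual'] True
```

Adding a givenName/surname to the same subject leaves only Sponsored Individual as a match, which is exactly the distinction the draft would otherwise have to carry elsewhere (for instance in the profile-type OID structure the "SMIME Types" sheet describes).<br>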
<br>
</body>
</html>