<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Stephen and Doug,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I also think that in Enterprise RA case we should have some way to put name details (in some field) with less validation rigor/auditing.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In current Telia CA SMIME certificates we have let Enterprise RA to use CN value quite freely. I hope the new SMIME standard would have that kind of option also. Today we have divided subject attributes so that CN represents individual
employee based on Enterprise RA information and O,C represent the company information verified by CA something like this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">CN=John Smith, O=Telia Finland Oyj, C=FI or<o:p></o:p></p>
<p class="MsoNormal">CN=Help Desk, O=Telia Finland Oyj, C=FI<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Is there a way to continue this kind of subject formatting in any of the new SMIME options? I don’t think that it is essential that CN value in SMIME certificates must be absolutely correct and guaranteed by CA. Other attributes like Surname,
Givenname, Title could be verified/audited somehow by CA but CN could have more freedom.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards<o:p></o:p></p>
<p class="MsoNormal">Pekka<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> maanantai 28. helmikuuta 2022 22.59<br>
<b>To:</b> Doug Beattie <doug.beattie@globalsign.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br>
<b>Subject:</b> Re: [Smcwg-public] Individual's names in S/MIME certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Doug:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for continuing the dialogue – we’ll return to the below points on our normal call this week on Wed March 2. I hope members with particular interest will join the call.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda to follow.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">NAMES<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">For individuals, the intent is for Enterprise RA records to be usable as authoritative records for the Sponsor-validation cert profiles, as described in
<a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md#3241-attribute-collection-of-individual-identity">
3.2.4.1</a><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:72.0pt">4. From Enterprise RA records: In the case of Sponsor-validation certificates approved by an Enterprise RA, records maintained by the Enterprise RA shall be accepted as evidence of individual identity. The Enterprise
RA MUST maintain records to satisfy the requirements of Section 8.8.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">For individuals, the draft S/MIME BR does not require a full legal name at this time. The description as it stands is for verified names “which should be current names” based on ID.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">For generic names like “Help Desk”, I was reminded that in the chartering discussions for the WG, it was intended that Organisations would be able to “name” machine certs or accounts under the S/MIME BR.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">AUDIT<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">As noted in our conversation at the F2F, we need to find the appropriate level of internal audit oversight to describe in section 8.8. There is a level of internal audit by the CA of certificates it issues –
but the appropriate supervision of Enterprise RAs probably has different requirements. The WG would welcome feedback on possible text for this requirement.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">SECTION REFERENCES<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt">You are correct – as noted at the beginning of the doc, some of the section references within the doc are still incorrect from the shifting tides of edits. Will fix!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Again, thanks for engaging on this point. We know Enterprise RAs are important and certainly want to get the standard right in this area.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Very best, Stephen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Doug Beattie <<a href="mailto:doug.beattie@globalsign.com">doug.beattie@globalsign.com</a>>
<br>
<b>Sent:</b> Monday, February 28, 2022 12:41 PM<br>
<b>To:</b> SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>><br>
<b>Subject:</b> Individual's names in S/MIME certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Stephen,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve been out of the loop a bit on the lates status and some staffing changes have happened in the meantime so I didn’t release the level of auditing needed for individual names for the Sponsor validated method.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Reading the current spec, there is no way that the enterprise RA can provide an individual’s name without it being validated as their full legal name and audited by the CA.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Section 7.1.4.2.2 which says the CN must contain:<o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt">(subject:givenName</span></code> and/or
<code><span style="font-size:10.0pt">subject:surname) or </span></code> <code><span style="font-size:10.0pt">subject:pseudonym</span></code>, or
<code><span style="font-size:10.0pt">subject:email</span></code><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">By the way, I think you need to add the parentheses like above because this is not clear:<o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"> subject:givenName</span></code> and/or
<code><span style="font-size:10.0pt">subject:surname</span></code>, <code><span style="font-size:10.0pt">subject:pseudonym</span></code>, or
<code><span style="font-size:10.0pt">subject:email<o:p></o:p></span></code></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"><o:p> </o:p></span></code></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It goes on to say that you must validate these in accordance with section 3.2.3 (Authentication of organization identity). That section does not define the validation of any of those fields so I assume that this should reference 3.2.4
Authentication of individual identity. I’m assuming yes.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This will drive usage to Mailbox or Organization because nobody will want to do audits (CAs or Customers), so there will no longer be readable names in S/MIME certificates. That’s very unfortunate. Maybe nobody looks at that field and
rely on the “From: and “reply to” fields, so not using sponsor validated certificates isn’t an issue and we could look to remove this from the spec as something that won’t be adopted.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Question:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Is there no way we can come up with a way to permit the enterprise RA to optionally supply the name details (in some field) with less validation rigor/auditing? As it stands, we cannot issue certs to
<a href="mailto:helpdesk@example.com">helpdesk@example.com</a> with something like “Help Desk” in the subject DN.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Could we permit the Enterprise RA to supply Sponsor verified name details into the CN and omit givenName and surname and not require formal recordkeeping and audits? Since these certificates will contain the Sponsor validated OID, relying
parties will (could) know the level of validation applied to the CN is “Supplied by Organization and not validated by the CA” vs. the current level of assurance. I totally understand the high level of validation needed for the Individual Validated certs,
but the Sponsor validated certificates could/should(?) be different.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thoughts from anyone?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Doug<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ps, the <code><span style="font-size:10.0pt">organizationIdentifier</span></code> field also threw me for a loop, but that’s another thread I’ll need to catch up on.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div style="font-size:9pt; font-family: 'Calibri',sans-serif;"><br>
<i>This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing,
distributing or retaining copies thereof or disclosing its contents to any other person.
<br>
<br>
Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s
<a href="https://www.teliacompany.com/en/about-the-company/privacy/">Privacy Policy</a>.</i>
<br>
<br>
<br>
</div>
</body>
</html>