<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">We do not support pseudonyms, and do not
think there is a need for them.</font><br>
</p>
<blockquote type="cite"><p><font face="Calibri">...we could even choose to exclude this attribute from the allowed profiles</font></p></blockquote>
<p><font face="Calibri">Yes, that's what we suggest to do: exclude this attribute from the allowed profiles.</font></p>
<p>Adriano</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 02/03/2022 18:43, Stephen Davidson via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f4bbb0c28-ec17487b-e0d7-4a38-80a6-aa594f8d9c66-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">Hi Doug:</p>
<p class="MsoNormal">1. Further to our discussion today, the language in ETSI EN 319 412-2 probably has the clearest definition:</p>
<p class="MsoNormal" style="margin-left:.5in">The commonName attribute value shall contain a name of the subject. This may be in the subject's preferred presentation format, or a format preferred by the CA, or some other format. Pseudonyms, nicknames, and names with spelling other than defined by the registered name may be used.</p>
<p class="MsoNormal" style="margin-left:.5in">NOTE 1: The commonName attribute has a usage purpose that is different from the required choice of pseudonym or givenName/surname. commonName is used for user friendly representation of the person's name, whereas givenName/surname is used where more formal representation or verification of specific identity of the user is required. To maximize interoperability both are considered necessary.</p>
<p class="MsoNormal">It does not give guidance on the scope for “user friendly representation of the person's name” and as far as I can tell, most TSPs apply either (givenName and surname) or pseudonym in that field.</p>
<p class="MsoNormal">Notwithstanding this, our previous discussions had been for the commonName to include verified information for the purposes of the S/MIME BR, leading to the options described <a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md#71422-subject-distinguished-name-fields" moz-do-not-send="true">here</a>.</p>
<p class="MsoNormal"><b><u>We are interested in hearing perspectives from both Certificate Issuers and Certificate Issuers on this point.</u></b></p>
<p class="MsoNormal">2. The handling of subject:pseudonym is still an unresolved issue – and so text still needs to be tightened up. We are working from the basis that Subject information must be verified, so this would also apply to pseudonym (i.e. not a self-reported name). Pseudonym identity is, by definition, linked to the person’s real identity.</p>
<p class="MsoNormal">ETSI TS 199 461 tries to deal with it by saying:</p>
<p class="MsoNormal" style="margin-left:.5in">Although the outcome of the identity proofing can be a pseudonym identity, identity proofing requires identification of the real identity of the person as determined by applicable identity documents, official registers or other authoritative sources.</p>
<p class="MsoNormal">But as far as I can tell, only Germany provides pseudonym as an information attribute on official identity documents. Given the lack of clarity, we could even choose to exclude this attribute from the allowed profiles.</p>
<p class="MsoNormal"><b><u>We’d be interested to hear from Certificate Issuers what their practices are using the pseudonym in regulated certificate types.</u></b></p>
<p class="MsoNormal">Best, Stephen</p>
<p class="MsoNormal">Stephen Davidson</p>
<p class="MsoNormal">DigiCert Governance, Risk &amp; Compliance<br>
<a class="moz-txt-link-abbreviated" href="mailto:stephen.davidson@digicert.com">stephen.davidson@digicert.com</a></p>
<p class="MsoNormal">O 1.441.278.2803 | M 1.441.505.4908</p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Doug Beattie <a class="moz-txt-link-rfc2396E" href="mailto:doug.beattie@globalsign.com">&lt;doug.beattie@globalsign.com&gt;</a><br>
<b>Sent:</b> Wednesday, March 2, 2022 1:10 PM<br>
<b>To:</b> Stephen Davidson <a class="moz-txt-link-rfc2396E" href="mailto:Stephen.Davidson@digicert.com">&lt;Stephen.Davidson@digicert.com&gt;</a>; SMIME Certificate Working Group <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> Common Name contents</p>
</div>
</div>
<p class="MsoNormal">Hey Stephen,</p>
<p class="MsoNormal">During the call today it was mentioned that all of the subject info pulled from the certificates and displayed via GUI needs to be validated (no more OU logic). I went back and looked at the options for Sponsor validated certs and it permits the Pseudonym to be present in the CN.</p>
<p class="MsoNormal">I went to check the rules for validation and found this:</p>
<p class="MsoNormal">f. <strong>Certificate Field:</strong> <code>subject:pseudonym</code> (2.5.4.65)<br>
<strong>Contents:</strong> The pseudonym attribute MUST NOT be present if the givenName and/or surname attribute are present. If present, the <code>subject:pseudonym</code> field MUST be verified according to <a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md#323-authentication-of-individual-identity" moz-do-not-send="true">Section 3.2.3</a>.</p>
<p class="MsoNormal">But I could not find any references to this field in that section, or section 3.2.4 that indicates how this is to be validated. Are there CA validation rules for this, or can any value be supplied?</p>
<p class="MsoNormal">Doug</p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
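<p>The rule Doug quotes above (subject:pseudonym MUST NOT be present together with givenName/surname, and MUST be verified if present) and the option raised in the thread of excluding the attribute from the allowed profiles entirely, as an added profile check that is not part of the thread or of the SMCWG drafts. It assumes subject DNs arrive as RFC 4514 strings and that the caller supplies which attribute OIDs were verified under Section 3.2.3; the finding codes are this example's own.</p>

```python
# Added example (not text from the thread or from the SMCWG): a checker for the
# subject:pseudonym rule quoted above. Assumptions: DNs arrive as RFC 4514 strings;
# which values were verified per Section 3.2.3 is supplied by the caller as OIDs.
import re

PSEUDONYM, GIVEN_NAME, SURNAME = "2.5.4.65", "2.5.4.42", "2.5.4.4"
ATTR_OIDS = {  # RFC 4519 short names, upper-cased for case-insensitive lookup
    "CN": "2.5.4.3", "COMMONNAME": "2.5.4.3", "SN": SURNAME, "SURNAME": SURNAME,
    "GN": GIVEN_NAME, "GIVENNAME": GIVEN_NAME, "PSEUDONYM": PSEUDONYM,
    "O": "2.5.4.10", "OU": "2.5.4.11", "C": "2.5.4.6",
}

def split_unescaped(s, seps):
    """Split s on seps, except where the separator is backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2   # keep the escape pair intact
        elif s[i] in seps:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return parts + [cur]

def parse_dn(dn):
    """RFC 4514 string -> list of (oid, value); multi-valued RDNs are flattened.
    Backslash-char escapes are decoded; hex-pair escapes (\\2C) are not."""
    pairs = []
    for ava in split_unescaped(dn, ",+"):
        attr, _, value = ava.partition("=")
        oid = ATTR_OIDS.get(attr.strip().upper(), attr.strip())  # dotted OIDs pass through
        pairs.append((oid, re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def check_subject(dn, allow_pseudonym=True, verified=frozenset()):
    """Finding codes for the quoted pseudonym rule; [] means the DN passes.
    allow_pseudonym=False models dropping the attribute from the profiles."""
    present = {oid for oid, _ in parse_dn(dn)}
    if PSEUDONYM not in present:
        return []
    if not allow_pseudonym:
        return ["PSEUDONYM_NOT_ALLOWED"]
    findings = []
    if present & {GIVEN_NAME, SURNAME}:
        findings.append("PSEUDONYM_WITH_GIVENNAME_OR_SURNAME")
    if PSEUDONYM not in verified:
        findings.append("PSEUDONYM_UNVERIFIED")
    return findings
```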
</body>
</html>