<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=en-SE link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>While I see the advantage for some in that, is this not exactly why we’re banning the OU field in both S/MIME and SSL?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>It opens up for Pseudonym becoming the new OU field.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>Martijn<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Pedro FUENTES via Smcwg-public<br><b>Sent:</b> Monday, 7 March 2022 19:35<br><b>To:</b> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common Name contents<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Could it be just acceptable that a pseudonym is freely chosen by a subscriber?<o:p></o:p></p></div><div><p class=MsoNormal>In other words… could it be acceptable to have names in the subjectName which don’t require validation?<o:p></o:p></p></div><div><p class=MsoNormal>We don’t currently use such attributes, but I wonder if this could be good to reserve certain flexibility for use cases where anonymization is desired. <o:p></o:p></p></div><div><p class=MsoNormal>Pedro<o:p></o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-bottom:12.0pt'>Le 7 mars 2022 à 18:58, Dimitris Zacharopoulos (HARICA) via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> a écrit :<o:p></o:p></p></blockquote></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-bottom:12.0pt'> Unless CAs have some clear rules on how to validate pseudonyms, I also believe we should exclude this attribute from the allowed profiles which makes this attribute practically not allowed. We must be explicit about this because other attributes may be allowed.<br><br>Dimitris.<o:p></o:p></p><div><p class=MsoNormal>On 7/3/2022 9:41 π.μ., Adriano Santoni via Smcwg-public wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p>We do not support pseudonyms, and do not think there is a need for them.<o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>...we could even chose to exclude this attribute from the allowed profiles<o:p></o:p></p></blockquote><p>Yes, that's what we suggest to do: exclude this attribute from the allowed profiles.<o:p></o:p></p><p>Adriano<o:p></o:p></p><p><o:p> </o:p></p><div><p class=MsoNormal>Il 02/03/2022 18:43, Stephen Davidson via Smcwg-public ha scritto:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Hi Doug:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>1. Further to our discussion today, the language in ETSI EN 319 412-2 probably has the clearest definition:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-left:36.0pt'>The commonName attribute value shall contain a name of the subject. This may be in the subject's preferred presentation format, or a format preferred by the CA, or some other format. Pseudonyms, nicknames, and names with spelling other than defined by the registered name may be used. <o:p></o:p></p><p class=MsoNormal style='margin-left:36.0pt'> <o:p></o:p></p><p class=MsoNormal style='margin-left:36.0pt'>NOTE 1: The commonName attribute has a usage purpose that is different from the required choice of pseudonym or givenName/surname. commonName is used for user friendly representation of the person's name, whereas givenName/surname is used where more formal representation or verification of specific identity of the user is required. To maximize interoperability both are considered necessary.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>It does not give guidance on the scope for “user friendly representation of the person's name” and as far as I can tell, most TSPs apply either (givenName and surname) or pseudonym in that field.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Notwithstanding this, our previous discussions had been for the commonName to include verified information for the purposes of the S/MIME BR, leading to the options described <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-2371422-2Dsubject-2Ddistinguished-2Dname-2Dfields%26d%3DDwMDaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DNCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q%26s%3DSikwTyV2nbwaM8CjAAm0ewzVcCUuXH_rrJl0zlNlYwQ%26e%3D&data=04%7C01%7Cmartijn.katerbarg%40sectigo.com%7C32c6d640337442e8798808da00692fcd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637822750367336498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=TFrRek26xNPjTJcniTuIcIURYUDC3o0H6YzdcXu2hS4%3D&reserved=0">here</a>.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><b><u>We are interested in hearing perspectives from both Certificate Issuers and Certificate Issuers on this point.</u></b><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>2. The handling of subject:pseudonym is still an unresolved issue – and so text still needs to be tightened up. We are working from the basis that Subject information must be verified, so this would also apply to pseudonym (ie not a self reported name). Pseudonym identity is, by definition, linked to the person’s real identity<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>ETSI TS 199 461 tries to deal with it by saying:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-left:36.0pt'>Although the outcome of the identity proofing can be a pseudonym identity, identity proofing requires identification of the real identity of the person as determined by applicable identity documents, official registers or other authoritative sources.<o:p></o:p></p><p class=MsoNormal style='margin-left:36.0pt'> <o:p></o:p></p><p class=MsoNormal>But as far as I can tell, only Germany provides pseudonym as an information attribute on official identity documents. Given the lack of clarity, we could even chose to exclude this attribute from the allowed profiles.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><b><u>We’d be interested to hear from Certificate Issuers what their practices are using the pseudonym in regulated certificate types.</u></b><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Best, Stephen<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Stephen Davidson <o:p></o:p></p><p class=MsoNormal>DigiCert Governance, Risk & Compliance<br><a href="mailto:stephen.davidson@digicert.com">stephen.davidson@digicert.com</a><o:p></o:p></p><p class=MsoNormal>O 1.441.278.2803 | M 1.441.505.4908<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><code><span style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Doug Beattie <a href="mailto:doug.beattie@globalsign.com"><doug.beattie@globalsign.com></a> <br><b>Sent:</b> Wednesday, March 2, 2022 1:10 PM<br><b>To:</b> Stephen Davidson <a href="mailto:Stephen.Davidson@digicert.com"><Stephen.Davidson@digicert.com></a>; SMIME Certificate Working Group <a href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br><b>Subject:</b> Common Name contents<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Hey Stephen,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>During the call today it was mentioned that all of the subject info pulled from the certificates and displayed via GUI needs to be validated (no more OU logic). I went back and looked at the options for Sponsor validated certs and it permits the Pseudonym to be present in the CN. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I went to check the rules for validation and found this:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>f. <strong><span style='font-family:"Calibri",sans-serif'>Certificate Field:</span></strong> <code><span style='font-size:10.0pt'>subject:pseudonym</span></code> (2.5.4.65)<br><strong><span style='font-family:"Calibri",sans-serif'>Contents:</span></strong> The pseudonym attribute MUST NOT be present if the givenName and/or surname attribute are present. If present, the <code><span style='font-size:10.0pt'>subject:pseudonym</span></code> field field MUST be verified according to <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-23323-2Dauthentication-2Dof-2Dindividual-2Didentity%26d%3DDwMDaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DNCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q%26s%3Dnliz6I7gIbr8WMy3LZQ94CqxFqzTqVpunO8t0YqxuCo%26e%3D&data=04%7C01%7Cmartijn.katerbarg%40sectigo.com%7C32c6d640337442e8798808da00692fcd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637822750367336498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=t2hI0Z4izKBpGKLS8RLmCK7LbKep7Qwy8qIpj8bQcWw%3D&reserved=0">Section 3.2.3</a>.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>But I could not find any references to this field in that section, or section 3.2.4 that indicates how this is to be validated. Are there CA validation rules for this, or can any value be supplied?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Doug<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic%26d%3DDwMDaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DNCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q%26s%3DM6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg%26e%3D&data=04%7C01%7Cmartijn.katerbarg%40sectigo.com%7C32c6d640337442e8798808da00692fcd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637822750367336498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=X%2FG7MmUwwnyiOHHN5Kq02YX9BPNz3mS0m9CJuyNukFw%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic%26d%3DDwMDaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DNCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q%26s%3DM6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg%26e%3D&data=04%7C01%7Cmartijn.katerbarg%40sectigo.com%7C32c6d640337442e8798808da00692fcd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637822750367336498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=X%2FG7MmUwwnyiOHHN5Kq02YX9BPNz3mS0m9CJuyNukFw%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal><br>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a><br><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=</a><o:p></o:p></p></div></blockquote></div></div></body></html>