<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">Could it be just acceptable that a pseudonym is freely chosen by a subscriber?</div><div dir="ltr">In other words… could it be acceptable to have names in the subjectName which don’t require validation?</div><div dir="ltr">We don’t currently use such attributes, but I wonder if this could be good to reserve certain flexibility for use cases where anonymization is desired.</div><div dir="ltr">Pedro</div><div dir="ltr"><br><blockquote type="cite">On 7 Mar 2022, at 18:58, Dimitris Zacharopoulos (HARICA) via Smcwg-public <smcwg-public@cabforum.org> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
Unless CAs have some clear rules on how to validate pseudonyms, I
also believe we should exclude this attribute from the allowed
profiles which makes this attribute practically not allowed. We must
be explicit about this because other attributes may be allowed.<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 7/3/2022 9:41 a.m., Adriano Santoni
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite" cite="mid:0100017f63531170-b8fe07f3-846e-4d85-a741-731e4595a845-000000@email.amazonses.com">
<p>We do not support pseudonyms, and do not think there is a need for them.</p>
<blockquote type="cite">...we could even choose to exclude this attribute from the allowed profiles</blockquote>
<p>Yes, that's what we suggest to do: exclude this attribute from the allowed profiles.</p>
<p>Adriano</p>
<div class="moz-cite-prefix">On 02/03/2022 18:43, Stephen Davidson
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite" cite="mid:0100017f4bbb0c28-ec17487b-e0d7-4a38-80a6-aa594f8d9c66-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">Hi Doug:</p>
<p class="MsoNormal">1. Further to our discussion today, the language in ETSI EN 319 412-2 probably has the clearest definition:</p>
<p class="MsoNormal" style="margin-left:.5in">The commonName attribute value shall contain a name of the subject. This may be in the subject's preferred presentation format, or a format preferred by the CA, or some other format. Pseudonyms, nicknames, and names with spelling other than defined by the registered name may be used.</p>
<p class="MsoNormal" style="margin-left:.5in">NOTE 1: The commonName attribute has a usage purpose that is different from the required choice of pseudonym or givenName/surname. commonName is used for user friendly representation of the person's name, whereas givenName/surname is used where more formal representation or verification of specific identity of the user is required. To maximize interoperability both are considered necessary.</p>
<p class="MsoNormal">It does not give guidance on the scope for “user friendly representation of the person's name” and, as far as I can tell, most TSPs apply either (givenName and surname) or pseudonym in that field.</p>
<p class="MsoNormal">Notwithstanding this, our previous discussions had been for the commonName to include verified information for the purposes of the S/MIME BR, leading to the options described <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-2371422-2Dsubject-2Ddistinguished-2Dname-2Dfields&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=SikwTyV2nbwaM8CjAAm0ewzVcCUuXH_rrJl0zlNlYwQ&e=">here</a>.</p>
<p class="MsoNormal"><b><u>We are interested in hearing perspectives from both Certificate Issuers and Certificate Issuers on this point.</u></b></p>
<p class="MsoNormal">2. The handling of subject:pseudonym is still an unresolved issue – and so text still needs to be tightened up. We are working from the basis that Subject information must be verified, so this would also apply to pseudonym (i.e. not a self-reported name). Pseudonym identity is, by definition, linked to the person’s real identity.</p>
<p class="MsoNormal">ETSI TS 199 461 tries to deal with it by saying:</p>
<p class="MsoNormal" style="margin-left:.5in">Although the outcome of the identity proofing can be a pseudonym identity, identity proofing requires identification of the real identity of the person as determined by applicable identity documents, official registers or other authoritative sources.</p>
<p class="MsoNormal">But as far as I can tell, only Germany provides pseudonym as an information attribute on official identity documents. Given the lack of clarity, we could even choose to exclude this attribute from the allowed profiles.</p>
<p class="MsoNormal"><b><u>We’d be interested to hear from Certificate Issuers what their practices are using the pseudonym in regulated certificate types.</u></b></p>
<p class="MsoNormal">Best, Stephen</p>
<p class="MsoNormal">Stephen Davidson<br>
DigiCert Governance, Risk &amp; Compliance<br>
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:stephen.davidson@digicert.com">stephen.davidson@digicert.com</a></p>
<p class="MsoNormal">O 1.441.278.2803 | M 1.441.505.4908</p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Doug Beattie <a class="moz-txt-link-rfc2396E" href="mailto:doug.beattie@globalsign.com"><doug.beattie@globalsign.com></a><br>
<b>Sent:</b> Wednesday, March 2, 2022 1:10 PM<br>
<b>To:</b> Stephen Davidson <a class="moz-txt-link-rfc2396E" href="mailto:Stephen.Davidson@digicert.com"><Stephen.Davidson@digicert.com></a>; SMIME Certificate Working Group <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Common Name contents</p>
</div>
</div>
<p class="MsoNormal">Hey Stephen,</p>
<p class="MsoNormal">During the call today it was mentioned that all of the subject info pulled from the certificates and displayed via GUI needs to be validated (no more OU logic). I went back and looked at the options for Sponsor validated certs and it permits the Pseudonym to be present in the CN.</p>
<p class="MsoNormal">I went to check the rules for validation and found this:</p>
<p class="MsoNormal">f. <strong>Certificate Field:</strong> <code>subject:pseudonym</code> (2.5.4.65)<br>
<strong>Contents:</strong> The pseudonym attribute MUST NOT be present if the givenName and/or surname attribute are present. If present, the <code>subject:pseudonym</code> field MUST be verified according to <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-23323-2Dauthentication-2Dof-2Dindividual-2Didentity&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=nliz6I7gIbr8WMy3LZQ94CqxFqzTqVpunO8t0YqxuCo&e=">Section 3.2.3</a>.</p>
<p class="MsoNormal">But I could not find any references to this field in that section, or section 3.2.4, that indicate how this is to be validated. Are there CA validation rules for this, or can any value be supplied?</p>
<p class="MsoNormal">Doug</p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
</blockquote>
</div></blockquote></body></html>