<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">+1</font><br>
</p>
<div class="moz-cite-prefix">On 09/03/2022 15:34, Stephen Davidson
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f6f1a3433-5a92467c-a6eb-45c6-b92f-7279dfb9b21f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">In general, the CA is supposed to validate
the true identity of a holder behind a subject:pseudonym.
This is different from an anonymous cert.<o:p></o:p></p>
<p class="MsoNormal">The difficulty we face is that, having
chosen to require Subject identity information to be verified,
it would be inconsistent to allow the freeform use of
pseudonyms.<o:p></o:p></p>
<p class="MsoNormal">As far as I know, only Germany provides the
options for alternative “religious names or pseudonyms” on
their national ID: <a
href="https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html</a>
... So that significantly narrows the options for verifying
pseudonyms!<o:p></o:p></p>
<p class="MsoNormal">My personal belief is that we should drop
the use of pseudonyms from this draft. I hope that SMCWG
members that disagree with this will speak up.<o:p></o:p></p>
<p class="MsoNormal">The Mailbox-validated (MV) profiles are
probably more appropriate for users not wishing “real name”
identity to be in their certs.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a> <b>On Behalf Of
</b>Pedro FUENTES via Smcwg-public<br>
<b>Sent:</b> Monday, March 7, 2022 2:35 PM<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>; SMIME Certificate Working
Group <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common
Name contents<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Could it be just acceptable that a
pseudonym is freely chosen by a subscriber?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">In other words… could it be acceptable to
have names in the subjectName which don’t require
validation?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">We don’t currently use such attributes,
but I wonder if this could be good to reserve certain
flexibility for use cases where anonymization is desired. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Pedro<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">On 7 March
2022 at 18:58, Dimitris Zacharopoulos (HARICA) via
Smcwg-public <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
wrote:<o:p></o:p></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> Unless
CAs have some clear rules on how to validate pseudonyms, I
also believe we should exclude this attribute from the
allowed profiles which makes this attribute practically
not allowed. We must be explicit about this because other
attributes may be allowed.<br>
<br>
Dimitris.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 7/3/2022 9:41 AM, Adriano
Santoni via Smcwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>We do not support pseudonyms, and do not think there is
a need for them.<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">...we could even choose to exclude
this attribute from the allowed profiles<o:p></o:p></p>
</blockquote>
<p>Yes, that's what we suggest to do: exclude this
attribute from the allowed profiles.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 02/03/2022 18:43, Stephen
Davidson via Smcwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Doug:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">1. Further to our discussion today,
the language in ETSI EN 319 412-2 probably has the
clearest definition:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The
commonName attribute value shall contain a name of the
subject. This may be in the subject's preferred
presentation format, or a format preferred by the CA,
or some other format. Pseudonyms, nicknames, and names
with spelling other than defined by the registered
name may be used. <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">NOTE 1:
The commonName attribute has a usage purpose that is
different from the required choice of pseudonym or
givenName/surname. commonName is used for user
friendly representation of the person's name, whereas
givenName/surname is used where more formal
representation or verification of specific identity of
the user is required. To maximize interoperability
both are considered necessary.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">It does not give guidance on the
scope for “user friendly representation of the
person's name” and as far as I can tell, most TSPs
apply either (givenName and surname) or pseudonym in
that field.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Notwithstanding this, our previous
discussions had been for the commonName to include
verified information for the purposes of the S/MIME
BR, leading to the options described <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-2371422-2Dsubject-2Ddistinguished-2Dname-2Dfields&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=SikwTyV2nbwaM8CjAAm0ewzVcCUuXH_rrJl0zlNlYwQ&e="
moz-do-not-send="true">here</a>.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><u>We are interested in hearing
perspectives from both Certificate Issuers and
Certificate Issuers on this point.</u></b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">2. The handling of
subject:pseudonym is still an unresolved issue – and
so text still needs to be tightened up. We are working
from the basis that Subject information must be
verified, so this would also apply to pseudonym (i.e.
not a self-reported name). Pseudonym identity is, by
definition, linked to the person’s real identity.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">ETSI TS 199 461 tries to deal with
it by saying:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Although
the outcome of the identity proofing can be a
pseudonym identity, identity proofing requires
identification of the real identity of the person as
determined by applicable identity documents, official
registers or other authoritative sources.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal">But as far as I can tell, only
Germany provides pseudonym as an information attribute
on official identity documents. Given the lack of
clarity, we could even choose to exclude this attribute
from the allowed profiles.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><u>We’d be interested to hear
from Certificate Issuers what their practices are
using the pseudonym in regulated certificate
types.</u></b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Best, Stephen<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Stephen Davidson <o:p></o:p></p>
<p class="MsoNormal">DigiCert Governance, Risk &
Compliance<br>
<a href="mailto:stephen.davidson@digicert.com"
moz-do-not-send="true" class="moz-txt-link-freetext">stephen.davidson@digicert.com</a><o:p></o:p></p>
<p class="MsoNormal">O 1.441.278.2803 | M 1.441.505.4908<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Doug Beattie <a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><doug.beattie@globalsign.com></a>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 1:10 PM<br>
<b>To:</b> Stephen Davidson <a
href="mailto:Stephen.Davidson@digicert.com"
moz-do-not-send="true"><Stephen.Davidson@digicert.com></a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Common Name contents<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hey Stephen,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">During the call today it was
mentioned that all of the subject info pulled from the
certificates and displayed via GUI needs to be
validated (no more OU logic). I went back and looked
at the options for Sponsor validated certs and it
permits the Pseudonym to be present in the CN. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I went to check the rules for
validation and found this:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">f. <strong><span
style="font-family:"Calibri",sans-serif">Certificate
Field:</span></strong> <code><span
style="font-size:10.0pt">subject:pseudonym</span></code>
(2.5.4.65)<br>
<strong><span
style="font-family:"Calibri",sans-serif">Contents:</span></strong>
The pseudonym attribute MUST NOT be present if the
givenName and/or surname attribute are present. If
present, the <code><span style="font-size:10.0pt">subject:pseudonym</span></code>
field MUST be verified according to <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-23323-2Dauthentication-2Dof-2Dindividual-2Didentity&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=nliz6I7gIbr8WMy3LZQ94CqxFqzTqVpunO8t0YqxuCo&e="
moz-do-not-send="true">Section 3.2.3</a>.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">But I could not find any references
to this field in that section, or section 3.2.4 that
indicates how this is to be validated. Are there CA
validation rules for this, or can any value be
supplied?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Doug<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Smcwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
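<p>Added example, not code from the working group or any CA: a minimal lint that applies the draft SBR rule quoted in Doug's message (subject:pseudonym MUST NOT be present if givenName and/or surname are present) directly to a DER-encoded X.509 subject Name, so a CA's pre-issuance checks can reject such a subject before the certificate is signed. The OID arcs are the standard X.520 ones; the two sample subjects are constructed inline with a tiny encoder and are not from real certificates.</p>

```python
# Added example (hypothetical lint, not CA/B Forum or ETSI code): enforce the draft
# SBR rule quoted in the thread, that subject:pseudonym (2.5.4.65) MUST NOT be present
# alongside givenName (2.5.4.42) or surname (2.5.4.4), on a DER-encoded X.509 Name.
OID_PSEUDONYM, OID_GIVENNAME, OID_SURNAME = "2.5.4.65", "2.5.4.42", "2.5.4.4"
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted form, e.g. 55 04 41 -> 2.5.4.65."""
    arcs, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Flatten a DER Name (SEQUENCE OF SET OF SEQUENCE {oid, value}) to [(oid, str)]."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        p = 0
        while p < len(rdn):  # a multi-valued RDN holds several AttributeTypeAndValue
            _, atv, p = _tlv(rdn, p)
            _, oid_raw, q = _tlv(atv, 0)
            val_tag, val_raw, _ = _tlv(atv, q)
            attrs.append((_decode_oid(oid_raw), val_raw.decode(STRING_TAGS.get(val_tag, "utf-8"))))
    return attrs

def lint_pseudonym(der_name):
    """Return the list of violations for the pseudonym rule (empty = passes)."""
    oids = {oid for oid, _ in parse_name(der_name)}
    if OID_PSEUDONYM in oids and oids & {OID_GIVENNAME, OID_SURNAME}:
        return ["subject:pseudonym MUST NOT be present with givenName and/or surname"]
    return []

# Tiny short-form DER encoder used only to construct the (fictional) sample subjects.
def _enc(tag, body): return bytes([tag, len(body)]) + body
def _rdn(oid_der, text): return _enc(0x31, _enc(0x30, oid_der + _enc(0x0C, text.encode())))
_CN, _PSEUDONYM, _GIVENNAME = b"\x06\x03\x55\x04\x03", b"\x06\x03\x55\x04\x41", b"\x06\x03\x55\x04\x2a"
SUBJECT_OK = _enc(0x30, _rdn(_CN, "Bob Pseudo") + _rdn(_PSEUDONYM, "Bob Pseudo"))  # CN + pseudonym only
SUBJECT_BAD = _enc(0x30, SUBJECT_OK[2:] + _rdn(_GIVENNAME, "Robert"))  # same RDNs plus givenName
```

The check covers only the exclusivity clause that is actually written in the draft; whether the pseudonym value itself was verified against an identity document, the open question in the thread, is evidence the CA must hold outside the certificate.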
</body>
</html>