<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe Script";
panose-1:3 11 5 4 2 0 0 0 0 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
p.gmail-m-6802997757353689763msolistparagraph, li.gmail-m-6802997757353689763msolistparagraph, div.gmail-m-6802997757353689763msolistparagraph
{mso-style-name:gmail-m_-6802997757353689763msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle26
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1301034660;
mso-list-template-ids:-463858992;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Wendy:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thank you for pointing that out. Currently the CN options in the <a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md#71422-subject-distinguished-name-fields">draft</a> are as follows.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Mailbox-validated subject:emailAddress<o:p></o:p></p><p class=MsoNormal>Organization-validated subject:organizationName or subject:emailAddress<o:p></o:p></p><p class=MsoNormal>Sponsored-validated subject:givenName and/or subject:surname, subject:pseudonym, or subject:emailAddress<o:p></o:p></p><p class=MsoNormal>Individual-validated subject:givenName and/or subject:surname, subject:pseudonym, or subject:emailAddress<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Our earlier thinking was that the “generic mailboxes” would use the Organization-validated profile, and that Sponsor-validated was for individuals.<o:p></o:p></p><p class=MsoNormal>Enterprise RAs are allowed both the Organization-validated and Sponsor-validated profiles.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best, Stephen<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Wendy Brown - QT3LB-C <wendy.brown@gsa.gov> <br><b>Sent:</b> Thursday, March 10, 2022 2:52 PM<br><b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Cc:</b> Wiedenhorst, Matthias <M.Wiedenhorst@tuvit.de><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common Name contents<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Stephen - <o:p></o:p></p><div><p class=MsoNormal>I do feel that the sponsored use case may sometime not be for a specific individual & maybe the mailbox validation is what should be used for those cases - but the mailbox itself & therefore the associated certificates fit the sponsored use case & should be allowed with the associated profile<br clear=all><o:p></o:p></p><div><div><div><div><div><div><div><div><div><div><div><p><span style='font-family:"Segoe Script"'>Wendy</span><o:p></o:p></p><p><span style='font-size:9.5pt'>Wendy Brown<br>Supporting GSA FPKI<br>Protiviti Government Services</span><o:p></o:p></p><p> 703-965-2990 (cell)<o:p></o:p></p><p><a href="mailto:wendy.brown@gsa.gov" target="_blank"><span style='font-size:9.5pt'>wendy.brown@gsa.gov</span></a><br><a href="mailto:wendy.brown@protiviti.com" target="_blank">wendy.brown@protiviti.com</a><o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Thu, Mar 10, 2022 at 1:49 PM Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi everyone and thank you for the feedback on this.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My view on Pseudonyms in S/MIME is simple:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><ul type=disc><li class=gmail-m-6802997757353689763msolistparagraph style='mso-list:l0 level1 lfo1'>The “identity profiles” in the S/MIME BR (Sponsor-validated and Individual-validated) are designed to provide reasonable assurance to relying parties that the Certificate contains a verified real name of the Subject.<o:p></o:p></li><li class=gmail-m-6802997757353689763msolistparagraph style='mso-list:l0 level1 lfo1'>If a user does not wish to assert their identity, the “non-identity profile” (Mailbox-validated) may be more appropriate.<o:p></o:p></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Best regards, Stephen<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org" target="_blank">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Wiedenhorst, Matthias via Smcwg-public<br><b>Sent:</b> Thursday, March 10, 2022 3:05 AM<br><b>To:</b> <a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common Name contents<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>Hi all!</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>Article 5 (2) eIDAS reads:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>“Without prejudice to the legal effect given to pseudonyms under national law, the use of pseudonyms in electronic transactions shall not be prohibited.”</span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>I am not a lawyer, but to me it sounds as if prohibiting pseudonyms could cause problems within the EU.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>Legitimate use cases that I have heard of from different CAs are for example persons from the “law enforcement area” that are in danger to be threatened or even attacked in their private live when their full real name is known.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>As already pointed out, a pseudonym certificate is not an anonymous certificate, but only the CA is able to reveal identity. Identification of the person has to be performed identically as if a certificate without pseudonym would be issued.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>Best regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>Matthias</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=DE>Von:</span></b><span lang=DE> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org" target="_blank">smcwg-public-bounces@cabforum.org</a>> <b>Im Auftrag von </b>Stephen Davidson via Smcwg-public<br><b>Gesendet:</b> Mittwoch, 9. März 2022 15:34<br><b>An:</b> Pedro FUENTES <<a href="mailto:pfuentes@WISEKEY.COM" target="_blank">pfuentes@WISEKEY.COM</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>><br><b>Betreff:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common Name contents</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In general, the CA is supposed to validate the true identity of a holder behind a subject:pseudonym. This is different from an anonymous cert.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The difficulty we face is that, having chosen to require Subject identity information to be verified, it would be inconsistent to allow the freeform use of pseudonyms.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>As far as I know, only Germany provides the options for alternative “religious names or pseudonyms” on their national ID: <a href="https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html" target="_blank">https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html</a> ... So that significantly narrows the options for verifying pseudonyms!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My personal belief is that we should drop the use of pseudonyms from this draft. I hope that SMCWG members that disagree with this will speak up.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The Mailbox-validated (MV) profiles are probably more appropriate for users not wishing “real name” identity to be in their certs.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Regards, Stephen<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org" target="_blank">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Pedro FUENTES via Smcwg-public<br><b>Sent:</b> Monday, March 7, 2022 2:35 PM<br><b>To:</b> Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common Name contents<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Could it be just acceptable that a pseudonym is freely chosen by a subscriber?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In other words… could it be acceptable to have names in the subjectName which don’t require validation?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>We don’t currently use such attributes, but I wonder if this could be good to reserve certain flexibility for use cases where anonymization is desired. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Pedro<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Le 7 mars 2022 à 18:58, Dimitris Zacharopoulos (HARICA) via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>> a écrit :<o:p></o:p></p></blockquote></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> Unless CAs have some clear rules on how to validate pseudonyms, I also believe we should exclude this attribute from the allowed profiles which makes this attribute practically not allowed. We must be explicit about this because other attributes may be allowed.<br><br>Dimitris.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 7/3/2022 9:41 π.μ., Adriano Santoni via Smcwg-public wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p>We do not support pseudonyms, and do not think there is a need for them.<o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>...we could even chose to exclude this attribute from the allowed profiles<o:p></o:p></p></blockquote><p>Yes, that's what we suggest to do: exclude this attribute from the allowed profiles.<o:p></o:p></p><p>Adriano<o:p></o:p></p><p> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Il 02/03/2022 18:43, Stephen Davidson via Smcwg-public ha scritto:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi Doug:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>1. Further to our discussion today, the language in ETSI EN 319 412-2 probably has the clearest definition:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>The commonName attribute value shall contain a name of the subject. This may be in the subject's preferred presentation format, or a format preferred by the CA, or some other format. Pseudonyms, nicknames, and names with spelling other than defined by the registered name may be used. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>NOTE 1: The commonName attribute has a usage purpose that is different from the required choice of pseudonym or givenName/surname. commonName is used for user friendly representation of the person's name, whereas givenName/surname is used where more formal representation or verification of specific identity of the user is required. To maximize interoperability both are considered necessary.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>It does not give guidance on the scope for “user friendly representation of the person's name” and as far as I can tell, most TSPs apply either (givenName and surname) or pseudonym in that field.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Notwithstanding this, our previous discussions had been for the commonName to include verified information for the purposes of the S/MIME BR, leading to the options described <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-2371422-2Dsubject-2Ddistinguished-2Dname-2Dfields&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=SikwTyV2nbwaM8CjAAm0ewzVcCUuXH_rrJl0zlNlYwQ&e=" target="_blank">here</a>.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><u>We are interested in hearing perspectives from both Certificate Issuers and Certificate Issuers on this point.</u></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>2. The handling of subject:pseudonym is still an unresolved issue – and so text still needs to be tightened up. We are working from the basis that Subject information must be verified, so this would also apply to pseudonym (ie not a self reported name). Pseudonym identity is, by definition, linked to the person’s real identity<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>ETSI TS 199 461 tries to deal with it by saying:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'>Although the outcome of the identity proofing can be a pseudonym identity, identity proofing requires identification of the real identity of the person as determined by applicable identity documents, official registers or other authoritative sources.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>But as far as I can tell, only Germany provides pseudonym as an information attribute on official identity documents. Given the lack of clarity, we could even chose to exclude this attribute from the allowed profiles.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><u>We’d be interested to hear from Certificate Issuers what their practices are using the pseudonym in regulated certificate types.</u></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Best, Stephen<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Stephen Davidson <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>DigiCert Governance, Risk & Compliance<br><a href="mailto:stephen.davidson@digicert.com" target="_blank">stephen.davidson@digicert.com</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>O 1.441.278.2803 | M 1.441.505.4908<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><code><span style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Doug Beattie <a href="mailto:doug.beattie@globalsign.com" target="_blank"><doug.beattie@globalsign.com></a> <br><b>Sent:</b> Wednesday, March 2, 2022 1:10 PM<br><b>To:</b> Stephen Davidson <a href="mailto:Stephen.Davidson@digicert.com" target="_blank"><Stephen.Davidson@digicert.com></a>; SMIME Certificate Working Group <a href="mailto:smcwg-public@cabforum.org" target="_blank"><smcwg-public@cabforum.org></a><br><b>Subject:</b> Common Name contents<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hey Stephen,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>During the call today it was mentioned that all of the subject info pulled from the certificates and displayed via GUI needs to be validated (no more OU logic). I went back and looked at the options for Sponsor validated certs and it permits the Pseudonym to be present in the CN. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I went to check the rules for validation and found this:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>f. <strong><span style='font-family:"Calibri",sans-serif'>Certificate Field:</span></strong> <code><span style='font-size:10.0pt'>subject:pseudonym</span></code> (2.5.4.65)<br><strong><span style='font-family:"Calibri",sans-serif'>Contents:</span></strong> The pseudonym attribute MUST NOT be present if the givenName and/or surname attribute are present. If present, the <code><span style='font-size:10.0pt'>subject:pseudonym</span></code> field field MUST be verified according to <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-23323-2Dauthentication-2Dof-2Dindividual-2Didentity&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=nliz6I7gIbr8WMy3LZQ94CqxFqzTqVpunO8t0YqxuCo&e=" target="_blank">Section 3.2.3</a>.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>But I could not find any references to this field in that section, or section 3.2.4 that indicates how this is to be validated. Are there CA validation rules for this, or can any value be supplied?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Doug<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=</a><o:p></o:p></p></div></blockquote><pre><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></pre><pre><strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'>______________________________________________________________________________________________________________________</span></strong><o:p></o:p></pre><pre><strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'>Sitz der Gesellschaft/Headquarter:</span></strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'> TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany</span><o:p></o:p></pre><pre><strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'>Registergericht/Register Court:</span></strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'> Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251</span><o:p></o:p></pre><pre><strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'>Geschäftsführung/Management Board:</span></strong><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif'> Dirk Kretzschmar </span><o:p></o:p></pre><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE> </span><o:p></o:p></p><pre><b><span lang=DE style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>TÜV NORD GROUP</span></b><o:p></o:p></pre><pre><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif;color:black'>Expertise for your Success</span><o:p></o:p></pre><pre><b><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif;color:black'>Please visit our website: <a href="http://www.tuv-nord.com" target="_blank">www.tuv-nord.com</a></span></b><o:p></o:p></pre><pre><b><span lang=DE style='font-size:7.5pt;font-family:"Arial",sans-serif;color:black'>Besuchen Sie unseren Internetauftritt: <a href="http://www.tuev-nord.de" target="_blank">www.tuev-nord.de</a></span></b><o:p></o:p></pre></div></div><p class=MsoNormal>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></p></blockquote></div></div></body></html>