<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 10/3/2022 1:34 PM, Henschel,
Andreas wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1531398501.5407.1646912048981@progov-n3.bs.prod.int.bln.d-trust.de">
<div class="WordSection1">
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Hey
Dimitris,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">in a first
step, pseudonyms could be allowed in sponsored profiles.
From an external point of view, those entities have the same
accepted validation level as certificates with an
organisation profile as the organisation is properly
validated anyway.</span></p>
</div>
</blockquote>
<br>
Hi Andreas,<br>
<br>
Why should they be allowed if we cannot describe the rules for it?
Do you believe it is ok to have a sponsored profile that allows a
natural person associated with a company to use any value in the
subjectDN of the certificate? I believe the risks for allowing such
a practice are not acceptable.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<blockquote type="cite"
cite="mid:1531398501.5407.1646912048981@progov-n3.bs.prod.int.bln.d-trust.de">
<div class="WordSection1">
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Kind
regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:EN-US">Andreas<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a> <b>On Behalf
Of </b>Dimitris Zacharopoulos (HARICA) via
Smcwg-public<br>
<b>Sent:</b> Thursday, 10 March 2022 12:25<br>
<b>To:</b> Juan Ángel Martín
<a class="moz-txt-link-rfc2396E" href="mailto:martin_ja@camerfirma.com">&lt;martin_ja@camerfirma.com&gt;</a>; SMIME Certificate
Working Group <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common
Name contents<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">On 10/3/2022 1:14 PM, Juan Ángel Martín
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Dimitris,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">One use case of pseudonyms that I know of
is the need for the police to sign certain messages, e.g.
traffic tickets, with a qualified eIDAS certificate.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">But the police officers do not want their
name, surname and personal identification document number to
appear on the certificate, which signs the traffic ticket
for unavoidable legal reasons in Europe.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I think it would be desirable to give an
answer to this need in the CABF requirements for SMIME
certificates.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:&quot;Times New Roman&quot;,serif"><br>
Thank you Juan Ángel,<br>
<br>
We all agree with the end goal but we can't address the
concerns without answering some questions regarding the
validation process. For example, what do those traffic
tickets look like in terms of the signer? Does it only have
a random identifier as described in the 2nd bullet of my
previous letter? Does it say something like "Officer John"?
It is important to get some transparency on this so the
SMCWG can develop validation rules that would support this
feature.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Juan Ángel<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public <a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;smcwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
Smcwg-public<br>
<b>Sent:</b> Thursday, 10 March 2022 10:40<br>
<b>To:</b> Wiedenhorst, Matthias <a
href="mailto:M.Wiedenhorst@tuvit.de"
moz-do-not-send="true">&lt;M.Wiedenhorst@tuvit.de&gt;</a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common
Name contents<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Matthias,<br>
<br>
This is indeed a legal requirement in eIDAS and we need to
see its applicability for S/MIME certificates.<br>
<br>
The problem we need to address is the fact that I can
validate myself to a CA with my physical presence and my
official name (Dimitrios Zacharopoulos), and ask for a
Pseudonym to be included in the certificate, but the process
is unclear. Here are some questions/concerns (not addressed
explicitly to Matthias, anyone can chime-in): <o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo3">Could I ask that my pseudonym is "Matthias
Wiedenhorst" or "Mickey Mouse"? How is THAT information
validated so that it is not misleading to Relying Parties?<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo3">Can the pseudonym be a name/value that the CA
decides, e.g. "Pseudonym-482733812"? How is that helpful
for Relying Parties?<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo3">Can a Relying Party ask the CA to reveal the
real identity of the person behind the pseudonym? If this
is the case, how is this protecting the real person from
being in danger?<o:p></o:p></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Thanks,<br>
Dimitris.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 10/3/2022 9:05 AM, Wiedenhorst,
Matthias via Smcwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi
all!</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Article 5 (2) eIDAS reads:</span><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">“Without prejudice to the legal effect
given to pseudonyms under national law, the use of
pseudonyms in electronic transactions shall not be
prohibited.”</span></i><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">I am not a lawyer, but to me it sounds as
if prohibiting pseudonyms could cause problems within
the EU.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Legitimate use cases that I have heard of
from different CAs are for example persons from the “law
enforcement area” that are in danger of being threatened or
even attacked in their private life when their full real
name is known.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">As already pointed out, a pseudonym
certificate is not an anonymous certificate, but only
the CA is able to reveal identity. Identification of the
person has to be performed identically as if a
certificate without pseudonym would be issued.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Best regards</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Matthias</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public <a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;smcwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Stephen Davidson via
Smcwg-public<br>
<b>Sent:</b> Wednesday, 9 March 2022 15:34<br>
<b>To:</b> Pedro FUENTES <a
href="mailto:pfuentes@WISEKEY.COM"
moz-do-not-send="true">&lt;pfuentes@WISEKEY.COM&gt;</a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">&lt;smcwg-public@cabforum.org&gt;</a>;
Dimitris Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">&lt;dzacharo@harica.gr&gt;</a><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re:
Common Name contents<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">In general, the CA
is supposed to validate the true identity of a holder
behind a subject:pseudonym. This is different from an
anonymous cert.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The difficulty we
face is that, having chosen to require Subject identity
information to be verified, it would be inconsistent to
allow the freeform use of pseudonyms.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">As far as I know,
only Germany provides the options for alternative
“religious names or pseudonyms” on their national ID: <a
href="https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html</a>
... So that significantly narrows the options for
verifying pseudonyms!</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">My personal belief
is that we should drop the use of pseudonyms from this
draft. I hope that SMCWG members that disagree with
this will speak up.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The
Mailbox-validated (MV) profiles are probably more
appropriate for users not wishing “real name” identity
to be in their certs.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Regards, Stephen</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Smcwg-public &lt;<a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Pedro FUENTES via Smcwg-public<br>
<b>Sent:</b> Monday, March 7, 2022 2:35 PM<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) &lt;<a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;;
SMIME Certificate Working Group &lt;<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>&gt;<br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re:
Common Name contents</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Could it be just
acceptable that a pseudonym is freely chosen by a
subscriber?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">In other words…
could it be acceptable to have names in the
subjectName which don’t require validation?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">We don’t currently
use such attributes, but I wonder if this could be
good to reserve certain flexibility for use cases
where anonymization is desired. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Pedro</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"> </span><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US">On 7 March 2022 at 18:58, Dimitris
Zacharopoulos (HARICA) via Smcwg-public &lt;<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>&gt;
wrote:</span><o:p></o:p></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"> Unless CAs have some clear rules on
how to validate pseudonyms, I also believe we should
exclude this attribute from the allowed profiles
which makes this attribute practically not allowed.
We must be explicit about this because other
attributes may be allowed.<br>
<br>
Dimitris.</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On 7/3/2022
9:41 AM, Adriano Santoni via Smcwg-public wrote:</span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span lang="EN-US">We do not support pseudonyms,
and do not think there is a need for them.</span><o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">...we could
even choose to exclude this attribute from the
allowed profiles</span><o:p></o:p></p>
</blockquote>
<p><span lang="EN-US">Yes, that's what we suggest to
do: exclude this attribute from the allowed
profiles.</span><o:p></o:p></p>
<p><span lang="EN-US">Adriano</span><o:p></o:p></p>
<p><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
02/03/2022 18:43, Stephen Davidson via
Smcwg-public wrote:</span><o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi Doug:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">1. Further
to our discussion today, the language in ETSI EN
319 412-2 probably has the clearest definition:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">The commonName attribute value
shall contain a name of the subject. This may be
in the subject's preferred presentation format,
or a format preferred by the CA, or some other
format. Pseudonyms, nicknames, and names with
spelling other than defined by the registered
name may be used. </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">NOTE 1: The commonName attribute
has a usage purpose that is different from the
required choice of pseudonym or
givenName/surname. commonName is used for user
friendly representation of the person's name,
whereas givenName/surname is used where more
formal representation or verification of
specific identity of the user is required. To
maximize interoperability both are considered
necessary.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">It does not
give guidance on the scope for “user friendly
representation of the person's name” and as far
as I can tell, most TSPs apply either (givenName
and surname) or pseudonym in that field.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Notwithstanding
this, our previous discussions had been for the
commonName to include verified information for
the purposes of the S/MIME BR, leading to the
options described <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-2371422-2Dsubject-2Ddistinguished-2Dname-2Dfields&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=SikwTyV2nbwaM8CjAAm0ewzVcCUuXH_rrJl0zlNlYwQ&e="
moz-do-not-send="true">here</a>.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><u><span lang="EN-US">We are
interested in hearing perspectives from both
Certificate Issuers and Certificate Issuers
on this point.</span></u></b><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">2. The
handling of subject:pseudonym is still an
unresolved issue – and so text still needs to be
tightened up. We are working from the basis that
Subject information must be verified, so this
would also apply to pseudonym (i.e. not a self
reported name). Pseudonym identity is, by
definition, linked to the person’s real identity.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">ETSI TS 199
461 tries to deal with it by saying:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">Although the outcome of the
identity proofing can be a pseudonym identity,
identity proofing requires identification of the
real identity of the person as determined by
applicable identity documents, official
registers or other authoritative sources.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">But as far
as I can tell, only Germany provides pseudonym
as an information attribute on official identity
documents. Given the lack of clarity, we could
even choose to exclude this attribute from the
allowed profiles.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><u><span lang="EN-US">We’d
be interested to hear from Certificate
Issuers what their practices are using the
pseudonym in regulated certificate types.</span></u></b><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Best,
Stephen</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Stephen
Davidson </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">DigiCert
Governance, Risk &amp; Compliance<br>
<a href="mailto:stephen.davidson@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">stephen.davidson@digicert.com</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">O
1.441.278.2803 | M 1.441.505.4908</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><code><span
style="font-size:10.0pt" lang="EN-US"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Doug Beattie <a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true">&lt;doug.beattie@globalsign.com&gt;</a>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 1:10
PM<br>
<b>To:</b> Stephen Davidson <a
href="mailto:Stephen.Davidson@digicert.com"
moz-do-not-send="true">&lt;Stephen.Davidson@digicert.com&gt;</a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> Common Name contents</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Hey Stephen,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">During the
call today it was mentioned that all of the
subject info pulled from the certificates and
displayed via GUI needs to be validated (no more
OU logic). I went back and looked at the options
for Sponsor validated certs and it permits the
Pseudonym to be present in the CN. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I went to
check the rules for validation and found this:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">f. <strong><span
style="font-family:&quot;Calibri&quot;,sans-serif">Certificate Field:</span></strong>
</span><code><span style="font-size:10.0pt"
lang="EN-US">subject:pseudonym</span></code><span
lang="EN-US"> (2.5.4.65)<br>
<strong><span
style="font-family:&quot;Calibri&quot;,sans-serif">Contents:</span></strong>
The pseudonym attribute MUST NOT be present if
the givenName and/or surname attribute are
present. If present, the </span><code><span
style="font-size:10.0pt" lang="EN-US">subject:pseudonym</span></code><span
lang="EN-US"> field MUST be verified
according to <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-23323-2Dauthentication-2Dof-2Dindividual-2Didentity&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=nliz6I7gIbr8WMy3LZQ94CqxFqzTqVpunO8t0YqxuCo&e="
moz-do-not-send="true">Section 3.2.3</a>.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">But I could
not find any references to this field in that
section, or section 3.2.4 that indicates how
this is to be validated. Are there CA
validation rules for this, or can any value be
supplied?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Doug</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"> </span><o:p></o:p></p>
<pre><span lang="EN-US">_______________________________________________</span><o:p></o:p></pre>
<pre><span lang="EN-US">Smcwg-public mailing list</span><o:p></o:p></pre>
<pre><span lang="EN-US"><a href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a></span><o:p></o:p></pre>
<pre><span lang="EN-US"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a></span><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"> </span><o:p></o:p></p>
</blockquote>
</div>
</blockquote>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:&quot;Times New Roman&quot;,serif"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
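<p>Added example, not part of the thread and not CA/Browser Forum code: a small Python linter for the draft rule quoted in Doug Beattie's message, that subject:pseudonym (2.5.4.65) MUST NOT be present when givenName and/or surname are present. It parses a DER-encoded subject Name with the standard library only; the function names and the two sample subjects are constructed for illustration.</p>

```python
# Added example: lint a DER-encoded X.509 subject Name (standard library only).
OID_COMMON_NAME, OID_SURNAME = "2.5.4.3", "2.5.4.4"
OID_GIVEN_NAME, OID_PSEUDONYM = "2.5.4.42", "2.5.4.65"  # 2.5.4.65 as quoted in the thread
# String tags decoded here: UTF8String, PrintableString, IA5String, BMPString.
TEXT_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first >= 0x80:  # long form: remaining bits count the length bytes
        count = first - 0x80
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the input")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos != len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = value * 128 + byte % 128
        if byte >= 128:  # continuation bit set, more bytes follow
            continue
        subids.append(value)
        value = 0
    if not subids:
        raise ValueError("empty OBJECT IDENTIFIER")
    head = [2, subids[0] - 80] if subids[0] >= 80 else list(divmod(subids[0], 40))
    return ".".join(str(arc) for arc in head + subids[1:])

def parse_subject(der):
    """Return [(oid, text)] for every AttributeTypeAndValue in a Name."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subject is not a single DER SEQUENCE")
    attrs = []
    for set_tag, rdn in children(body):
        if set_tag != 0x31:
            raise ValueError("expected a SET (RelativeDistinguishedName)")
        for seq_tag, atv in children(rdn):
            parts = list(children(atv))
            if seq_tag != 0x30 or len(parts) != 2 or parts[0][0] != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            (_, oid), (value_tag, raw) = parts
            codec = TEXT_TAGS.get(value_tag)
            attrs.append((decode_oid(oid), raw.decode(codec) if codec else raw.hex()))
    return attrs

def lint_subject(der):
    """Return findings for the pseudonym rule quoted in the thread."""
    present = {oid for oid, _ in parse_subject(der)}
    clash = sorted(present.intersection({OID_GIVEN_NAME, OID_SURNAME}))
    if OID_PSEUDONYM in present and clash:
        return ["pseudonym present together with " + ", ".join(clash)]
    return []

def _tlv(tag, body):
    """Encoder for the constructed samples below; short-form lengths only."""
    if len(body) >= 128:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(body)]) + body

def build_name(pairs):
    """Encode [(oid, text)] as a Name, one UTF8String attribute per RDN."""
    rdns = b""
    for oid, text in pairs:
        arcs = [int(arc) for arc in oid.split(".")]  # every arc here fits one byte
        oid_der = _tlv(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))
        rdns += _tlv(0x31, _tlv(0x30, oid_der + _tlv(0x0C, text.encode("utf-8"))))
    return _tlv(0x30, rdns)

# Constructed sample subjects, not taken from any real certificate.
PSEUDONYM_ONLY = build_name([(OID_COMMON_NAME, "Pseudonym-482733812"),
                             (OID_PSEUDONYM, "Pseudonym-482733812")])
MIXED = build_name([(OID_GIVEN_NAME, "Alex"), (OID_SURNAME, "Example"),
                    (OID_PSEUDONYM, "Officer-7")])

if __name__ == "__main__":
    for name in (PSEUDONYM_ONLY, MIXED):
        print(parse_subject(name), lint_subject(name))
```

<p>The linter checks only the attribute-combination rule; it says nothing about how the pseudonym value itself was validated, which is the question the thread leaves open.</p>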
</body>
</html>