<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
While I'm not a member of this group, how about some
standard-hashed version of real id? CN = sha256(real name+salt) ?<br>
It still can't be verified by an outsider without knowing the real id, and
it's trivial to copy the entire CN, but if we trust the CA then we can say
the same name means the same person? <br>
<div class="moz-cite-prefix">On 2022-03-10 at 6:39 PM, Dimitris
Zacharopoulos (HARICA) via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f7332b7d5-46562835-6d7c-4e12-a157-42416c0b6b80-000000@email.amazonses.com">
Matthias,<br>
<br>
This is indeed a legal requirement in eIDAS and we need to see its
applicability for S/MIME certificates.<br>
<br>
The problem we need to address is the fact that I can validate
myself to a CA with my physical presence and my official name
(Dimitrios Zacharopoulos), and ask for a Pseudonym to be included
in the certificate, but the process is unclear. Here are some
questions/concerns (not addressed explicitly to Matthias, anyone
can chime-in): <br>
<ul>
<li>Could I ask that my pseudonym is "Matthias Wiedenhorst" or
"Mickey Mouse"? How is THAT information validated so that it
is not misleading to Relying Parties?</li>
<li>Can the pseudonym be a name/value that the CA decides, e.g.
"Pseudonym-482733812"? How is that helpful for Relying
Parties?<br>
</li>
<li>Can a Relying Party ask the CA to reveal the real identity
of the person behind the pseudonym? If this is the case, how
is this protecting the real person from being in danger?</li>
</ul>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 10/3/2022 9:05 AM, Wiedenhorst,
Matthias via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f72a57474-010447f2-1571-417f-8796-21ea1010a9dd-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi
all!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Article 5 (2) eIDAS reads:<o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">“Without prejudice to the legal effect
given to pseudonyms under national law, the use of
pseudonyms in electronic transactions shall not be
prohibited.”<o:p></o:p></span></i></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">I am not a lawyer, but to me it sounds as if
prohibiting pseudonyms could cause problems within the EU.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Legitimate use cases that I have heard of
from different CAs are for example persons from the “law
enforcement area” that are in danger of being threatened or
even attacked in their private life when their full real
name is known.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">As already pointed out, a pseudonym
certificate is not an anonymous certificate, but only the
CA is able to reveal identity. Identification of the
person has to be performed identically as if a certificate
without pseudonym would be issued.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Best regards<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-GB">Matthias<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public <a
class="moz-txt-link-rfc2396E"
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> Wednesday, 9 March 2022 15:34<br>
<b>To:</b> Pedro FUENTES <a
class="moz-txt-link-rfc2396E"
href="mailto:pfuentes@WISEKEY.COM"
moz-do-not-send="true"><pfuentes@WISEKEY.COM></a>;
SMIME Certificate Working Group <a
class="moz-txt-link-rfc2396E"
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a>;
Dimitris Zacharopoulos (HARICA) <a
class="moz-txt-link-rfc2396E"
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"><dzacharo@harica.gr></a><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Common
Name contents<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">In general, the CA is
supposed to validate the true identity of a holder behind
a subject:pseudonym. This is different from an anonymous
cert.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The difficulty we face
is that, having chosen to require Subject identity
information to be verified, it would be inconsistent to
allow the freeform use of pseudonyms.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">As far as I know, only
Germany provides the options for alternative “religious
names or pseudonyms” on their national ID: <a
href="https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://www.consilium.europa.eu/prado/en/DEU-BO-02004/image-344552.html</a>
... So that significantly narrows the options for
verifying pseudonyms!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">My personal belief is
that we should drop the use of pseudonyms from this
draft. I hope that SMCWG members that disagree with this
will speak up.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The Mailbox-validated
(MV) profiles are probably more appropriate for users not
wishing “real name” identity to be in their certs.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Regards, Stephen<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Smcwg-public <<a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Pedro FUENTES via Smcwg-public<br>
<b>Sent:</b> Monday, March 7, 2022 2:35 PM<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>>;
SMIME Certificate Working Group <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re:
Common Name contents<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Could it be just
acceptable that a pseudonym is freely chosen by a
subscriber?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">In other words…
could it be acceptable to have names in the subjectName
which don’t require validation?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">We don’t currently
use such attributes, but I wonder if this could be good
to reserve certain flexibility for use cases where
anonymization is desired. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Pedro<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US">On 7 March 2022 at 18:58, Dimitris
Zacharopoulos (HARICA) via Smcwg-public <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
wrote:<o:p></o:p></span></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"> Unless CAs have some clear rules on how
to validate pseudonyms, I also believe we should
exclude this attribute from the allowed profiles which
makes this attribute practically not allowed. We must
be explicit about this because other attributes may be
allowed.<br>
<br>
Dimitris.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On 7/3/2022 9:41
AM, Adriano Santoni via Smcwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span lang="EN-US">We do not support pseudonyms, and
do not think there is a need for them.<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">...we could
even choose to exclude this attribute from the
allowed profiles<o:p></o:p></span></p>
</blockquote>
<p><span lang="EN-US">Yes, that's what we suggest to do:
exclude this attribute from the allowed profiles.<o:p></o:p></span></p>
<p><span lang="EN-US">Adriano<o:p></o:p></span></p>
<p><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On 02/03/2022
18:43, Stephen Davidson via Smcwg-public
wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi Doug:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">1. Further to
our discussion today, the language in ETSI EN 319
412-2 probably has the clearest definition:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">The commonName attribute value shall
contain a name of the subject. This may be in the
subject's preferred presentation format, or a
format preferred by the CA, or some other format.
Pseudonyms, nicknames, and names with spelling
other than defined by the registered name may be
used. <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">NOTE 1: The commonName attribute has
a usage purpose that is different from the
required choice of pseudonym or givenName/surname.
commonName is used for user friendly
representation of the person's name, whereas
givenName/surname is used where more formal
representation or verification of specific
identity of the user is required. To maximize
interoperability both are considered necessary.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">It does not
give guidance on the scope for “user friendly
representation of the person's name” and as far as
I can tell, most TSPs apply either (givenName and
surname) or pseudonym in that field.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Notwithstanding
this, our previous discussions had been for the
commonName to include verified information for the
purposes of the S/MIME BR, leading to the options
described <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-2371422-2Dsubject-2Ddistinguished-2Dname-2Dfields&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=SikwTyV2nbwaM8CjAAm0ewzVcCUuXH_rrJl0zlNlYwQ&e="
moz-do-not-send="true"> here</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><b><u><span lang="EN-US">We are
interested in hearing perspectives from both
Certificate Issuers and Certificate Issuers on
this point.</span></u></b><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">2. The
handling of subject:pseudonym is still an
unresolved issue – and so text still needs to be
tightened up. We are working from the basis that
Subject information must be verified, so this
would also apply to pseudonym (i.e. not a
self-reported name). Pseudonym identity is, by
definition, linked to the person’s real identity.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ETSI TS 199
461 tries to deal with it by saying:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">Although the outcome of the identity
proofing can be a pseudonym identity, identity
proofing requires identification of the real
identity of the person as determined by applicable
identity documents, official registers or other
authoritative sources.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But as far as
I can tell, only Germany provides pseudonym as an
information attribute on official identity
documents. Given the lack of clarity, we could
even choose to exclude this attribute from the
allowed profiles.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><b><u><span lang="EN-US">We’d be
interested to hear from Certificate Issuers
what their practices are using the pseudonym
in regulated certificate types.</span></u></b><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Best, Stephen<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Stephen
Davidson <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">DigiCert
Governance, Risk & Compliance<br>
<a href="mailto:stephen.davidson@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">stephen.davidson@digicert.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">O
1.441.278.2803 | M 1.441.505.4908<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><code><span
style="font-size:10.0pt" lang="EN-US"> </span></code><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Doug Beattie <a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><doug.beattie@globalsign.com></a>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 1:10 PM<br>
<b>To:</b> Stephen Davidson <a
href="mailto:Stephen.Davidson@digicert.com"
moz-do-not-send="true"><Stephen.Davidson@digicert.com></a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Common Name contents<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Hey Stephen,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">During the
call today it was mentioned that all of the
subject info pulled from the certificates and
displayed via GUI needs to be validated (no more
OU logic). I went back and looked at the options
for Sponsor validated certs and it permits the
Pseudonym to be present in the CN. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I went to
check the rules for validation and found this:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">f. <strong><span
style="font-family:"Calibri",sans-serif">Certificate Field:</span></strong>
</span><code><span style="font-size:10.0pt"
lang="EN-US">subject:pseudonym</span></code><span
lang="EN-US"> (2.5.4.65)<br>
<strong><span
style="font-family:"Calibri",sans-serif">Contents:</span></strong>
The pseudonym attribute MUST NOT be present if the
givenName and/or surname attribute are present. If
present, the </span><code><span
style="font-size:10.0pt" lang="EN-US">subject:pseudonym</span></code><span
lang="EN-US"> field MUST be verified
according to <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_smime_blob_preSBR_SBR.md-23323-2Dauthentication-2Dof-2Dindividual-2Didentity&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=nliz6I7gIbr8WMy3LZQ94CqxFqzTqVpunO8t0YqxuCo&e="
moz-do-not-send="true"> Section 3.2.3</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But I could
not find any references to this field in that
section, or section 3.2.4 that indicates how this
is to be validated. Are there CA validation rules
for this, or can any value be supplied?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Doug<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<pre><span lang="EN-US">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="EN-US">Smcwg-public mailing list<o:p></o:p></span></pre>
<pre><span lang="EN-US"><a href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></span></pre>
<pre><span lang="EN-US"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=NCuXVva5JxiZue0JFxEbVTEZS67ltuKPjLakEuBlN-Q&s=M6K8kM_fZBp_w11MPEbpQzwTErczaQV8-qlOhtEiIMg&e=" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></span></pre>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<pre><font size="1" face="arial,helvetica,sans-serif">
<strong>______________________________________________________________________________________________________________________</strong>
<strong>Sitz der Gesellschaft/Headquarter:</strong> TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany
<strong>Registergericht/Register Court:</strong> Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
<strong>Geschäftsführung/Management Board:</strong> Dirk Kretzschmar
</font></pre>
<br>
<pre><font size="3" face="arial,helvetica,sans-serif" color="#000000"><b>TÜV NORD GROUP</b></font>
<font size="1" face="arial,helvetica,sans-serif" color="#000000">Expertise for your Success
</font></pre>
<pre><font size="1" face="arial,helvetica,sans-serif" color="#000000"><b>Please visit our website: <a href="http://www.tuv-nord.com" moz-do-not-send="true">www.tuv-nord.com</a>
Besuchen Sie unseren Internetauftritt: <a href="http://www.tuev-nord.de" moz-do-not-send="true">www.tuev-nord.de</a></b></font></pre>
<br>
</blockquote>
</blockquote>
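<p>The hashed-CN idea from the top message, as an added example that is not part of the original thread: it derives CN = sha256(real name + salt) and shows that checking a CN needs both the name and the salt, and that anyone who holds the salt can confirm a guessed name. The name normalisation, the hex encoding, the function names and the sample values are assumptions made for illustration.</p>

```python
import hashlib
import hmac
import unicodedata

# Upper bound of commonName in RFC 5280 (ub-common-name). A SHA-256 digest in
# hex is exactly 64 characters, so it fills the CN with no room for a prefix.
CN_MAX_LEN = 64


def normalize_name(real_name: str) -> str:
    """Canonicalise the verified name so spelling variants hash identically.

    Assumption: NFKC + casefold + whitespace collapsing. A CA would have to
    fix one rule, otherwise 'the same name' does not give 'the same CN'.
    """
    folded = unicodedata.normalize("NFKC", real_name).casefold()
    return " ".join(folded.split())


def pseudonym_cn(real_name: str, salt: bytes) -> str:
    """CN = sha256(real name + salt), hex-encoded (encoding is an assumption)."""
    data = normalize_name(real_name).encode("utf-8") + salt
    cn = hashlib.sha256(data).hexdigest()
    if len(cn) > CN_MAX_LEN:
        raise ValueError("derived CN exceeds ub-common-name")
    return cn


def verify_cn(cn: str, real_name: str, salt: bytes) -> bool:
    """Check a CN against a claimed real name; needs the name AND the salt."""
    return hmac.compare_digest(cn, pseudonym_cn(real_name, salt))


def names_confirmed_by(cn: str, candidate_names, salt: bytes) -> list:
    """Privacy check: which candidate names does this CN confirm for a party
    that holds `salt`? A non-empty result means the pseudonym is not hiding
    the name from that party."""
    return [name for name in candidate_names if verify_cn(cn, name, salt)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    salt = b"constructed-salt-A"
    cn = pseudonym_cn("Alice  EXAMPLE", salt)
    print("CN:", cn, "length:", len(cn))

    # Same verified name and same salt give the same CN across issuances.
    print("stable:", cn == pseudonym_cn("alice example", salt))

    # A different salt gives an unrelated CN for the same person.
    print("other salt differs:", cn != pseudonym_cn("alice example", b"constructed-salt-B"))

    candidates = ["Bob Example", "Alice Example"]
    # Without the salt, guessing names confirms nothing.
    print("guess without salt:", names_confirmed_by(cn, candidates, b""))
    # With the salt, a guessed name is confirmed immediately.
    print("guess with salt:", names_confirmed_by(cn, candidates, salt))
```

<p>Under this scheme the confidentiality of the real name rests entirely on the salt staying secret, since names are low-entropy and easy to enumerate.</p>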
</body>
</html>