<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 13/4/2022 11:42 a.m., Adriano
Santoni via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001802217096c-73108423-d3b9-4472-87bc-a13270a83769-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p><font face="Calibri">Hi Dimitris,</font></p>
<p><font face="Calibri">I was not implying that this is the
situation today, nor that we have to be compliant with
the ETSI profiles.</font><br>
</p>
<p>I was just suggesting that we might adopt the ETSI-style of
natural person identifier so as to put in the subject:serialNumber
a "talking" disambiguating datum.</p>
<p>Let's consider the following example: two (fictional) ladies
both named "Katerina Papadopoulos", possibly living in the same
town, request an IV (Individual Validated) S/MIME certificate.</p>
<p>In order to disambiguate their identities in the Subject field,
the CA would add a serialNumber containing a unique number of
their choice (the CA's). Consequently, we would end up with the
two certificates having a Subject field like the following:</p>
<p>Cert #1) givenName=Katerina, surname=Papadopoulos,
serialNumber=722486</p>
<p>Cert #2) givenName=Katerina, surname=Papadopoulos,
serialNumber=907235</p>
<p>Now, if I receive an email signed by one of the two
certificates above, I have no hints about which of the two
Katerina Papadopoulos wrote to me...</p>
<p>I might rely on some other Subject information, such as address
attributes (L, S, C) but that would not necessarily solve the
ambiguity.</p>
<p>However, should the serialNumber contain an ETSI-style natural
person identifier, I would have more chances to understand who
is the sender, based on what I know of the expected sender.<br>
</p>
<p>I am not asking to revise the BR so as to mandate this coding, I
was just sharing the proposal to get some opinions. After all,
the current BR draft does not forbid using an ETSI natural
person identifier in the Subject:serialNumber, so I suppose
nothing would prevent a CA from doing so. But maybe this could
be the preferred way to go rather than just a possibility...?<br>
</p>
<p>At any rate, we have already adopted the ETSI unique identifier
for legal persons (the draft BR requires the
organizationalIdentifier attribute in OV and SV certificates),
so I am not clear why we shouldn't do the same for natural
persons.</p>
<p>Adriano</p>
</blockquote>
<br>
I agree with your position that for IV certificates we SHOULD have
some <b>uniquely </b>personally identifiable information that <b>Relying
Parties</b> could use without the assistance of the CA.<br>
<br>
Dimitris.<br>
<blockquote type="cite"
cite="mid:010001802217096c-73108423-d3b9-4472-87bc-a13270a83769-000000@email.amazonses.com">
<p><br>
</p>
<div class="moz-cite-prefix">On 13/04/2022 09:02, Dimitris
Zacharopoulos (HARICA) via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018021bb8764-42439d6b-decc-4344-8362-bd9e28eb5aee-000000@email.amazonses.com">
Adriano, I don't think this is the situation today. According to
ETSI, a CA is allowed to use a unique identifier in the
subject:serialNumber field to disambiguate a natural person in
collision cases. The use of TIN, IDC, PAS, etc. is obviously
allowed but not the only way to add a serialNumber. In fact, the
use of these cases is associated with the semanticsIdentifier
of the qcStatements. You can totally avoid that today and be
compliant with the ETSI profiles.</blockquote>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
<br>
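<p>The following is an added example, not code from either participant in this thread or from the CA/Browser Forum. It shows what a Relying Party can and cannot work out from the Subject field alone in the two-certificate scenario discussed above: an opaque, CA-chosen serialNumber cannot be interpreted without asking the CA, while an ETSI-style natural person identifier (the "TYPE" + ISO 3166 country code + "-" + reference layout from ETSI EN 319 412-1) can be decoded locally. The identity-type codes are assumed to be the three the thread names (TIN, IDC, PAS) plus PNO; the profile's locally defined types are left out. All subject strings and identifier digits are constructed for the example.</p>

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Identity-type prefixes of the ETSI EN 319 412-1 natural person semantics
# identifier. TIN, IDC and PAS are named in the thread; PNO is the fourth
# common type in the same profile (assumption: locally defined types omitted).
ETSI_NP_TYPES = {
    "PAS": "passport number",
    "IDC": "national identity card number",
    "PNO": "national personal number",
    "TIN": "tax identification number",
}

# Layout of an ETSI-style value: 3-letter type, 2-letter ISO 3166 country
# code, a hyphen, then the reference issued by that national scheme.
_ETSI_NP_RE = re.compile(r"^(?P<type>PAS|IDC|PNO|TIN)(?P<country>[A-Z]{2})-(?P<ref>\S+)$")


@dataclass
class SerialNumberInfo:
    raw: str
    scheme: Optional[str]      # e.g. "TIN"; None for an opaque CA-chosen value
    country: Optional[str]
    reference: Optional[str]

    @property
    def is_talking(self) -> bool:
        """True when a Relying Party can interpret the value without the CA."""
        return self.scheme is not None


def parse_subject(dn: str) -> Dict[str, str]:
    """Split the comma-separated 'attr=value' Subject notation used in the thread."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        name, _, value = part.strip().partition("=")
        if not name or not value:
            raise ValueError(f"malformed subject component: {part!r}")
        attrs[name.strip()] = value.strip()
    return attrs


def classify_serial_number(value: str) -> SerialNumberInfo:
    """Decode an ETSI-style serialNumber, or mark the value as opaque."""
    m = _ETSI_NP_RE.match(value)
    if m is None:
        return SerialNumberInfo(value, None, None, None)
    return SerialNumberInfo(value, m["type"], m["country"], m["ref"])


def describe_signer(dn: str) -> str:
    """What a Relying Party can say about the signer from the Subject alone."""
    attrs = parse_subject(dn)
    name = f"{attrs.get('givenName', '?')} {attrs.get('surname', '?')}"
    info = classify_serial_number(attrs.get("serialNumber", ""))
    if not info.raw:
        return f"{name}: no serialNumber, cannot distinguish from namesakes"
    if info.is_talking:
        return (f"{name}: {ETSI_NP_TYPES[info.scheme]} {info.reference} "
                f"issued in {info.country}")
    return f"{name}: CA-assigned opaque identifier {info.raw} (ask the CA)"


# Constructed sample Subjects, following the two-certificate example in the thread.
OPAQUE_CERT_1 = "givenName=Katerina, surname=Papadopoulos, serialNumber=722486"
OPAQUE_CERT_2 = "givenName=Katerina, surname=Papadopoulos, serialNumber=907235"
# Constructed ETSI-style value: a Greek tax identification number (digits made up).
TALKING_CERT = "givenName=Katerina, surname=Papadopoulos, serialNumber=TINGR-123456789"

if __name__ == "__main__":
    for dn in (OPAQUE_CERT_1, OPAQUE_CERT_2, TALKING_CERT):
        print(describe_signer(dn))
```

<p>Running the block prints one line per Subject: the two opaque certificates yield identical name text and differ only in a number that means nothing to the recipient, whereas the ETSI-style one tells the recipient which national scheme and country issued the reference, which is the extra "hint" the proposal above is after. The regex deliberately requires the full TYPE + country + hyphen structure, so a CA-chosen number that happens to start with three capital letters is still reported as opaque rather than misread as a national identifier.</p>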
</body>
</html>