<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I see your point, Wendy; however, this seems to me a valid reason
for not mandating the approach I am proposing, not for not
recommending it (wherever possible). <br>
</p>
<p>We should ask ourselves how effectively the triad of
attributes (givenName, surname, a CA-assigned number) identifies the
subscriber of an IV certificate towards relying parties. While in
the OV case the subscriber identification is accurate (thanks to
the mandatory organizationIdentifier attribute), in the IV case
it seems to me rather weak/ambiguous.</p>
<p>Adriano</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 13/04/2022 13:15, Wendy Brown -
QT3LB-C via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018022a30a31-4ac41250-d67e-490c-8994-86470218f410-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">I would really be against requiring that the serial
number for individual S/MIME certificates contain a number
assigned to the individual by the government. This would be very
problematic in the US. What we discussed about the use of this
field was to enable the CA to ensure uniqueness when the name of
the individual may be common. <br clear="all">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<p><span style="font-family:"Segoe
Script",sans-serif">Wendy</span></p>
<p><span style="font-size:12.8px">Wendy
Brown<br>
</span><span style="font-size:12.8px">Supporting
GSA FPKI<br>
</span><span style="font-size:12.8px">Protiviti
Government
Services</span></p>
<p> 703-965-2990 (cell)</p>
<p><a href="mailto:wendy.brown@gsa.gov"
style="font-size:12.8px"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">wendy.brown@gsa.gov</a><br>
<a
href="mailto:wendy.brown@protiviti.com"
style="font-family:Calibri,sans-serif"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">wendy.brown@protiviti.com</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Apr 13, 2022 at 3:03
AM Dimitris Zacharopoulos (HARICA) via Smcwg-public <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
<br>
<div>On 4/4/2022 1:02 PM, Adriano Santoni via Smcwg-public
wrote:<br>
</div>
<blockquote type="cite">
<p><font face="Calibri">Hi all,</font></p>
<p><font face="Calibri">I have some doubts about this
part, in connection with IV and SV certificates:<br>
</font></p>
<blockquote type="cite"><b>7.1.4.2.2 Subject distinguished
name fields</b><br>
<br>
g. <b>Certificate Field</b>: subject:serialNumber
(2.5.4.5) <br>
<b>Contents</b>: If present, the subject:serialNumber
MAY be used to contain an identifier assigned by the CA
or RA to identify and/or to disambiguate the Subscriber.<br>
</blockquote>
<br>
I'm rather dubious about "an identifier assigned by the CA
or RA" being appropriate. Unless a pseudonym is used, the
Subscriber identity should be clear to Relying Parties
without a need to query the CA or RA, which would however
be necessary if such an identifier were assigned by the CA or
RA and the certificate contained no other disambiguating
information.<br>
<br>
How about we decide, instead, that the subject:
serialNumber MAY contain, for disambiguating purposes, a
unique identifier of the Subscriber assigned to him/her by
a government agency? It could be taken from the identity
document that has been verified according to section 3.2.4
(Authentication of individual identity) and encoded
according to ETSI EN 319 412-1 Section 5.1.3 (e.g.
IDCxx-nnnnn, PASxx-nnnnn, TINxx-nnnnn and so on).<br>
<p>Apart from this, it seems to me that the purpose and
requirements of this attribute are not very well
explained in the various cases (MV, IV, OV, SV). For
example, since the organizationIdentifier attribute is
mandatory in the OV case, what would be the use of
having the serialNumber in the subject as well?</p>
<p>Adriano</p>
</blockquote>
<br>
Sorry if this has already been discussed in S/MIME calls.<br>
<br>
Adriano, I don't think this is the situation today.
According to ETSI, a CA is allowed to use a unique
identifier in the subject:serialNumber field to disambiguate
a natural person in collision cases. The use of TIN, IDC,
PAS, etc. is obviously allowed but not the only way to add a
serialNumber. In fact, the use of these cases is associated
with the semanticsIdentifier of the qcStatements. You can
totally avoid that today and be compliant with the ETSI
profiles.<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite">
<p><br>
</p>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Smcwg-public mailing list
<a href="mailto:Smcwg-public@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</blockquote>
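<p>The ETSI EN 319 412-1 clause 5.1.3 encoding that the quoted message refers to (IDCxx-nnnnn, PASxx-nnnnn, TINxx-nnnnn) is what lets a relying party read a subject:serialNumber without querying the issuer. The Python below is an added example, not code from this thread or from the CA/Browser Forum: it classifies a subject:serialNumber value as an ETSI-encoded government identifier or as an opaque CA/RA-assigned one, and reports whether the givenName/surname/serialNumber triad is self-describing. The identity-type table (PAS, IDC, PNO, TIN, plus a two-letter national scheme code ending in a colon) is reproduced from the standard as the author of this example reads it, and the country code is only checked for shape, not against ISO 3166.</p>

```python
"""Classify subject:serialNumber (OID 2.5.4.5) values in S/MIME IV certificates.

ETSI EN 319 412-1 clause 5.1.3 encodes a natural-person identifier as
<3-char type><2-char country>-<identifier>, e.g. IDCIT-AB123456 (constructed
sample). Anything else is treated as an opaque CA/RA-assigned disambiguator
that a relying party cannot resolve without asking the issuer.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Identity type references for natural persons, as understood from
# ETSI EN 319 412-1 (assumption: check against the edition you target).
NATURAL_PERSON_TYPES = {
    "PAS": "passport number",
    "IDC": "national identity card number",
    "PNO": "personal (civic registration) number",
    "TIN": "tax identification number",
}
# Three letters, or a two-letter national scheme code followed by ":",
# then a two-letter country code, "-", and the scheme-specific identifier.
_ETSI_RE = re.compile(r"^(?P<type>[A-Z]{3}|[A-Z]{2}:)(?P<cc>[A-Z]{2})-(?P<id>.+)$")


@dataclass(frozen=True)
class SerialNumberInfo:
    raw: str
    kind: str  # "government-id", "national-scheme" or "ca-assigned"
    id_type: Optional[str] = None
    country: Optional[str] = None
    identifier: Optional[str] = None


def classify_serial_number(value: str) -> SerialNumberInfo:
    """Return how a relying party can interpret a subject:serialNumber value."""
    m = _ETSI_RE.match(value)
    if not m:
        return SerialNumberInfo(raw=value, kind="ca-assigned")
    id_type, cc, ident = m.group("type"), m.group("cc"), m.group("id")
    if id_type in NATURAL_PERSON_TYPES:
        return SerialNumberInfo(value, "government-id", id_type, cc, ident)
    if id_type.endswith(":"):
        return SerialNumberInfo(value, "national-scheme", id_type, cc, ident)
    # Three uppercase letters that are not a defined type: treat as opaque.
    return SerialNumberInfo(raw=value, kind="ca-assigned")


def is_self_describing(given_name: str, surname: str, serial_number: str) -> bool:
    """True when the triad identifies the subscriber without querying the CA/RA."""
    if not (given_name and surname):
        return False
    return classify_serial_number(serial_number).kind != "ca-assigned"
```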
</body>
</html>