<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">That's okay for me too.</font></p>
<p><font face="Calibri">Adriano</font><br>
</p>
<div class="moz-cite-prefix">On 29/09/2022 20:32, Stephen Davidson
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001838a85e3a0-e3385a8f-f419-4d14-a3b5-2ea0cbbffae0-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">Hello all:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I merged a PR into the draft this morning
reflecting our conversation yesterday. In short, any Subject
Address info included in the cert Subject for the<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Org or
Sponsored certificate types is validated according to
section 3.2.3. <o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Individual
certificate types is validated according to section 3.2.4.
<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">See more at <a
href="https://github.com/cabforum/smime/pull/185/files"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/smime/pull/185/files</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for the dialogue. I think it is
useful to clarify this language. Please let me know if you
think this helps.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a> <b>On Behalf Of
</b>Clint Wilson via Smcwg-public<br>
<b>Sent:</b> Thursday, September 29, 2022 3:20 PM<br>
<b>To:</b> Pedro Fuentes <a class="moz-txt-link-rfc2396E" href="mailto:pfuentes@WISEKEY.COM">&lt;pfuentes@WISEKEY.COM&gt;</a><br>
<b>Cc:</b> SMIME Certificate Working Group
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]-Re: Ballot
SMC01: Final Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Pedro,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There may well be impact to both the
ideal wording in the guidelines, and to impacted practices.
The goal, as I understand it, is at a high level to
establish a set of requirements which define processes that
result in a consistent output of information in a
certificate, assuming the same input, regardless of issuing
CA. As I understand current practices, achieving this goal
will absolutely necessitate <i>some</i> alteration to <i>some</i>
implemented practices.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Sep 29, 2022, at 7:41 AM, Pedro
FUENTES &lt;<a href="mailto:pfuentes@WISEKEY.COM"
moz-do-not-send="true" class="moz-txt-link-freetext">pfuentes@WISEKEY.COM</a>&gt;
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Thanks, Clint. Therefore, your
understanding is that the C/ST/L are related always
to the O, and not to the person that is getting the
certificate. This definitely implies changing the
current writing of the guidelines, as we noticed
yesterday.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To be on the same page, these
examples would be <b>impacted</b> practices:<o:p></o:p></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">Company “Foo” is registered in the
US. There’s an employee that represents the
company sales operation in Mexico, but there’s
no Mexican registered company. In this case the
employee can’t get a certificate stating
“Mexico” as country. His certificate must always
include “C=US”<o:p></o:p></li>
</ul>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal">This reflects my understanding.<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo2">Company “Bar” is registered in
California, USA. There’s an employee working in
the Chicago office, but this is just a sales
office. All important operations (e.g. Billing)
are in California. In this case the employee
can’t get a certificate stating “Illinois” as
State. His certificate must always include
“ST=California, C=US”<o:p></o:p></li>
</ul>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal">That also sounds correct, in most
cases. If we add that “Bar” is <b>not</b> registered in
Illinois nor Chicago, then I think it becomes correct in
all cases.<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Are we OK with that?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As I said at the beginning,
currently we use the registered address
information and this is not an issue for us in
particular, but I mostly want to open a discussion
to ensure we are all on the same page, and to know
what will be eventually forbidden.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">BR/P<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 29 Sep 2022, at 15:58,
Clint Wilson &lt;<a
href="mailto:clintw@apple.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">clintw@apple.com</a>&gt;
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">My understanding is as
follows: where present, the legal entity
identified in the Subject (i.e. the “O”
field) is the legal entity used to
populate the C, ST, and L fields as well
(again, where present). That is, if there
is an organization named “Foo”, and it is
registered as “Foo” in South Africa,
Australia, Germany, and Brazil, then it
can use “Foo” as the O, and different
certificates could have different C, ST, L
values representing that legal entity in
South Africa, Australia, Germany, or
Brazil. If that same organization had a
subsidiary or similar registered as “Bar”
in Bulgaria, Japan, and Canada, it could
use “Bar” as the O, and different
certificates could have the C, ST, and L
values related to Bulgaria, Japan, and
Canada. “Foo” could not appear with Japan
as the country, and “Bar” could not appear
with Germany as the country, as those
legal entities are not registered in those
respective countries.<o:p></o:p></p>
<div>
<p class="MsoNormal">Would it help to
convey the “groupings” of subjectDN
values, with the goal of making it
clearer what values are being populated
with the same base/source data? <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Sep 29,
2022, at 3:55 AM, Pedro
FUENTES via Smcwg-public &lt;<a
href="mailto:smcwg-public@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>&gt;
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Well… I
don’t say that it’s
confusing, what I’d say is
that “country of operation”
is a very vague concept…<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">You
seem to understand that
the company needs to have
registered offices to
operate in a country, but
there are companies that
operate in countries where
they have people working
from home (i.e. sales
staff). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don’t
think we can directly
assimilate concepts of BRSSL
here, because in SSL the
subscriber is an entity
that can be an individual
or a company, but there’s
a clear and direct
relationship between the
organization name in the
TLS certificates and the
subscriber… In the case of
SMIME this relationship
between the subscriber and
the organisation is not so
clear at first sight.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Also,
we could need to extend
this discussion to the ST
(and L, eventually), not
only to the country.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">BR/P<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On
29 Sep 2022, at
12:27, Dimitris
Zacharopoulos
(HARICA) &lt;<a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
On 29/9/2022 12:59
PM, Pedro
FUENTES wrote:<br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p
class="MsoNormal">Txs.
Then it could be
understood that
the country of
the employee
could be
considered as a
country where
the company
operates… I’m OK
with that, and I
support this
interpretation,
but this is not
what was
discussed
yesterday, so we
should see about
the consensus on
this topic.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Why is this
confusing? The CA
must validate that
the company
operates (i.e. has
registered
offices) at a
certain location.
Then, this country
can be used in a
sponsored
validated profile.
If an employee is
working remotely
in a country where
the company does
not have
registered
offices, then that
country cannot be
used in a
sponsored
validated profile.<br>
<br>
Thanks,<br>
Dimitris.<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p
class="MsoNormal"><b><span
style="font-size:8.5pt;color:#F62400"><br>
WISeKey SA</span></b><o:p></o:p></p>
<div>
<p
class="MsoNormal"><b><span
style="font-size:8.5pt">Pedro Fuentes<br>
</span></b><span
style="font-size:8.5pt">CSO - Trust Services Manager</span><span
style="font-size:9.0pt"><br>
</span><span
style="font-size:7.5pt">Office:
+ 41 (0) 22
594 30 00<br>
Mobile: + 41
(0) </span><span
style="font-size:10.0pt">791 274 790</span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"><span
style="font-size:7.5pt">Address: Avenue Louis-Casaï 58 | </span><span
style="font-size:10.0pt">1216
Cointrin |
Switzerland</span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"><b><span
style="font-size:9.0pt">Stay connected with <a
href="http://www.wisekey.com/"
moz-do-not-send="true"><span style="color:#F62400">WISeKey</span></a><br>
</span></b><span
style="font-size:7.5pt;color:darkgray"><br>
<br>
</span><o:p></o:p></p>
</div>
<div>
<div>
<p
class="MsoNormal"><b><span
style="font-size:7.5pt;color:#78A600">THIS IS A TRUSTED MAIL</span></b><span
style="font-size:7.5pt;color:#78A600">: This message is digitally signed
with a WISeKey
identity. If
you get a mail
from WISeKey
please check
the signature
to avoid
security risks</span><span
style="font-size:9.0pt"><o:p></o:p></span></p>
</div>
<div>
<p
class="MsoNormal"><span
style="font-size:7.0pt;color:darkgray"><br>
<br>
</span><span
style="font-size:9.0pt"><o:p></o:p></span></p>
</div>
<div>
<div>
<p
class="MsoNormal"><b><span
style="font-size:7.0pt;color:darkgray">CONFIDENTIALITY: </span></b><span
style="font-size:7.0pt;color:darkgray">This email and any files
transmitted with it
can be
confidential
and
it’s intended
solely for the
use of
the individual or
entity to
which they
are addressed.
If you are not
the
named addressee
you should not
disseminate, distribute or copy this e-mail. If you have received this
email in error
please notify
the sender</span><span
style="font-size:9.0pt"><o:p></o:p></span></p>
</div>
<div>
<p
class="MsoNormal"><span
style="font-size:9.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p
class="MsoNormal"><b><span
style="font-size:7.0pt;color:darkgray">DISCLAIMER: </span></b><span
style="font-size:7.0pt;color:darkgray">WISeKey
does
not warrant
the accuracy
or completeness
of this
message and
does
not accept
any liability
for any errors
or
omissions herein
as this
message has
been transmitted over
a public
network.
Internet
communications cannot
be
guaranteed to
be secure or
error-free as
information
may be
intercepted,
corrupted,
or contain
viruses.
Attachments to
this e-mail
are checked
for viruses;
however, we do
not accept any
liability for
any damage
sustained by
viruses and therefore
you are kindly
requested to
check for
viruses upon
receipt.</span><span
style="font-size:9.0pt"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Smcwg-public mailing list<br>
<a
href="mailto:Smcwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<br>
</blockquote>
</body>
</html>