<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:283317590;
mso-list-type:hybrid;
mso-list-template-ids:1827179646 704684744 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1250118158;
mso-list-template-ids:-2073647506;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Thanks Russ!<o:p></o:p></p><p class=MsoNormal>True.<o:p></o:p></p><p class=MsoNormal>But on the counterpoint: are there Qualified certificates that match the Mailbox-validated profile? <o:p></o:p></p><ul type=disc><li class=MsoListParagraph style='mso-list:l0 level1 lfo2'>It seems a lot of work to validate identity for such a constrained profile.<o:p></o:p></li><li class=MsoListParagraph style='mso-list:l0 level1 lfo2'>ETSI EN 319 412-2 requires a subject contain at least C, GN/SN or Pseudonym, and CN.<o:p></o:p></li></ul><p class=MsoNormal>Best, Stephen<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Russ Housley <housley@vigilsec.com> <br><b>Sent:</b> Wednesday, April 19, 2023 2:35 PM<br><b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> Re: [Smcwg-public] SubjectDirectoryAttributes in MV-Legacy<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Stephen:<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Qualified Certificates allows SubjectDirectoryAttributes extension. See section 3.2.2 of RFC 3739. So, I think think it should be allowed.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Russ<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Apr 18, 2023, at 6:40 PM, Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hello:<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>In working out lints for the S/MIME linter (more info to come), Corey observed that we didn't explicitly ban SubjectDirectoryAttributes extension in a Mailbox-validated cert. See (j) of<span class=apple-converted-space> </span><a href="https://github.com/cabforum/smime/blob/main/SBR.md#7123-subscriber-certificates"><span style='color:#0563C1'>https://github.com/cabforum/smime/blob/main/SBR.md#7123-subscriber-certificates</span></a>.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>We did allow the SubjectDirectoryAttributes extension to be used in the Legacy generation profiles, knowing that it is used in many legacy implementations, and that the Legacy generation will eventually be deprecated.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>However, it seems odd to allow its use in the Mailbox-validated Legacy profile, which otherwise blocks the inclusion of Subject Identity information. <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1'>Does the SMCWG believe that the SubjectDirectoryAttributes extension should be allowed or disallowed in Mailbox-validated Legacy certs?<o:p></o:p></li><li class=MsoListParagraph style='margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1'>In the event that the SubjectDirectoryAttributes extension is disallowed, is this acceptable to be clarified in the Erratum ballot or should it be defined as a new ballot?<o:p></o:p></li></ol><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>This will be on agenda for our next call, but feel free to begin discussion.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Best, Stephen<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>_______________________________________________<br>Smcwg-public mailing list<br></span><a href="mailto:Smcwg-public@cabforum.org"><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#0563C1'>Smcwg-public@cabforum.org</span></a><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif'><br></span><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#0563C1'>https://lists.cabforum.org/mailman/listinfo/smcwg-public</span></a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div></body></html>