<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NL" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi Adriano,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I think you might have a point that it is not defined in
the SBRG:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">This section defines the permitted processes and procedures for confirming the
<b>Applicant’s<o:p></o:p></b></span></i></p>
<p class="MsoNormal"><b><i><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">control</span></i></b><i><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">
of Mailbox Addresses to be included in issued Certificates.<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">As far as I can see, if the Applicant (or it’s representative) can demonstrate control over the mailbox in question it
looks like it is allowed. Other entries in section 3 or in section 7 are mute on this point.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">If you look at TLS certificates the relation between the (owner of a) FQDN and the organization included in the certificate
can be (and often is) different (provided the applicant can prove to have control over the FQDN).
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">The same kind of mechanic could apply here. I think it boils down to if it ever was the intent to derive any identifying
information from an email address or only use it for a cryptographic link (like TLS)?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">If the decision would be that the email address should have some identifying properties I just realized that except for
the obvious cases (like the one you addressed) it is very difficult to put such a requirement into words. What would be the definition of an organization controlled email address? And how would a CA be able to check that it is? The example you list of sole
proprietorships can also be tricky to check by a CA, and potentially opens up a can of worms.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Long story short, my take is that it is possible and that isn’t something we can easily fix. I think it boils down to a
more fundamental choice of what the intent is of the different types of profiles as defined in the SBRGs. Seeing that I wasn’t involved with the earliest beginning of this WG I can’t answer that question but I hope that other can shed some light on it
</span><span lang="EN-US" style="font-size:9.0pt;font-family:Wingdings;color:#1F497D;mso-fareast-language:EN-US">J</span><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Kind Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Jochem van den Berge<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Architect PKIoverheid<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:14.0pt;font-family:"Verdana",sans-serif;color:#538135">Logius<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Digital Government Service<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Ministry of the Interior and Kingdom Relations<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">........................................................................<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">M</span></b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> (+31) (0)6 – 21 16 26 89<o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">T
</span></b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">(+31) (0)70 - 888 76 91<b><o:p></o:p></b></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a href="mailto:jochem.vanden.berge@logius.nl"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#0563C1">jochem.vanden.berge@logius.nl</span></a></span><u><span lang="FR" style="font-size:9.0pt;color:#0563C1"><br>
</span></u><span style="color:#1F497D"><a href="http://www.logius.nl/"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#0563C1">www.logius.nl</span></a></span><u><span lang="FR" style="color:#0563C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span lang="FR" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">workdays Mo-Tue & Thu-Fri<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">........................................................................<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>Van:</b> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>Namens </b>Adriano Santoni via Smcwg-public<br>
<b>Verzonden:</b> vrijdag 15 september 2023 06:55<br>
<b>Aan:</b> smcwg-public@cabforum.org<br>
<b>Onderwerp:</b> [Smcwg-public] Individual email addresses in OV certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello all,<o:p></o:p></p>
<p>given that an S/MIME OV certificate is characterized by the fact that it conveys the identity of an organization, it is acceptable for an OV certificate to contain an email address that is clearly associated with an individual mailbox (e.g.
<a href="mailto:name.surname@companydomain.tld">name.surname@companydomain.tld</a>) ? <o:p></o:p></p>
<p>If I'm not mistaken, this aspect is not touched on in the BR and it therefore seems reasonable to assume that the above case is permitted. However, the fact that the Applicant only controls an individual email address somehow feels "inappropriate" for an
OV certificate, so to say. <o:p></o:p></p>
<p>It seems okay for sole proprietorships, but in other cases (legal persons with several employees) it seems inconsistent.<o:p></o:p></p>
<p>Maybe the answer is already there, in the BR, but I cannot see it.<o:p></o:p></p>
<p>Any comments welcome.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
</div>
<br>
<HR>
<font color=gray size=1 face=Arial>Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.<br>This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. </HR><br></font></body>
</html>