<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Hi Jochem,</font></p>
<p><font face="Calibri">thanks for sharing your thoughts; as you
say, they don't answer my question, but they do add useful
insight.</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">On 15/09/2023 17:17, Berge, Jochem Van
den wrote:<br>
</div>
<blockquote type="cite"
cite="mid:51e1e4caf16c412194fff03779420d29@logius.nl">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">
Hi Adriano,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
I’ve gone over the SBRGs and reading section 3.2.2 of the
SBRGs I
think you might have a point that it is not defined in the
SBRG:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
This section defines the permitted processes and
procedures for
confirming the <b>Applicant’s<o:p></o:p></b></span></i></p>
<p class="MsoNormal"><b><i><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
control</span></i></b> <i><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
of Mailbox Addresses to be included in issued
Certificates.<o:p></o:p></span></i></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
As far as I can see, if the Applicant (or its
representative) can
demonstrate control over the mailbox in question it looks
like it
is allowed. Other entries in section 3 or in section 7 are
mute on
this point. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
If you look at TLS certificates the relation between the
(owner of
a) FQDN and the organization included in the certificate can
be
(and often is) different (provided the applicant can prove
to have
control over the FQDN). <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
The same kind of mechanic could apply here. I think it boils
down
to if it ever was the intent to derive any identifying
information
from an email address or only use it for a cryptographic
link (like
TLS)?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
If the decision would be that the email address should have
some
identifying properties I just realized that except for the
obvious
cases (like the one you addressed) it is very difficult to
put such
a requirement into words. What would be the definition of an
organization controlled email address? And how would a CA be
able
to check that it is? The example you list of sole
proprietorships
can also be tricky to check by a CA, and potentially opens
up a can
of worms.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
Long story short, my take is that it is possible and that
isn’t
something we can easily fix. I think it boils down to a more
fundamental choice of what the intent is of the different
types of
profiles as defined in the SBRGs. Seeing that I wasn’t
involved
with the earliest beginning of this WG I can’t answer that
question
but I hope that others can shed some light on it :).
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">
<o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
Kind Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
Jochem van den Berge<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
Architect PKIoverheid<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
<o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:14.0pt;font-family:"Verdana",sans-serif;color:#538135"
lang="EN-GB">
Logius<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"
lang="EN-GB">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"
lang="EN-GB">
Digital Government Service<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"
lang="EN-GB">
Ministry of the Interior and Kingdom
Relations<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a> <b>On behalf of</b>
Adriano
Santoni via Smcwg-public<br>
<b>Sent:</b> Friday 15 September 2023 06:55<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> [Smcwg-public] Individual email
addresses in OV
certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello all,<o:p></o:p></p>
<p>given that an S/MIME OV certificate is characterized by the
fact
that it conveys the identity of an organization, is it
acceptable
for an OV certificate to contain an email address that is
clearly
associated with an individual mailbox (e.g. <a
href="mailto:name.surname@companydomain.tld"
moz-do-not-send="true" class="moz-txt-link-freetext">name.surname@companydomain.tld</a>)?
<o:p></o:p></p>
<p>If I'm not mistaken, this aspect is not touched on in the BR
and
it therefore seems reasonable to assume that the above case is
permitted. However, the fact that the Applicant only controls
an
individual email address somehow feels "inappropriate"
for an OV certificate, so to say. <o:p></o:p></p>
<p>It seems okay for sole proprietorships, but in other cases
(legal persons with several employees) it seems
inconsistent.<o:p></o:p></p>
<p>Maybe the answer is already there, in the BR, but I cannot
see
it.<o:p></o:p></p>
<p>Any comments welcome.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
</div>
</blockquote>
</body>
</html>