<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Hi Pedro,</font></p>
<p><font face="Calibri">I think you didn't get what I mean (Jochem
did). I wasn't referring to the domain part but rather the local
part of the email address. To give an example, I don't see any
problem in an OV cert that contains an email address of the type
<a class="moz-txt-link-abbreviated" href="mailto:ExampleLtd@gmail.com">ExampleLtd@gmail.com</a>, although obviously gmail.com is a Google
domain and not of Example Ltd., while I am a bit perplexed by an
OV cert issued for Example Ltd. containing an email address of
the type <a class="moz-txt-link-abbreviated" href="mailto:Name.Surname@example.com">Name.Surname@example.com</a>, especially without knowing
whether this address was validated with the BR method 3.2.2.1
(via domain) rather than 3.2.2.2 (via email). In the second
case, the applicant demonstrated that he/she only controls the
Name.Surname mailbox, but applied for an OV cert which (email
aside) contains his/her company's identity; these two things
don't seem to go together well, somehow, IMO.<br>
</font></p>
<p><font face="Calibri">Regards<br>
Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">On 16/09/2023 09:27, Pedro FUENTES
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:88121FEE-1744-4995-9F04-4F5986355157@wisekey.com">
<div dir="ltr">
<div dir="ltr">We should maybe just understand that there are
companies that don’t have a corporate mail service. </div>
<div dir="ltr"><br>
</div>
<div dir="ltr">IMHO… Once the mailbox is validated, the domain
component is not relevant. </div>
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On 16 Sept 2023 at 07:23, Adriano
Santoni via Smcwg-public <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<p><font face="Calibri">Hi Jochem,</font></p>
<p><font face="Calibri">thanks for sharing your thoughts; as
you say, they don't answer my question, but they do add
useful insight.</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">On 15/09/2023 17:17, Berge,
Jochem Van den wrote:<br>
</div>
<blockquote type="cite"
cite="mid:51e1e4caf16c412194fff03779420d29@logius.nl">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">
Hi Adriano,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> I’ve gone over the SBRGs and reading
section 3.2.2 of the SBRGs I think you might have a
point that it is not defined in the SBRG:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> This section defines the permitted
processes and procedures for confirming the <b>Applicant’s<o:p></o:p></b></span></i></p>
<p class="MsoNormal"><b><i><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> control</span></i></b> <i><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> of Mailbox Addresses to be included
in issued Certificates.<o:p></o:p></span></i></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> As far as I can see, if the Applicant
(or its representative) can demonstrate control
over the mailbox in question it looks like it is
allowed. Other entries in section 3 or in section 7
are mute on this point. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> If you look at TLS certificates the
relation between the (owner of a) FQDN and the
organization included in the certificate can be (and
often is) different (provided the applicant can
prove to have control over the FQDN). <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> The same kind of mechanic could apply
here. I think it boils down to if it ever was the
intent to derive any identifying information from an
email address or only use it for a cryptographic
link (like TLS)?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> If the decision would be that the
email address should have some identifying
properties I just realized that except for the
obvious cases (like the one you addressed) it is
very difficult to put such a requirement into words.
What would be the definition of an organization
controlled email address? And how would a CA be able
to check that it is? The example you list of sole
proprietorships can also be tricky to check by a CA,
and potentially opens up a can of worms.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> Long story short, my take is that it
is possible and that isn’t something we can easily
fix. I think it boils down to a more fundamental
choice of what the intent is of the different types
of profiles as defined in the SBRGs. Seeing that I
wasn’t involved with the earliest beginning of this
WG I can’t answer that question but I hope that
others can shed some light on it :). <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> <o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
Kind Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
<o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
Jochem van den Berge<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
Architect PKIoverheid<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">
<o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:14.0pt;font-family:"Verdana",sans-serif;color:#538135"
lang="EN-GB"> Logius<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"
lang="EN-GB"> <o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"
lang="EN-GB"> Digital Government Service<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D"
lang="EN-GB"> Ministry of the Interior and Kingdom
Relations<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public <a
class="moz-txt-link-rfc2396E"
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;smcwg-public-bounces@cabforum.org&gt;</a>
<b>On behalf of</b> Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Friday 15 September 2023 06:55<br>
<b>To:</b> <a
class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> [Smcwg-public] Individual email
addresses in OV certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello all,<o:p></o:p></p>
<p>given that an S/MIME OV certificate is characterized
by the fact that it conveys the identity of an
organization, is it acceptable for an OV certificate
to contain an email address that is clearly associated
with an individual mailbox (e.g. <a
href="mailto:name.surname@companydomain.tld"
moz-do-not-send="true" class="moz-txt-link-freetext">name.surname@companydomain.tld</a>)?
<o:p></o:p></p>
<p>If I'm not mistaken, this aspect is not touched on in
the BR and it therefore seems reasonable to assume
that the above case is permitted. However, the fact
that the Applicant only controls an individual email
address somehow feels "inappropriate" for an OV
certificate, so to say. <o:p></o:p></p>
<p>It seems okay for sole proprietorships, but in other
cases (legal persons with several employees) it seems
inconsistent.<o:p></o:p></p>
<p>Maybe the answer is already there, in the BR, but I
cannot see it.<o:p></o:p></p>
<p>Any comments welcome.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</body>
</html>