<div dir="auto">Shouldn't at least the email address be included, and verified, of course, by the CA?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 29, 2023, 11:35 AM Pedro FUENTES <<a href="mailto:pfuentes@wisekey.com">pfuentes@wisekey.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div dir="ltr"></div><div dir="ltr">+1</div><div dir="ltr"><br></div><div dir="ltr"><br><blockquote type="cite">On Sep 29, 2023, at 17:52, Clint Wilson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank" rel="noreferrer">smcwg-public@cabforum.org</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">Hi all,<div><br></div><div>In my opinion, CSRs should really be limited to conveying the public key and a proof of possession of the private key; the fields included therein <i>may</i> act as confirmatory signals for a CA, but shouldn’t be directly relied upon e.g. to generate a tbsCertificate. Rather, the values placed in fields of a tbsCertificate should originate from the CA’s validated data store to ensure that the only paths for data to become part of a signed certificate are through static configurations (e.g. 
signatureAlgorithm) or known-validated data.</div><div><br></div><div>There’s plenty of nuance we can discuss as well, but generally speaking I believe it’s bad practice to rely on fields in the CSR.</div><div><br></div><div>Cheers,</div><div>-Clint<br id="m_-6534719190591544900lineBreakAtBeginningOfMessage"><div><br><blockquote type="cite"><div>On Sep 29, 2023, at 8:27 AM, Ben Wilson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank" rel="noreferrer">smcwg-public@cabforum.org</a>> wrote:</div><br><div><div dir="ltr"><div>All,</div><div>I'm interested in gathering information from Certificate Issuers about the kind of information that they would like to collect/extract from the CSRs they receive from S/MIME certificate applicants. This information could be used to refine a system to generate CSRs that result in certificates compliant with the various profiles defined in the S/MIME BRs. Alternatively, what is the minimum amount of information that CAs might expect to obtain from CSRs? In other words, which fields should a CSR generator integrated with a Certificate Consumer's software support?</div><div>Thanks,</div><div>Ben<br></div></div>
_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank" rel="noreferrer">Smcwg-public@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" target="_blank" rel="noreferrer">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br></div></blockquote></div><br></div></div></blockquote></div></blockquote></div>
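<div>The approach discussed in this thread, as an added example that is not code from any of the participants or from the CA/Browser Forum: the CA takes only the public key from the CSR after checking its self-signature, fills the certificate template from its own validated record and static configuration, and treats the e-mail address in the CSR purely as a confirmatory signal. The names <code>ValidatedRecord</code>, <code>templateFromCSR</code> and <code>sampleCSR</code>, the ECDSA P-256 key type and the addresses are assumptions made for illustration.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// ValidatedRecord is a hypothetical row from the CA's validated data store.
type ValidatedRecord struct{ Email string }

// templateFromCSR takes only the public key from the CSR, after checking its
// self-signature (proof of possession); the CSR e-mail is compared, never copied.
func templateFromCSR(csrDER []byte, rec ValidatedRecord) (*x509.Certificate, bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, false, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, false, fmt.Errorf("proof of possession: %w", err)
	}
	confirmed := false // confirmatory signal only
	for _, e := range csr.EmailAddresses {
		confirmed = confirmed || e == rec.Email
	}
	return &x509.Certificate{
		PublicKey:          csr.PublicKey,        // the one value taken from the CSR
		EmailAddresses:     []string{rec.Email},  // validated data, not CSR data
		SignatureAlgorithm: x509.ECDSAWithSHA256, // static configuration (assumed)
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, confirmed, nil
}

// sampleCSR builds a constructed CSR that asks for the given e-mail address.
func sampleCSR(email string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	req := &x509.CertificateRequest{EmailAddresses: []string{email}}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

func main() {
	der, _ := sampleCSR("mallory@example.net") // constructed request
	_, confirmed, err := templateFromCSR(der, ValidatedRecord{Email: "alice@example.com"})
	fmt.Println("CSR e-mail matches validated record:", confirmed, "error:", err)
}
```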