<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">I agree with Rob.<br>
</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">On 02/10/2023 20:45, Robert Lee via
Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018af1b605ab-d917b2b3-82a4-4d53-a7b2-6caee230c02f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi
all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">So,
I can see the sense to Clint’s argument that fields in the
CSR may be confirmatory but shouldn’t be the only source of
the information that gets put into a certificate because it
should be coming from the store of vetted information held
by the CA. But what if the fields in a provided CSR are
explicitly contradictory to what is to be in the requested
certificate?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Providing
a CSR with no subject information in it to support the
certificate request is one thing, but what if a subscriber
provides a CSR containing subject information completely
different to that which should be put into the certificate?
If I am requesting a certificate for <a
href="mailto:rob@example.com" moz-do-not-send="true"
class="moz-txt-link-freetext">rob@example.com</a> and the
CSR I send to the CA to provide my public key and
proof-of-possession contains only the email address “<a
href="mailto:definitelynotrob@definitelynotexample.com"
moz-do-not-send="true" class="moz-txt-link-freetext">definitelynotrob@definitelynotexample.com</a>”
then there is a reasonable argument to be made that
something strange is going on and that my CSR does not
support my certificate request because the information it
does contain doesn’t match what should be included in my
certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I
guess I’d argue for a position of “The CSR doesn’t need to
contain everything, but what is in there should at least be
correct” which I _<i>think</i>_ mostly aligns with Clint’s
position.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Best
Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Rob<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="background:white"><b><span
style="color:#18376A">Dr. Robert Lee MEng PhD</span></b><span
style="font-size:12.0pt;color:#201F1E"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#18376A;background:white">Senior Software
Engineer with Cryptography SME</span><span
style="font-size:12.0pt;color:#201F1E"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:black"><a
href="http://www.globalsign.co.uk/" target="_blank"
moz-do-not-send="true"><span style="color:#0563C1">www.globalsign.co.uk</span></a></span><span
style="color:#18376A">|</span><span style="color:black"><a
href="http://www.globalsign.eu/" target="_blank"
moz-do-not-send="true"><span style="color:#0B4CB4">www.globalsign.eu</span></a></span><span
style="font-size:12.0pt;color:#201F1E"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black">From: </span></b><span
style="font-size:12.0pt;color:black">Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a> on behalf of
Adriano Santoni via Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Date: </b>Monday, 2 October 2023 at 07:57<br>
<b>To: </b><a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Subject: </b>Re: [Smcwg-public] [External Sender]
Re: [EXTERNAL]-Re: Fields for S/MIME CSRs<o:p></o:p></span></p>
</div>
<p>Not necessarily: the email address can be transmitted to
the CA as a separate datum. </p>
<p>Indeed, I would say that this is preferable because it
allows syntax checking on the email address without even
starting to look at the CSR, from which in my opinion only
the public key should be taken.</p>
<p>Adriano</p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 29/09/2023 21:21, Ben Wilson via
Smcwg-public wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="text-align:center"
align="center"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Shouldn't at least the email
address be included, and verified, of course, by the
CA?</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, Sep 29, 2023, 11:35 AM
Pedro FUENTES <<a
href="mailto:pfuentes@wisekey.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">pfuentes@wisekey.com</a>>
wrote:</p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">+1</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
</p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"
style="margin-bottom:12.0pt">On 29 Sept. 2023
at 17:52, Clint Wilson via Smcwg-public <<a
href="mailto:smcwg-public@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
wrote:</p>
</blockquote>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Hi all, </p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In my opinion, CSRs
should really be limited to conveying the
public key and a proof of possession of the
private key; the fields included therein <i>may</i>
act as confirmatory signals for a CA, but
shouldn’t be directly relied upon e.g. to
generate a tbsCertificate. Rather, the
values placed in fields of a tbsCertificate
should originate from the CA’s validated
data store to ensure that the only paths for
data to become part of a signed certificate
are through static configurations (e.g.
signatureAlgorithm) or known-validated data.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There’s plenty of nuance
we can discuss as well, but generally
speaking I believe it’s bad practice to rely
on fields in the CSR.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,</p>
</div>
<div>
<p class="MsoNormal">-Clint</p>
<div>
<p class="MsoNormal"><br>
<br>
</p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Sep 29, 2023, at
8:27 AM, Ben Wilson via Smcwg-public
<<a
href="mailto:smcwg-public@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
wrote:</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal">I'm interested
in gathering information from
Certificate Issuers about the kind
of information that they would
like to collect/extract from the
CSRs they receive from S/MIME
certificate applicants. This
information could be used to
refine a system to generate CSRs
that result in certificates
compliant with the various
profiles defined in the S/MIME
BRs. Alternatively, what is the
minimum amount of information that
CAs might expect to obtain from
CSRs? In other words, which fields
should a CSR generator integrated
with a Certificate Consumer's
software support?</p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Smcwg-public mailing list<br>
<a
href="mailto:Smcwg-public@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br>
</p>
</blockquote>
</div>
</div>
</div>
</blockquote>
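<p><font face="Calibri">The rule Rob arrives at above ("what is in there should at least be correct"), together with Clint's point that only the key and proof of possession should come from the CSR, as an added Go example that is not from any participant in this thread: the CA verifies the CSR's self-signature, takes only the public key, sources the email from its own validated record, accepts a key-only CSR, and rejects one whose email contradicts the record. <code>ValidatedRecord</code>, <code>CheckCSR</code> and <code>MakeCSR</code> are assumed names, and the CSRs are constructed inside the block with Go's standard <code>crypto/x509</code>.</font></p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// ValidatedRecord stands in for the CA's vetted data store (constructed).
type ValidatedRecord struct{ Email string }

// CheckCSR takes only the public key from the CSR: the CSR must prove
// possession of the private key, and any email it carries is merely
// confirmatory (absent is fine, contradictory is rejected).
func CheckCSR(der []byte, rec ValidatedRecord) (any, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	for _, e := range csr.EmailAddresses {
		if e != rec.Email {
			return nil, fmt.Errorf("CSR email %q contradicts validated %q", e, rec.Email)
		}
	}
	return csr.PublicKey, nil
}

// MakeCSR builds a constructed test CSR signed by a fresh P-256 key; with
// no emails it is the key-only CSR Adriano describes.
func MakeCSR(emails ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{EmailAddresses: emails}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

func main() {
	rec := ValidatedRecord{Email: "rob@example.com"}
	for _, csrEmails := range [][]string{{}, {"rob@example.com"}, {"definitelynotrob@definitelynotexample.com"}} {
		der, _ := MakeCSR(csrEmails...)
		_, err := CheckCSR(der, rec)
		fmt.Printf("CSR emails %v -> error: %v\n", csrEmails, err)
	}
}
```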
</body>
</html>