<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
p.m-5224068849881471405msolistparagraph, li.m-5224068849881471405msolistparagraph, div.m-5224068849881471405msolistparagraph
{mso-style-name:m_-5224068849881471405msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-ligatures:none;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1773281871;
mso-list-template-ids:-306681462;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Ben,<o:p></o:p></p><p class=MsoNormal>I’m unsure of how many CAs have implemented ACME for S/MIME (RFC 8823), but section 3, step 8 of that RFC specifies that the CSR MUST contain the requested email addresses in the SAN [1]. The inclusion of the email address in the CSR is useful from the perspective of creating a binding of the CSR to the specific certificate request.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[1] <a href="https://www.rfc-editor.org/rfc/rfc8823.html#name-use-of-acme-for-issuing-end">https://www.rfc-editor.org/rfc/rfc8823.html#name-use-of-acme-for-issuing-end</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Ben Wilson via Smcwg-public<br><b>Sent:</b> Thursday, October 5, 2023 5:02 PM<br><b>To:</b> Berge, Jochem Van den <jochem.vanden.berge@logius.nl>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> Re: [Smcwg-public] [External Sender] Re: Re: [EXTERNAL]-Re: Fields for S/MIME CSRs<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>So, will all CA systems out there accept and process my S/Mime CSR if I submit it with just the public key and no Subject DN or SAN? Has that been tested?<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Thu, Oct 5, 2023, 2:51 PM Berge, Jochem Van den via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Hi Adriano/Rob,</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Although I can see were you’re coming from (I’ve seen plenty of examples of garbled subject info in CSRs over time) I doubt the use for such a check. Any kind of authentication or authorization is managed by different means already. If an applicant requests a certificate, is properly authenticated and the data in the TBS certificate is properly validated by the CA according to the SBRGs but the Applicant uses a CSR with garbage subject info, that is not an issue that a CA should fix IMHO. Incorrect subject information in a CSR has zero impact on the end certificate (or it’s trustworthiness).</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Having thought about it, the only use cases for subject data in a CSR I can see are either:</span><span lang=NL><o:p></o:p></span></p><ol start=1 type=1><li class=m-5224068849881471405msolistparagraph style='color:#1F497D;mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>The Applicant has used the wrong CSR for a request by mistake, in which case a CA check on the subject data in the CSR could stop issuance of the certificate and alert the Applicant that a potential mistake was made. But those kind of things can also happen with CSRs with the right subject data (multiple CSRs with identical subjects and different keys, although that is maybe less common for S/MIME and more for TLS) </span><span lang=NL><o:p></o:p></span></li><li class=m-5224068849881471405msolistparagraph style='color:#1F497D;mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Easy identification of CSRs if you have a whole stack of them in the same place/system. That is mostly for the Applicant, the CA should already have a database entry for every application request and/or certificate. </span><span lang=NL><o:p></o:p></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Scenario 1 could be useful for a CA to check mainly with regards to customer service but with regards to the SBRGs it opens up another can of worms if the vetted identity data in the CA application portal uses slightly different data than the CSR. Spelling variations, diacritics etc. can make this difficult and can also make an application for an S/MIME certificate frustrating if the check is too strict, but automated checks tend to be black or white (0/1).</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>In the end I agree with Clint’s original statement I think. The CSR should only be used to bind the certificate to a public key. Any other authentication data or verification of source are managed elsewhere.</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Kind Regards,</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Jochem van den Berge</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Compliance Officer PKIoverheid</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-GB style='font-size:14.0pt;font-family:"Verdana",sans-serif;color:#538135'>Logius</span></b><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Digital Government Service</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>Ministry of the Interior and Kingdom Relations</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>........................................................................</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR style='font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F4E79'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>M</span></b><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'> (+31) (0)6 – 21 16 26 89</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>T </span></b><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>(+31) (0)70 - 888 76 91</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL style='color:#1F497D'><a href="mailto:jochem.vanden.berge@logius.nl" target="_blank"><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#0563C1'>jochem.vanden.berge@logius.nl</span></a></span><u><span lang=FR style='font-size:9.0pt;color:#0563C1'><br></span></u><span lang=NL style='color:#1F497D'><a href="https://url.avanan.click/v2/___http:/www.logius.nl/___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OjI5MjU6ZmMzZTliMTExMWFkNGUxZWUzNjYwM2QzYzNkOTEyNzM2ZDZjOGQzNTU0NGNiNDMwNzg5NjU2NTdiMTg4MDY0MzpoOkY" target="_blank" title="Protected by Avanan: http://www.logius.nl/"><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#0563C1'>www.logius.nl</span></a></span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR style='font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F4E79'> </span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>workdays Mo-Tue & Thu-Fri</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D'>........................................................................</span><span lang=NL><o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=NL>Van:</span></b><span lang=NL> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org" target="_blank">smcwg-public-bounces@cabforum.org</a>> <b>Namens </b>Adriano Santoni via Smcwg-public<br><b>Verzonden:</b> dinsdag 3 oktober 2023 08:52<br><b>Aan:</b> <a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a><br><b>Onderwerp:</b> Re: [Smcwg-public] [External Sender] Re: Re: [EXTERNAL]-Re: Fields for S/MIME CSRs<o:p></o:p></span></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><p><span lang=NL>I agree with Rob.<o:p></o:p></span></p><p><span lang=NL>Adriano<o:p></o:p></span></p><p><span lang=NL> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Il 02/10/2023 20:45, Robert Lee via Smcwg-public ha scritto:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Hi all,<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>So, I can see the sense to Clint’s argument that fields in the CSR may be confirmatory but shouldn’t be the only source of the information that gets put into a certificate because it should be coming from the store of vetted information held by the CA. But what if the fields in a provided CSR are explicitly contradictory to what is to be in the requested certificate?<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Providing a CSR with no subject information in it to support the certificate request is one thing, but what if a subscriber provides a CSR containing subject information completely different to that which should be put into the certificate? If I am requesting a certificate for <a href="mailto:rob@example.com" target="_blank">rob@example.com</a> and the CSR I send to the CA to provide my public key and proof-of-possession contains only the email address “<a href="mailto:definitelynotrob@definitelynotexample.com" target="_blank">definitelynotrob@definitelynotexample.com</a>” then there is a reasonable argument to be made that something strange is going on and that my CSR does not support my certificate request because the information it does contain doesn’t match what should be included in my certificate.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>I guess I’d argue for a position of “The CSR doesn’t need to contain everything, but what is in there should at least be correct” which I _<i>think</i>_ mostly aligns with Clint’s position.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Best Regards,<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Rob<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white'><b><span lang=NL style='color:#18376A'>Dr. Robert Lee MEng PhD</span></b><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white'><span lang=NL style='color:#18376A;background:white'>Senior Software Engineer with Cryptography SME</span><span lang=NL><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white'><span lang=NL style='color:black'><a href="https://url.avanan.click/v2/___http:/www.globalsign.co.uk/___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OjU1ZmY6MzQzN2Y1YWE1YzAwYTM5NzA1ZjcxZTVmZTJmNzUyN2RmZTBmY2E1MjQ2YmNmMWIzMTZmOGM5MzMzNzZmNjBhYjpoOkY" target="_blank" title="Protected by Avanan: http://www.globalsign.co.uk/"><span style='color:#0563C1'>www.globalsign.co.uk</span></a></span><span lang=NL style='color:#18376A'>|</span><span lang=NL style='color:black'><a href="https://url.avanan.click/v2/___http:/www.globalsign.eu/___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OmY0YzQ6MWYxY2U4MThmYjI0NTYwYWZhMTljOTY1MmQxZGYxNzQ0NDllNTA3NzA2YWU5MjEzOGEwZTI4ZWQyYWQwYjc0ZDpoOkY" target="_blank" title="Protected by Avanan: http://www.globalsign.eu/"><span style='color:#0B4CB4'>www.globalsign.eu</span></a></span><span lang=NL><o:p></o:p></span></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><div id="m_-5224068849881471405mail-editor-reference-message-container"><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><b><span lang=NL style='font-size:12.0pt;color:black'>From: </span></b><span lang=NL style='font-size:12.0pt;color:black'>Smcwg-public <a href="mailto:smcwg-public-bounces@cabforum.org" target="_blank"><smcwg-public-bounces@cabforum.org></a> on behalf of Adriano Santoni via Smcwg-public <a href="mailto:smcwg-public@cabforum.org" target="_blank"><smcwg-public@cabforum.org></a><br><b>Date: </b>Monday, 2 October 2023 at 07:57<br><b>To: </b><a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a> <a href="mailto:smcwg-public@cabforum.org" target="_blank"><smcwg-public@cabforum.org></a><br><b>Subject: </b>Re: [Smcwg-public] [External Sender] Re: [EXTERNAL]-Re: Fields for S/MIME CSRs</span><span lang=NL><o:p></o:p></span></p></div><p><span lang=NL>Not necessarily: the email address can be transmitted to the CA as a separate datum. <o:p></o:p></span></p><p><span lang=NL>Indeed, I would say that this is preferable because it allows syntax checking on the email address without even starting to look at the CSR, from which in my opinion only the public key should be taken.<o:p></o:p></span></p><p><span lang=NL>Adriano<o:p></o:p></span></p><p><span lang=NL> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Il 29/09/2023 21:21, Ben Wilson via Smcwg-public ha scritto:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div align=center><table class=MsoNormalTable border=1 cellspacing=3 cellpadding=0 width="30%" style='width:30.0%'><tr><td valign=top style='background:yellow;padding:1.5pt 1.5pt 1.5pt 1.5pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:red'>NOTICE:</span><span style='color:black'> Pay attention - external email - Sender is <a href="mailto:0100018ae263a9a7-3e84e260-b7d7-43c5-85cb-d1425682cb27-000000@amazonses.com" target="_blank">0100018ae263a9a7-3e84e260-b7d7-43c5-85cb-d1425682cb27-000000@amazonses.com</a> </span><o:p></o:p></p></td></tr></table></div><p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:center'><span lang=NL> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Shouldn't at least the email address be included, and verified, of course, by the CA?<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>On Fri, Sep 29, 2023, 11:35 AM Pedro FUENTES <<a href="mailto:pfuentes@wisekey.com" target="_blank">pfuentes@wisekey.com</a>> wrote:<o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>+1<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=NL> <o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=NL>Le 29 sept. 2023 à 17:52, Clint Wilson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>> a écrit :<o:p></o:p></span></p></blockquote></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Hi all, <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>In my opinion, CSRs should really be limited to conveying the public key and a proof of possession of the private key; the fields included therein <i>may</i> act as confirmatory signals for a CA, but shouldn’t be directly relied upon e.g. to generate a tbsCertificate. Rather, the values placed in fields of a tbsCertificate should originate from the CA’s validated data store to ensure that the only paths for data to become part of a signed certificate are through static configurations (e.g. signatureAlgorithm) or known-validated data.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>There’s plenty of nuance we can discuss as well, but generally speaking I believe it’s bad practice to rely on fields in the CSR.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Cheers,<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>-Clint<o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=NL> <o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>On Sep 29, 2023, at 8:27 AM, Ben Wilson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>All,<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>I'm interested in gathering information from Certificate Issuers about the kind of information that they would like to collect/extract from the CSRs they receive from S/MIME certificate applicants. This information could be used to refine a system to generate CSRs that result in certificates compliant with the various profiles defined in the S/MIME BRs. Alternatively, what is the minimum amount of information that CAs might expect to obtain from CSRs? In other words, which fields should a CSR generator integrated with a Certificate Consumer's software support?<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>Ben<o:p></o:p></span></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br><a href="https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/smcwg-public___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OjI4YzA6ZGE0OTEzNWZmMTFhNWYxMGNjYTkyNTFjMDVjMDYyNWJhNTM5YjBjZWU4YzIyNTkzYjJiZDRiYTY3MjQ1MzczZjpoOkY" target="_blank" title="Protected by Avanan: https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></span></p></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL> <o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=NL>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br><a href="https://url.avanan.click/v2/___https:/urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=SdzPRXhti18pWLmVPVZwDOe4My0SBGtWzL3HSt02tHKsXpWQUw9YUb_QzXtxZYtw&s=5yodJ9UuvfVvN_CqY53dyFJyNwYRRJDEfhmuysvXrQA&e=___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OjA0Y2I6MWU1ZjA0NDUxMjAwYWQwZjU3MGMzNzJkY2RlNDNiYTczYTliZTY5YWJmY2JmMGNiOWY4ZjE5MzRhMTk5NGVmNjpoOkY" target="_blank" title="Protected by Avanan: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=SdzPRXhti18pWLmVPVZwDOe4My0">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=SdzPRXhti18pWLmVPVZwDOe4My0SBGtWzL3HSt02tHKsXpWQUw9YUb_QzXtxZYtw&s=5yodJ9UuvfVvN_CqY53dyFJyNwYRRJDEfhmuysvXrQA&e=</a><o:p></o:p></span></p></div></blockquote></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=NL> <o:p></o:p></span></p><pre><span lang=NL>_______________________________________________<o:p></o:p></span></pre><pre><span lang=NL>Smcwg-public mailing list<o:p></o:p></span></pre><pre><span lang=NL><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=NL><a href="https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/smcwg-public___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OjAzNWM6OWNmMmIzZTM2ZGU2M2ZiZjcxYWI5ZGY1MGMxZjE5OTFkMGUxNDkxY2IyNTI4ZDA1NDJlOTg5NjMxMWY3MTU5MDpoOkY" target="_blank" title="Protected by Avanan: https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></span></pre></blockquote></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=NL><o:p> </o:p></span></p><pre><span lang=NL>_______________________________________________<o:p></o:p></span></pre><pre><span lang=NL>Smcwg-public mailing list<o:p></o:p></span></pre><pre><span lang=NL><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=NL><a href="https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/smcwg-public___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OjIxNjY6YjBhYmYwYWE0ODhiYjE1MWViZThhYTg2MDVkNzU2OGEwMzVjMmMzYjhiNTgzMjczY2EyYTk5OWFmM2NmOTI2NTpoOkY" target="_blank" title="Protected by Avanan: https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></span></pre></blockquote></div><p class=MsoNormal><span lang=NL><o:p> </o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=NL><hr size=2 width="100%" align=center></span></div><p class=MsoNormal><span lang=NL style='font-size:7.5pt;font-family:"Arial",sans-serif;color:gray'>Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.<br>This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. </span><span lang=NL><o:p></o:p></span></p></div><p class=MsoNormal>_______________________________________________<br>Smcwg-public mailing list<br><a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br><a href="https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/smcwg-public___.YXAzOmRpZ2ljZXJ0OmE6bzplMTEyNjU2Y2U3YzJlODQ4ZTc1NmI1MjY5MTNiNTlmZTo2OmJlMTA6MmM1YWU5NjE1NDA0N2RiY2YxODFkMWE2YzhmYTA0NjZlYWE0MGZiZGMxYTIwZTUxOWU0NjA0OGNhMTA4YTMzOTpoOkY" target="_blank" title="Protected by Avanan: https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></p></blockquote></div></div></body></html>