<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Well, in my opinion that's not a good thing.</font></p>
<p><font face="Calibri">Adriano<br>
</font></p>
<div class="moz-cite-prefix">On 16/10/2023 16:16, Martijn Katerbarg
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MW5PR17MB6012A778E1286DA28BBA3A12E3D7A@MW5PR17MB6012.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">Hi Adriano,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US"><br>
Yes, I do believe you’re correct. Taking your example, the
only difference would be the Policy OID in the certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">I’m not sure why anyone would in that case opt
for a Sponsor Validated cert over OV, however it does appear
to be compliant, yet only for Legacy templates.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black">From: </span></b><span
style="font-size:12.0pt;color:black">Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a> on behalf of
Adriano Santoni via Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Date: </b>Monday, 16 October 2023 at 15:52<br>
<b>To: </b><a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject: </b>[Smcwg-public] SV certificates devoid
of individual attributes<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p>Hello all,<o:p></o:p></p>
<p>I have the impression that the current SMBRs allow the
issuance of Sponsor-Validated certificates which, contrary to
the definition of this type of certificate, do not
contain any "Individual (Natural Person) attributes"
(quoting from the definition of Sponsor-Validated). At
least, this seems to hold for the "Legacy Generation
profiles".<o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt">according to §3.1.1 and
§7.1.4.2.2, the commonName does not necessarily have
to contain a Personal Name (in fact it MAY contain a
Mailbox Address)<o:p></o:p></span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2"><span
style="font-size:11.0pt">according to §7.1.4.2.5,
givenName and surname attributes are not required in
"Legacy Generation profiles".<o:p></o:p></span></li>
</ul>
<p>Furthermore, as already discussed in a previous thread,
there is no requirement that a personal email address
have a "personal" appearance (e.g. <a
href="mailto:forename.surname@company.com"
moz-do-not-send="true" class="moz-txt-link-freetext">forename.surname@company.com</a>).<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Therefore,
if I understand correctly, a Subject of the following
type within a "Legacy" SV (Sponsor-Validated)
certificate would be 100% compliant:<o:p></o:p></span></p>
<p>CN=info@example.com, O=Example HmbH, organizationIdentifier=NTRXX-xxxxx, C=XX<o:p></o:p></p>
<p>If this is true, it would make no difference if the
certificate was OV rather than SV: the Subject could be
identical in the two cases, and it would be devoid of
"Individual (Natural Person) attributes".<o:p></o:p></p>
<p>Is the above correct, or am I missing something?<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
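<p>Added example, not part of the thread and not any CA's or linter's own code: a small check over a printed Subject that reports which of the attributes named in the thread (givenName, surname, or a commonName that is not a Mailbox Address) are present. The function names, the address pattern and the second sample Subject are assumptions made for illustration.</p>

```python
import re

# Short and long attribute names as they appear in a printed Subject.
ALIASES = {"cn": "commonName", "commonname": "commonName",
           "gn": "givenName", "givenname": "givenName",
           "sn": "surname", "surname": "surname"}
# Assumption: a rough local@domain.tld shape stands in for "Mailbox Address".
MAILBOX = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")

# Subject quoted in the thread.
THREAD_SUBJECT = ("CN=info@example.com, O=Example HmbH, "
                  "organizationIdentifier=NTRXX-xxxxx, C=XX")
# Constructed sample for comparison (not from the thread).
NAMED_SUBJECT = "CN=Jane Doe, GN=Jane, SN=Doe, O=Example HmbH, C=XX"


def parse_subject(dn):
    """Split 'k=v, k=v' into (name, value) pairs.
    Assumption: values contain no escaped commas."""
    pairs = []
    for part in dn.split(","):
        name, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        key = name.strip()
        pairs.append((ALIASES.get(key.lower(), key), value.strip()))
    return pairs


def individual_attributes(dn):
    """Return the Subject attributes that carry natural-person information."""
    found = []
    for name, value in parse_subject(dn):
        if name in ("givenName", "surname"):
            found.append(name)
        elif name == "commonName" and not MAILBOX.fullmatch(value):
            # Assumption: a CN that is not a Mailbox Address names a person.
            found.append(name)
    return found


def lint_sponsor_validated(dn):
    """Flag an SV Subject that identifies an organization but no individual."""
    if individual_attributes(dn):
        return "ok"
    return "no individual attributes: Subject could equally be OV"


if __name__ == "__main__":
    for subject in (THREAD_SUBJECT, NAMED_SUBJECT):
        print(subject, "->", lint_sponsor_validated(subject))
```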
</body>
</html>