<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IN" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Respected: CA/B ā S/MIME Forum Members. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">I feel the problem that we are trying to solve by prohibiting email address from CN in Legacy will only make things complex rather than solve it.
During our discussion, the intent for legacy, always was to have minimum impact on existing practices and give time for wider industry to move to multipurpose or strict profile. I feel, we are defeating the whole purpose of legacy with suggested change, as
I am trying to understand how; eliminating email address from CN will help us differentiate a sponsor profile from organization profile. As, Technically, people can still use
<a href="mailto:department@example.com" target="_blank" title="mailto:department@example.com">
department@example.com</a> in sponsor profile as email address and also use <a href="mailto:ashish.dhiman@globalsign.com" target="_blank" title="mailto:ashish.dhiman@globalsign.com">
ashish.dhiman@globalsign.com</a> in Organization Profile as email address.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">On the other hand, this change will also deviate from current practices for CN use for legacy use cases Also, during implementation, we see in most
of the cases; email address used in Sponsor profiles are correct. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">I think removing email in CN makes legacy no longer like legacy and seems to make it stricter than multi and strict where its allowed. There is also
no indication that the intent for changes, will be achieved without mandatory use of Given Name and Sur Name in Legacy profile, which is again a big change considering legacy intent, and make these profiles similar to multi and strict version. Overall, this
change seems to defeat its goal of supporting wider ecosystem for a while. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Ashish<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt">From:</span></b><span lang="EN-US" style="font-size:11.0pt"> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Thursday, October 19, 2023 5:00 PM<br>
<b>To:</b> Martijn Katerbarg <martijn.katerbarg@sectigo.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender] Re: Re: Re: SV certificates devoid of individual attributes<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>I have created the pull request below. <o:p></o:p></p>
<p><a href="https://github.com/cabforum/smime/pull/218">https://github.com/cabforum/smime/pull/218</a><o:p></o:p></p>
<p>Even if there exists some niche legacy uses cases, I believe it would be highly preferable to avoid allowing SV certificates that do not match the SV definition and are indistinguishable from OV certs. Besides, it appears that in such particular contexts
OV certificates would still meet the need.<o:p></o:p></p>
<p>Looking for endorsers.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 16/10/2023 18:38, Martijn Katerbarg ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Happy to work with you on that. I do wonder what the cause and original intent behind this was.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">I wonder if they key lies in the Note added to section 7.1.4.2.5:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">ā</span>Legacy Generation profiles MAY omit the
<code>subject:givenName</code>, <code>subject:surname</code>, and <code>subject:pseudonym</code> attributes and include only the
<code>subject:commonName</code> as described in <a href="https://github.com/cabforum/smime/blob/main/SBR.md#71422-subject-distinguished-name-fields">
Section 7.1.4.2.2(a)</a>.<span lang="EN-US">ā</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">Could it be that the original intent here was that subject:givenName, subject:surname and subject:pseudonym are allowed to be left out,
<b>only</b> if subject:commonName was included <b>and</b> had either the pseudonym or givenName+surname in it?
<br>
<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">I could see that as a possible legacy use case, with the intend to deprecate. Iām not sure if any CA needs that use case at current though.<br>
<br>
Regards,<br>
<br>
Martijn</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Smcwg-public <a href="mailto:smcwg-public-bounces@cabforum.org">
<smcwg-public-bounces@cabforum.org></a> on behalf of Adriano Santoni via Smcwg-public
<a href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Date: </b>Monday, 16 October 2023 at 18:09<br>
<b>To: </b><a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>
<a href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Subject: </b>Re: [Smcwg-public] [External Sender] Re: Re: SV certificates devoid of individual attributes</span><o:p></o:p></p>
</div>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span style="color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<p>I would suggest an amendment in order to correct this unintended result; I'm available to dratf a proposal it if there are any endorsers.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">Il 16/10/2023 17:17, Dimitris Zacharopoulos via Smcwg-public ha scritto:</span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div align="center">
<table class="MsoNormalTable" border="1" cellspacing="3" cellpadding="0" width="30%" style="width:30.0%">
<tbody>
<tr>
<td valign="top" style="background:yellow;padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:11.0pt;color:red">NOTICE:</span><span style="font-size:11.0pt;color:black"> Pay attention - external email - Sender is
<a href="mailto:0100018b3910b1a1-5f63e11d-cb86-4599-8385-07abf817d4d1-000000@amazonses.com">
0100018b3910b1a1-5f63e11d-cb86-4599-8385-07abf817d4d1-000000@amazonses.com</a> </span>
<o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">I agree it's not a good thing. The SV profile was to support certificates that include attributes of individuals validated by the Enterprise RA. If we allow those to be missing,
making it effectively an OV Certificate, seems like an unintended result.<br>
<br>
Best regards,</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><br>
<br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Smcwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</body>
</html>