<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Ashish,</font></p>
<p><font face="Calibri">my intent would not be to prohibit anything,
but rather to make two types of certificates (OV, SV)
distinguishable that otherwise are not, and to make the S/MIME
baseline requirements consistent with the definition of
Sponsor-Validated.<br>
<br>
Furthermore, I don't understand why what I'm proposing could
cause problems for those who need, for their legacy use case,
S/MIME certificates that simultaneously contain
Subject.organizationName AND <i>any type </i>of email address
in the Subject.commonName (like <a class="moz-txt-link-abbreviated" href="mailto:department@example.com">department@example.com</a> or
<a class="moz-txt-link-abbreviated" href="mailto:ashish.dhiman@globalsign.com">ashish.dhiman@globalsign.com</a> to quote your examples), plus of
course locality and organizationIdentifier. In fact, in such a use
case you can very well use OV-type S/MIME certificates. Don't
you?<br>
</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">On 20/10/2023 10:20, Ashish Dhiman
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:KL1PR03MB83179F73DE6B81E3A51689138CDBA@KL1PR03MB8317.apcprd03.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">Respected: CA/B – S/MIME Forum
Members.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">I feel the problem that we are trying to solve
by prohibiting email addresses in the CN in Legacy will only make
things complex rather than solve it. During our discussion, the
intent for legacy was always to have minimum impact on existing
practices and give time for the wider industry to move to the multipurpose
or strict profile. I feel we are defeating the whole purpose of
legacy with the suggested change, as I am trying to understand how
eliminating the email address from the CN will help us differentiate
a sponsor profile from an organization profile. Technically, people
can still use <a href="mailto:department@example.com"
target="_blank" title="mailto:department@example.com"
moz-do-not-send="true" class="moz-txt-link-freetext">department@example.com</a>
in the sponsor profile as the email address and also use <a
href="mailto:ashish.dhiman@globalsign.com" target="_blank"
title="mailto:ashish.dhiman@globalsign.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ashish.dhiman@globalsign.com</a>
in the Organization Profile as the email address.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">On the other hand, this change will also deviate
from current practices for CN use in legacy use cases. Also, during
implementation, we see that in most cases the email addresses
used in Sponsor profiles are correct. <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">I think removing email in the CN makes legacy no
longer like legacy and seems to make it stricter than multipurpose and
strict, where it's allowed. There is also no indication that the
intent of the changes will be achieved without mandatory use of Given
Name and Surname in the Legacy profile, which is again a big change
considering the legacy intent, and makes these profiles similar to the multipurpose
and strict versions. Overall, this change seems to defeat its goal
of supporting the wider ecosystem for a
while. <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">Ashish<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt"
lang="EN-US">From:</span></b> <span
style="font-size:11.0pt" lang="EN-US">Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a> <b>On Behalf
Of</b>
Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Thursday, October 19, 2023 5:00 PM<br>
<b>To:</b> Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a>;
SMIME Certificate Working Group
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender] Re:
Re: Re: SV
certificates devoid of individual attributes<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>I have created the pull request below. <o:p></o:p></p>
<p><a href="https://github.com/cabforum/smime/pull/218"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/smime/pull/218</a><o:p></o:p></p>
<p>Even if there exist some niche legacy use cases, I believe it
would be highly preferable to avoid allowing SV certificates that
do not match the SV definition and are indistinguishable from OV
certs. Besides, it appears that in such particular contexts OV
certificates would still meet the need.<o:p></o:p></p>
<p>Looking for endorsers.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 16/10/2023 18:38, Martijn Katerbarg
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">Happy to work with
you on that. I do wonder what the cause and original
intent behind
this was.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">I wonder if the key
lies in the Note added to section 7.1.4.2.5:</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">“</span>Legacy
Generation profiles MAY omit the <code>subject:givenName</code>,
<code>subject:surname</code>, and <code>subject:pseudonym</code>
attributes and include only the <code>subject:commonName</code>
as
described in <a
href="https://github.com/cabforum/smime/blob/main/SBR.md#71422-subject-distinguished-name-fields"
moz-do-not-send="true">
Section 7.1.4.2.2(a)</a>.<span lang="EN-US">”</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Could it be that the original intent here was
that subject:givenName, subject:surname and
subject:pseudonym are
allowed to be left out, <b>only</b> if subject:commonName
was
included <b>and</b> had either the pseudonym or
givenName+surname
in it? <br>
<br>
<br>
</span> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">I
could see that as a possible legacy use case, with the
intent to
deprecate. I’m not sure if any CA needs that use case at
current
though.<br>
<br>
Regards,<br>
<br>
Martijn</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black">From:</span></b>
<span style="font-size:12.0pt;color:black">Smcwg-public
<a href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
on behalf of Adriano Santoni via Smcwg-public <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Date:</b> Monday, 16 October 2023 at 18:09<br>
<b>To:</b> <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>
<a href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender]
Re: Re: SV
certificates devoid of individual attributes</span><o:p></o:p></p>
</div>
<div>
<p>I would suggest an amendment in order to correct this
unintended
result; I'm available to draft a proposal if there
are any
endorsers.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On
16/10/2023
17:17, Dimitris Zacharopoulos via Smcwg-public
wrote:</span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Arial',sans-serif">I
agree
it's not a good thing. The SV profile was to
support certificates
that include attributes of individuals validated
by the Enterprise
RA. Allowing those to be missing, making it
effectively an OV
Certificate, seems like an unintended result.<br>
<br>
Best regards,</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><br>
<br>
<br>
</span> <o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Smcwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Smcwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
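<p>The ambiguity the thread argues about, as an added audit check that is not part of the mailing-list discussion or of the S/MIME Baseline Requirements: a Sponsor-Validated subject that omits givenName, surname and pseudonym (as the Legacy note to Section 7.1.4.2.5 quoted above allows) and carries only an email address in commonName has the same attribute set an OV certificate would. Subject DNs are modelled as attribute/value pairs and the profile (SV or OV) is taken as known; the sample subjects and the organizationIdentifier value are constructed.</p>

```python
import re

# Individual attributes that the Legacy note to Section 7.1.4.2.5 lets a subject omit.
INDIVIDUAL_ATTRS = {"givenName", "surname", "pseudonym"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample subjects as (attribute, value) pairs in certificate order.  The
# profile (SV or OV) is taken as known; a real audit reads it from certificatePolicies.
SV_WITH_PERSON = [("commonName", "Ashish Dhiman"), ("givenName", "Ashish"),
                  ("surname", "Dhiman"), ("organizationName", "Example Corp"),
                  ("organizationIdentifier", "NTRXX-00000000"), ("countryName", "XX")]
SV_EMAIL_CN = [("commonName", "department@example.com"),
               ("organizationName", "Example Corp"),
               ("organizationIdentifier", "NTRXX-00000000"), ("countryName", "XX")]
OV_EMAIL_CN = list(SV_EMAIL_CN)  # an OV subject carrying exactly the same attributes


def attr_values(subject, name):
    return [v for a, v in subject if a == name]


def has_individual_attributes(subject):
    return any(a in INDIVIDUAL_ATTRS for a, _ in subject)


def audit_sv_subject(subject):
    """Findings for a Sponsor-Validated subject DN.

    No givenName/surname/pseudonym plus only an email address in commonName
    leaves no individual identity in the DN: the subject is what an OV cert carries.
    """
    findings = []
    if has_individual_attributes(subject):
        return findings
    cns = attr_values(subject, "commonName")
    if not cns:
        findings.append("no individual attributes and no commonName")
    elif all(EMAIL_RE.match(cn) for cn in cns):
        findings.append("indistinguishable from OV: individual attributes omitted "
                        "and commonName holds only an email address")
    else:
        findings.append("individual identity carried only in commonName (Legacy "
                        "note, 7.1.4.2.5): confirm it is a name or pseudonym")
    return findings


def same_subject_shape(a, b):
    """True when two DNs use the same attribute types in the same order."""
    return [x for x, _ in a] == [x for x, _ in b]
```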
</body>
</html>