<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><font face="Calibri">Hi Christophe,</font></p>
    <p><font face="Calibri">frankly, it seems obvious to me that an
        email address is not, generally speaking, an individual
        attribute. Would you argue that
        <a class="moz-txt-link-abbreviated" href="mailto:info@example.com">info@example.com</a> is a natural
        person's attribute? It may be so in
        specific cases (for example when it is of the type
        <a class="moz-txt-link-abbreviated" href="mailto:givenname.surname@example.com">givenname.surname@example.com</a> and the email service provider
        applies a rule that ensures proper attribution to users and
        disambiguation of similar names), but it certainly is not so by
        definition.</font></p>
    <p><font face="Calibri">Evidently a natural person (or more likely
        more than one) can have access to the mailbox at an address like
        <a class="moz-txt-link-abbreviated" href="mailto:info@example.com">info@example.com</a>, but it is evident that such an address is not
        specific to any particular natural person in the same sense and
        in the same way in which givenname and surname are attributes of
        a natural person.</font></p>
    <p><font face="Calibri">And no, no intent at all to modify the SV
      profile; quite the opposite: to respect its definition even in the
      legacy case (where among other things, the needs of niche use
      cases can very well be satisfied by OV certificates).</font></p>
    <p><font face="Calibri">Adriano</font></p>
    <p><font face="Calibri"><br>
      </font></p>
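    <p><font face="Calibri">Added example (not code from this list, from the S/MIME Baseline Requirements, or from the pull request under discussion): a small Python check that makes the distinction argued in this thread mechanical. It classifies a certificate Subject as carrying a natural-person attribute (givenName, surname or pseudonym, or, following the "specific cases" above, a commonName mailbox of the form givenname.surname@domain) or as carrying only organisational data, in which case an SV certificate with that Subject cannot be told apart from an OV certificate. The DN parser, the attribute aliases (OpenSSL-style short names such as GN and SN), the personal-mailbox heuristic and the sample Subjects are all assumptions constructed for this example, not rules taken from the S/MIME BR.</font></p>

```python
"""Added example: classify an S/MIME certificate Subject as carrying a
natural-person attribute or as indistinguishable from an OV Subject.
Heuristics and sample data are constructed for this example; they are not
rules from the S/MIME Baseline Requirements."""
import re

# Subject attributes that, when present, directly identify a natural person.
INDIVIDUAL_ATTRS = ("givenName", "surname", "pseudonym")

# Assumed attribute-name aliases (OpenSSL-style short names) for the DN parser.
ATTR_ALIASES = {
    "CN": "commonName",
    "O": "organizationName",
    "OU": "organizationalUnitName",
    "L": "localityName",
    "ST": "stateOrProvinceName",
    "C": "countryName",
    "GN": "givenName",
    "SN": "surname",
    "PSEUDONYM": "pseudonym",
    "ORGANIZATIONIDENTIFIER": "organizationIdentifier",
}

# Constructed heuristics (our assumption): a mailbox whose local part has the
# shape givenname.surname is treated as a personal mailbox; any other local
# part (info, department, sales, ...) is treated as a role mailbox.
MAILBOX_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PERSONAL_LOCAL_RE = re.compile(
    r"^[a-z]+(?:[-'][a-z]+)*\.[a-z]+(?:[-'][a-z]+)*$", re.I
)


def parse_dn(dn):
    """Parse a simple RFC 4514 string ("CN=x,O=y,C=z") into a dict.

    Backslash-escaped commas inside values are handled; multi-valued RDNs and
    hex escapes are out of scope for this example.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.strip().partition("=")
        name = name.strip()
        attrs[ATTR_ALIASES.get(name.upper(), name)] = value.replace("\\,", ",").strip()
    return attrs


def mailbox_kind(cn):
    """Classify a commonName as 'personal-mailbox', 'role-mailbox' or 'not-mailbox'."""
    cn = cn.strip()
    if not MAILBOX_RE.match(cn):
        return "not-mailbox"
    local = cn.rsplit("@", 1)[0]
    return "personal-mailbox" if PERSONAL_LOCAL_RE.match(local) else "role-mailbox"


def classify_subject(subject):
    """Return 'SV' when the Subject carries a natural-person attribute,
    'OV-lookalike' when it carries only organisational data (an SV cert with
    this Subject cannot be told apart from an OV cert), or 'REVIEW' when a
    bare commonName is present that these heuristics cannot judge."""
    if any(subject.get(a) for a in INDIVIDUAL_ATTRS):
        return "SV"
    cn = subject.get("commonName", "")
    if not cn:
        return "OV-lookalike"
    kind = mailbox_kind(cn)
    if kind == "personal-mailbox":
        return "SV"
    if kind == "role-mailbox":
        return "OV-lookalike"
    # A non-mailbox CN that merely repeats the organisation name adds nothing.
    org = subject.get("organizationName", "")
    if cn.strip().casefold() == org.strip().casefold():
        return "OV-lookalike"
    return "REVIEW"


def lint_dns(dns):
    """Run the check over a list of DN strings; return {dn: verdict}."""
    return {dn: classify_subject(parse_dn(dn)) for dn in dns}


# Constructed sample Subjects (not taken from any real certificate).
SAMPLE_DNS = [
    "CN=info@example.com,O=Example Corp,L=Rome,C=IT",
    "CN=givenname.surname@example.com,O=Example Corp,C=IT",
    "CN=Jane Doe,GN=Jane,SN=Doe,O=Example Corp,C=IT",
    "CN=Example Corp,O=Example Corp,C=IT",
    "CN=Jane Doe,O=Example Corp,C=IT",
    "CN=department@example.com,O=Example\\, Inc.,C=US",
]

if __name__ == "__main__":
    for dn, verdict in lint_dns(SAMPLE_DNS).items():
        print(f"{verdict:13} {dn}")
```

    <p><font face="Calibri">A CA's pre-issuance linter could run classify_subject over every SV request and refuse, or route to manual review, anything that returns OV-lookalike; the REVIEW verdict marks bare commonNames that the heuristics cannot judge, which is exactly the case that the note in Section 7.1.4.2.5 quoted further down in this thread leaves open.</font></p>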
    <div class="moz-cite-prefix">Il 24/10/2023 09:25, Christophe Bonjean
      ha scritto:<br>
    </div>
    <blockquote type="cite"
cite="mid:PSAPR03MB571786660F698C69B53DF626E5DFA@PSAPR03MB5717.apcprd03.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif">Hi Adriano,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif">From your
            proposed change, it seems that you are not considering a
            mailbox address as an individual (natural person) attribute?
            Could you provide some context on that?<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif">We should
            also keep in mind the initial purpose of the legacy profile.
            Even though the suggestion of using an OV profile for
            CN=email, O=Company might be sensible, we’re still
            fundamentally modifying the legacy SV profile.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="font-family:'Arial',sans-serif">Christophe<o:p></o:p></span></p>
        <div>
          <div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
                style="font-size:11.0pt"> Smcwg-public
                <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a> <b>On Behalf
                  Of </b>Adriano Santoni via Smcwg-public<br>
                <b>Sent:</b> Friday, October 20, 2023 10:33 AM<br>
                <b>To:</b> Ashish Dhiman
                <a class="moz-txt-link-rfc2396E" href="mailto:ashish.dhiman@globalsign.com"><ashish.dhiman@globalsign.com></a>; SMIME Certificate
                Working Group <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a>; Martijn
                Katerbarg <a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a><br>
                <b>Subject:</b> Re: [Smcwg-public] [External Sender] RE:
                Re: Re: Re: SV certificates devoid of individual
                attributes<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p>Ashish,<o:p></o:p></p>
        <p>my intent would not be to prohibit anything, but rather to
          make two types of certificates (OV, SV) distinguishable that
          otherwise are not, and to make the S/MIME baseline
          requirements consistent with the definition of
          Sponsor-Validated.<br>
          <br>
          Furthermore, I don't understand why what I'm proposing could
          cause problems for those who need, for their legacy use case,
          S/MIME certificates that simultaneously contain
          Subject.organizationName AND <i>any type </i>of email
          address in the Subject.commonName (like <a
            href="mailto:department@example.com" moz-do-not-send="true"
            class="moz-txt-link-freetext">department@example.com</a> or
          <a href="mailto:ashish.dhiman@globalsign.com"
            moz-do-not-send="true" class="moz-txt-link-freetext">ashish.dhiman@globalsign.com</a>
          to quote your examples), plus of course locality and
          organizationIdentifier. In fact, in such use case you can very
          well use OV-type S/MIME certificates. Don't you?<o:p></o:p></p>
        <p>Adriano<o:p></o:p></p>
        <p><o:p> </o:p></p>
        <div>
          <p class="MsoNormal">Il 20/10/2023 10:20, Ashish Dhiman ha
            scritto:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal" style="text-align:center" align="center"><span
              style="font-size:11.0pt"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
              style="font-size:11.0pt">Respected: CA/B – S/MIME Forum
              Members.  </span><o:p></o:p></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
              style="font-size:11.0pt">I feel the problem that we are
              trying to solve by prohibiting email address from CN in
              Legacy will only make things complex rather than solve it.
              During our discussion, the intent for legacy always was
              to have minimum impact on existing practices and give time
              for the wider industry to move to the multipurpose or strict
              profile. I feel we are defeating the whole purpose of
              legacy with the suggested change, as I am trying to understand
              how eliminating email address from CN will help us
              differentiate a sponsor profile from organization profile.
              As, technically, people can still use <a
                href="mailto:department@example.com" target="_blank"
                title="mailto:department@example.com"
                moz-do-not-send="true" class="moz-txt-link-freetext">department@example.com</a>
              in sponsor profile as email address and also use <a
                href="mailto:ashish.dhiman@globalsign.com"
                target="_blank"
                title="mailto:ashish.dhiman@globalsign.com"
                moz-do-not-send="true" class="moz-txt-link-freetext">ashish.dhiman@globalsign.com</a>
              in Organization Profile as email address.</span><o:p></o:p></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
              style="font-size:11.0pt">On the other hand, this change
              will also deviate from current practices for CN use for
              legacy use cases. Also, during implementation, we see that in
              most of the cases the email addresses used in Sponsor profiles
              are correct. </span><o:p></o:p></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
              style="font-size:11.0pt">I think removing email in CN
              makes legacy no longer like legacy and seems to make it
              stricter than multi and strict, where it's allowed. There is
              also no indication that the intent for changes will be
              achieved without mandatory use of Given Name and Surname
              in the Legacy profile, which is again a big change considering
              the legacy intent, and makes these profiles similar to the multi
              and strict version. Overall, this change seems to defeat
              its goal of supporting the wider ecosystem for a while. </span><o:p></o:p></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
              style="font-size:11.0pt">Ashish</span><o:p></o:p></p>
          <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
          <div>
            <div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
              <p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b>
                <span style="font-size:11.0pt">Smcwg-public <a
                    href="mailto:smcwg-public-bounces@cabforum.org"
                    moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
                  <b>On Behalf Of</b> Adriano Santoni via Smcwg-public<br>
                  <b>Sent:</b> Thursday, October 19, 2023 5:00 PM<br>
                  <b>To:</b> Martijn Katerbarg <a
                    href="mailto:martijn.katerbarg@sectigo.com"
                    moz-do-not-send="true"><martijn.katerbarg@sectigo.com></a>;
                  SMIME Certificate Working Group <a
                    href="mailto:smcwg-public@cabforum.org"
                    moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
                  <b>Subject:</b> Re: [Smcwg-public] [External Sender]
                  Re: Re: Re: SV certificates devoid of individual
                  attributes</span><o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"> <o:p></o:p></p>
          <p>I have created the pull request below. <o:p></o:p></p>
          <p><a href="https://github.com/cabforum/smime/pull/218"
              moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/smime/pull/218</a><o:p></o:p></p>
          <p>Even if there exist some niche legacy use cases, I
            believe it would be highly preferable to avoid allowing SV
            certificates that do not match the SV definition and are
            indistinguishable from OV certs. Besides, it appears that in
            such particular contexts OV certificates would still meet
            the need.<o:p></o:p></p>
          <p>Looking for endorsers.<o:p></o:p></p>
          <p>Adriano<o:p></o:p></p>
          <p> <o:p></o:p></p>
          <div>
            <p class="MsoNormal">Il 16/10/2023 18:38, Martijn Katerbarg
              ha scritto:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p class="MsoNormal"><span style="font-size:11.0pt">Happy to
                work with you on that. I do wonder what the cause and
                original intent behind this was.</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">I wonder
                if the key lies in the Note added to section 7.1.4.2.5:</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">“</span>Legacy
              Generation profiles MAY omit the <code>subject:givenName</code>,
              <code>subject:surname</code>, and <code>subject:pseudonym</code>
              attributes and include only the <code>subject:commonName</code>
              as described in <a
href="https://github.com/cabforum/smime/blob/main/SBR.md#71422-subject-distinguished-name-fields"
                moz-do-not-send="true">Section 7.1.4.2.2(a)</a>.”<o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">Could it
                be that the original intent here was that
                subject:givenName, subject:surname and subject:pseudonym
                are allowed to be left out, <b>only</b> if
                subject:commonName was included <b>and</b> had either
                the pseudonym or givenName+surname in it?
              </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">I could
                see that as a possible legacy use case, with the intent
                to deprecate. I’m not sure if any CA needs that use case
                at current though.<br>
                <br>
                Regards,<br>
                <br>
                Martijn</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <div id="mail-editor-reference-message-container">
              <div>
                <div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
                  <p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
                        style="font-size:12.0pt;color:black">From:</span></b>
                    <span style="font-size:12.0pt;color:black">Smcwg-public
                      <a href="mailto:smcwg-public-bounces@cabforum.org"
                        moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
                      on behalf of Adriano Santoni via Smcwg-public <a
                        href="mailto:smcwg-public@cabforum.org"
                        moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
                      <b>Date:</b> Monday, 16 October 2023 at 18:09<br>
                      <b>To:</b> <a
                        href="mailto:smcwg-public@cabforum.org"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>
                      <a href="mailto:smcwg-public@cabforum.org"
                        moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
                      <b>Subject:</b> Re: [Smcwg-public] [External
                      Sender] Re: Re: SV certificates devoid of
                      individual attributes</span><o:p></o:p></p>
                </div>
                <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
                <div>
                  <p>I would suggest an amendment in order to correct
                    this unintended result; I'm available to draft a
                    proposal if there are any endorsers.<o:p></o:p></p>
                  <p>Adriano<o:p></o:p></p>
                  <p> <o:p></o:p></p>
                  <div>
                    <p class="MsoNormal"><span style="font-size:11.0pt">Il
                        16/10/2023 17:17, Dimitris Zacharopoulos via
                        Smcwg-public ha scritto:</span><o:p></o:p></p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <p class="MsoNormal" style="text-align:center"
                      align="center"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
                    <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Arial',sans-serif">I
                          agree it's not a good thing. The SV profile
                          was to support certificates that include
                          attributes of individuals validated by the
                          Enterprise RA. If we allow those to be
                          missing, making it effectively an OV
                          Certificate, seems like an unintended result.<br>
                          <br>
                          Best regards,</span><o:p></o:p></p>
                    </div>
                    <p class="MsoNormal"><span style="font-size:11.0pt"><br>
                        <br>
                        <br>
                        <br>
                      </span><o:p></o:p></p>
                    <pre>_______________________________________________<o:p></o:p></pre>
                    <pre>Smcwg-public mailing list<o:p></o:p></pre>
                    <pre><a href="mailto:Smcwg-public@cabforum.org"
                    moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
                    <pre><a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
                    moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </blockquote>
      </div>
    </blockquote>
  </body>
</html>