<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Christophe, please allow me to jump into the conversation.<br>
<br>
According to the early discussions and the intent of the Sponsored
Validated profile, the SV (Enterprise RA) is only allowed to
validate the identity of the individual, even for the legacy
profile, and add that information in the S/MIME Certificate under
the SV-Legacy profile.<br>
<br>
Your use case does not include any identity information of an
individual in the final SV-legacy end-entity S/MIME Certificate.
Identity information (first and last name) can be conveyed only via
the specific attributes in the subject of the certificate, namely
givenName, surname and commonName. If the CA chooses to use the
commonName attribute to include the identity of the individual
associated with an organization (sponsor), then the CA should add
"John Doe" in the commonName, that's ok. However, if the CA wants to
use the commonName attribute to include an email address to convey
the identity information, then I believe this can be challenged
because it will be very difficult to find an official name in an
official identity document with the value <a class="moz-txt-link-rfc2396E" href="mailto:john.doe@example.com">"john.doe@example.com"</a>.<br>
<br>
With that said, I agree with Adriano that a certificate with a
subject of "C=XX, O=Example Inc., <a class="moz-txt-link-abbreviated" href="mailto:CN=john.doe@example.com">CN=john.doe@example.com</a>" does not
match the expectations of the Sponsored Validation profile because
the Sponsor has no identity to validate :)<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
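To make the distinction concrete, here is an added example (not from this thread, nor from the S/MIME Baseline Requirements or any CA's tooling) of a small lint that takes a subject DN string and reports whether a certificate issued under the Sponsored Validation profile actually names an individual. The DN parser, the mailbox-address pattern and the profile labels are my own assumptions; the rule that a commonName holding only a mailbox address identifies no individual is the argument made above, not normative text.<br>

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Subject attribute types discussed in the thread. "CN" and "commonName" are
# treated as the same attribute because both spellings appear in the thread.
IDENTITY_ATTRS = ("givenName", "surname", "pseudonym")
# Constructed, deliberately simple mailbox-address pattern (assumption: good
# enough to tell "john.doe@example.com" from "John Doe"; not RFC 5322).
MAILBOX_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_subject(dn: str) -> Dict[str, str]:
    """Hypothetical helper: split 'C=XX, O=Example Inc., CN=...' into a dict.
    It ignores escaped commas and multi-valued RDNs, which real DNs can have."""
    subject: Dict[str, str] = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr:
            subject[attr.strip()] = value.strip()
    return subject


@dataclass
class Finding:
    profile: str                        # "SV", "SV-legacy", "OV-like" or "n/a"
    individual_identity: Optional[str]  # how the individual is named, or None
    note: str


def lint_sponsor_validated(dn: str) -> Finding:
    """Report whether a subject that claims the SV profile really identifies an
    individual. The rules encode the thread's reading of the profile, not the
    normative text of the S/MIME Baseline Requirements."""
    s = parse_subject(dn)
    if "O" not in s and "organizationName" not in s:
        return Finding("n/a", None, "no organizationName: neither SV nor OV")
    # Explicit individual attributes validated by the Enterprise RA.
    if "givenName" in s and "surname" in s:
        return Finding("SV", f"{s['givenName']} {s['surname']}",
                       "givenName and surname present")
    if "pseudonym" in s:
        return Finding("SV", s["pseudonym"], "pseudonym present")
    # Legacy note in 7.1.4.2.5: givenName/surname/pseudonym MAY be omitted and
    # only commonName included. Per the thread, that only preserves the SV
    # meaning if commonName carries the person's name, not a mailbox address.
    cn = s.get("CN") or s.get("commonName")
    if cn and not MAILBOX_RE.match(cn):
        return Finding("SV-legacy", cn, "commonName carries the individual's name")
    if cn:
        return Finding("OV-like", None,
                       "commonName is a mailbox address: no individual to validate")
    return Finding("OV-like", None, "no individual attributes at all")


if __name__ == "__main__":
    # Constructed sample subjects, including the one quoted in the thread.
    for dn in ("C=XX, O=Example Inc., CN=john.doe@example.com",
               "C=XX, O=Example Inc., CN=John Doe",
               "C=XX, O=Example Inc., givenName=John, surname=Doe, CN=john.doe@example.com"):
        print(dn, "->", lint_sponsor_validated(dn))
```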
<div class="moz-cite-prefix">On 24/10/2023 11:14 a.m., Christophe
Bonjean via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018b60c04ab3-6686cf28-c933-422e-9676-4662c322077f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">Hi Adriano,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">There’s no
definition to support that a mailbox address is an
individual attribute in all cases, but as you indicated
there are circumstances where it is (i.e. if the Subscriber
or the Enterprise RA assert this is a mailbox address for an
individual). I'm not convinced that this is sufficient
reason to ban it completely.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">Although
the purpose might be to align with the definition, we are
changing the permitted contents of the CommonName, which is
a significant change. I also think it’s up to the wider
community to indicate whether this is a niche use case,
before we consider this a fact.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">Can we put
this on the agenda for further discussion?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">Christophe<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Adriano Santoni
<a class="moz-txt-link-rfc2396E" href="mailto:adriano.santoni@staff.aruba.it"><adriano.santoni@staff.aruba.it></a> <br>
<b>Sent:</b> Tuesday, October 24, 2023 9:43 AM<br>
<b>To:</b> Christophe Bonjean
<a class="moz-txt-link-rfc2396E" href="mailto:christophe.bonjean@globalsign.com"><christophe.bonjean@globalsign.com></a>; SMIME
Certificate Working Group
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org"><smcwg-public@cabforum.org></a>; Ashish Dhiman
<a class="moz-txt-link-rfc2396E" href="mailto:ashish.dhiman@globalsign.com"><ashish.dhiman@globalsign.com></a>; Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a><br>
<b>Subject:</b> Re: [External Sender] RE: [Smcwg-public]
RE: Re: Re: Re: SV certificates devoid of individual
attributes<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Christophe,<o:p></o:p></p>
<p>frankly, it seems obvious to me that an email address is not,
generally speaking, an individual attribute. Would you argue
that <a href="mailto:info@example.com" moz-do-not-send="true"
class="moz-txt-link-freetext">info@example.com</a> is a
natural person's attribute? It may be so in specific cases
(for example when it is of the type <a
href="mailto:givenname.surname@example.com"
moz-do-not-send="true" class="moz-txt-link-freetext">givenname.surname@example.com</a>
and the email service provider applies a rule that ensures
proper attribution to users and disambiguation of similar
names), but it certainly is not so by definition. <o:p></o:p></p>
<p>Evidently a natural person (or more likely more than one) can
have access to the mailbox at an address like <a
href="mailto:info@example.com" moz-do-not-send="true"
class="moz-txt-link-freetext">info@example.com</a>, but it
is evident that such address is not specific to any particular
natural person in the same sense and in the same way in which
givenname and surname are attributes of a natural person.<o:p></o:p></p>
<p class="MsoNormal">And no, no intent at all to modify the SV
profile; quite the opposite: to respect its definition even in
the legacy case (where among other things, the needs of niche
use cases can very well be satisfied by OV certificates).<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 24/10/2023 09:25, Christophe Bonjean
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">Hi
Adriano,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">From your
proposed change, it seems that you are not considering a
mailbox address as an individual (natural person)
attribute? Could you provide some context on that?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">We should
also keep in mind the initial purpose of the legacy
profile. Even though the suggestion of using an OV profile
for CN=email, O=Company might be sensible, we’re still
fundamentally modifying the legacy SV profile.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif">Christophe</span><o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Smcwg-public <a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Friday, October 20, 2023 10:33 AM<br>
<b>To:</b> Ashish Dhiman <a
href="mailto:ashish.dhiman@globalsign.com"
moz-do-not-send="true"><ashish.dhiman@globalsign.com></a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a>;
Martijn Katerbarg <a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"><martijn.katerbarg@sectigo.com></a><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender]
RE: Re: Re: Re: SV certificates devoid of individual
attributes</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>Ashish,<o:p></o:p></p>
<p>my intent would not be to prohibit anything, but rather to
make two types of certificates (OV, SV) distinguishable that
otherwise are not, and to make the S/MIME baseline
requirements consistent with the definition of
Sponsor-Validated.<br>
<br>
Furthermore, I don't understand why what I'm proposing could
cause problems for those who need, for their legacy use
case, S/MIME certificates that simultaneously contain
Subject.organizationName AND <i>any type </i>of email
address in the Subject.commonName (like <a
href="mailto:department@example.com"
moz-do-not-send="true" class="moz-txt-link-freetext">department@example.com</a>
or <a href="mailto:ashish.dhiman@globalsign.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ashish.dhiman@globalsign.com</a>
to quote your examples), plus of course locality and
organizationIdentifier. In fact, in such a use case you can
very well use OV-type S/MIME certificates. Don't you?<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 20/10/2023 10:20, Ashish Dhiman
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="text-align:center"
align="center"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">Respected: CA/B – S/MIME Forum
Members. </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">I feel the problem that we are
trying to solve by prohibiting email address from CN in
Legacy will only make things complex rather than solve
it. During our discussion, the intent for legacy, always
was to have minimum impact on existing practices and
give time for wider industry to move to multipurpose or
strict profile. I feel we are defeating the whole
purpose of legacy with the suggested change, as I am trying
to understand how eliminating email address from CN
will help us differentiate a sponsor profile from
organization profile, as, technically, people can still
use <a href="mailto:department@example.com"
target="_blank" title="mailto:department@example.com"
moz-do-not-send="true" class="moz-txt-link-freetext">department@example.com</a>
in sponsor profile as email address and also use <a
href="mailto:ashish.dhiman@globalsign.com"
target="_blank"
title="mailto:ashish.dhiman@globalsign.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ashish.dhiman@globalsign.com</a>
in Organization Profile as email address.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">On the other hand, this change
will also deviate from current practices for CN use for
legacy use cases. Also, during implementation, we see that in
most cases the email addresses used in Sponsor
profiles are correct. </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">I think removing email in CN
makes legacy no longer like legacy and seems to make it
stricter than multi and strict, where it's allowed. There
is also no indication that the intent of the changes will
be achieved without mandatory use of Given Name and
Surname in the Legacy profile, which is again a big change
considering the legacy intent, and would make these profiles
similar to the multi and strict versions. Overall, this
change seems to defeat its goal of supporting the wider
ecosystem for a while. </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt">Ashish</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b>
<span style="font-size:11.0pt">Smcwg-public <a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
<b>On Behalf Of</b> Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Thursday, October 19, 2023 5:00 PM<br>
<b>To:</b> Martijn Katerbarg <a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"><martijn.katerbarg@sectigo.com></a>;
SMIME Certificate Working Group <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender]
Re: Re: Re: SV certificates devoid of individual
attributes</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>I have created the pull request below. <o:p></o:p></p>
<p><a href="https://github.com/cabforum/smime/pull/218"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/smime/pull/218</a><o:p></o:p></p>
<p>Even if there exist some niche legacy use cases, I
believe it would be highly preferable to avoid allowing SV
certificates that do not match the SV definition and are
indistinguishable from OV certs. Besides, it appears that
in such particular contexts OV certificates would still
meet the need.<o:p></o:p></p>
<p>Looking for endorsers.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 16/10/2023 18:38, Martijn
Katerbarg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt">Happy
to work with you on that. I do wonder what the cause
and original intent behind this was.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I
wonder if the key lies in the Note added to section
7.1.4.2.5:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">“</span>Legacy
Generation profiles MAY omit the <code>subject:givenName</code>,
<code>subject:surname</code>, and <code>subject:pseudonym</code>
attributes and include only the <code>subject:commonName</code>
as described in <a
href="https://github.com/cabforum/smime/blob/main/SBR.md#71422-subject-distinguished-name-fields"
moz-do-not-send="true">Section 7.1.4.2.2(a)</a>.”<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Could
it be that the original intent here was that
subject:givenName, subject:surname and
subject:pseudonym are allowed to be left out, <b>only</b>
if subject:commonName was included <b>and</b> had
either the pseudonym or givenName+surname in it? <br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I
could see that as a possible legacy use case, with the
intent to deprecate. I’m not sure if any CA currently needs that
use case though.<br>
<br>
Regards,<br>
<br>
Martijn</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black">From:</span></b>
<span style="font-size:12.0pt;color:black">Smcwg-public
<a
href="mailto:smcwg-public-bounces@cabforum.org" moz-do-not-send="true"><smcwg-public-bounces@cabforum.org></a>
on behalf of Adriano Santoni via Smcwg-public <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Date:</b> Monday, 16 October 2023 at 18:09<br>
<b>To:</b> <a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>
<a href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true"><smcwg-public@cabforum.org></a><br>
<b>Subject:</b> Re: [Smcwg-public] [External
Sender] Re: Re: SV certificates devoid of
individual attributes</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<p>I would suggest an amendment in order to correct
this unintended result; I'm available to draft a
proposal if there are any endorsers.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">On 16/10/2023 17:17,
Dimitris Zacharopoulos via Smcwg-public
wrote:</span><o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="text-align:center"
align="center"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif">I
agree it's not a good thing. The SV profile
was to support certificates that include
attributes of individuals validated by the
Enterprise RA. If we allow those to be
missing, making it effectively an OV
Certificate, that seems like an unintended
result.<br>
<br>
Best regards,</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt"><br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Smcwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Smcwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</div>
</div>
</blockquote>
</blockquote>
</blockquote>
</div>
<br>
</blockquote>
<br>
</body>
</html>