[Smcwg-public] email addresses in S/MIME certificates

Doug Beattie doug.beattie at globalsign.com
Fri Nov 20 07:08:44 MST 2020

Mozilla’s email validation policy does not  apply to the UPN and since this is used for authentication, not secure mail, I hope we can keep it that way in this spec.




I think we should permit more than 1 email address in the SAN for those customer that have multiple aliases.  For me, doug.beattie and douglas.beattie are both supported, and I know that come companies periodically change the domain for their employees.  For example, I’ve noticed that Entrust is using a mix of entrustdatacard.com and entrust.com.


I’d recommend that we permit a max of one email address in the certificate subject DN, but multiple in the SAN:RFC822




From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Wendy Brown - QT3LB-C via Smcwg-public
Sent: Friday, November 20, 2020 8:07 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] email addresses in S/MIME certificates


Also I do not remember a discussion that the UPN, if present, has to be identical to the email address.  Although I may have missed at least 1 of the calls.  I do not think this is always the case.

Another question is will we allow more than one email address SAN?




Wendy Brown
Supporting GSA FPKI
Protiviti Government Services

 703-965-2990 (cell)

 <mailto:wendy.brown at gsa.gov> wendy.brown at gsa.gov
wendy.brown at protiviti.com <mailto:wendy.brown at protiviti.com> 



On Fri, Nov 20, 2020 at 6:19 AM Dimitris Zacharopoulos (HARICA) via Smcwg-public <smcwg-public at cabforum.org <mailto:smcwg-public at cabforum.org> > wrote:

I believe this proposal prohibits directoryName values in the subjectAltName extention. I remember that the intent of the first version of S/MIME requirements was not to prohibit identity information to be included in the Certificate Profile.


On 20/11/2020 12:11 π.μ., Stephen Davidson via Smcwg-public wrote:

To date our discussion related to email addresses in S/MIME has been a general reference to rfc822Name along the lines of:


Extension ID:                      subjectAlternateName

Required?:                          Yes

Critical:                                 Yes if the subject is an empty sequence; otherwise, SHOULD NOT be critical

Permitted Value(s):        MUST contain at least one rfc822Name value. MUST NOT contain values of type: dNSName, iPAddress, uniformResourceIdentifier. otherName values (such as Microsoft UPN) MAY be included if the value is identical to an rfc822Name expressed in the SAN extension. Any rfc822Name and otherName value in the Subject DN must be repeated in the SAN extension.  Each rfc822Name and otherName value must be verified with publicly documented and audited measures in accordance with Section 3.2.2.

References:                        RFC 5280, Section


S/MIME and rfc822Name has enjoyed a proliferation of standards which leads to the question:

*	Do we wish to summarise those rules relating to rfc822Name in this standard or in an informative appendix?
*	Or do wish simply to provide a listing of the relevant standards?


If the latter, I believe the most relevant would include RFC 5322 (internet message format, sections 3.2.3 and 3.4.1), RFC 3696 (informational, checking of names), and RFC 8398 (internationalized email addresses).


Missing anything?  Comments?


Best regards, Stephen


RFC 5322: https://tools.ietf.org/html/rfc5322

RFC 3696: https://tools.ietf.org/html/rfc3696

RFC 8398: https://tools.ietf.org/html/rfc8398



Smcwg-public mailing list
Smcwg-public at cabforum.org <mailto:Smcwg-public at cabforum.org> 


Smcwg-public mailing list
Smcwg-public at cabforum.org <mailto:Smcwg-public at cabforum.org> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20201120/bcfb49c9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5708 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20201120/bcfb49c9/attachment-0001.p7s>

More information about the Smcwg-public mailing list