[Smcwg-public] email addresses in S/MIME certificates

Buschart, Rufus rufus.buschart at siemens.com
Mon Nov 23 03:16:58 MST 2020


I totally share this opinion. We discussed something like this also in the GitHub repo of the Mozilla Root Store policy: "Clarify S/MIME Validation practices for domains controlled by the CA or an Affiliate" · Issue #196 · mozilla/pkipolicy: https://github.com/mozilla/pkipolicy/issues/196

(posting not in my Siemens role but in my TeleTrust role)

With best regards,
Rufus Buschart

Siemens AG
IT IN COR
Freyeslebenstr. 1
91058 Erlangen, Germany
Tel.: +49 1522 2894134
mailto:rufus.buschart at siemens.com
www.twitter.com/siemens
www.siemens.com

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Wendy Brown - QT3LB-C via Smcwg-public
Sent: Friday, 20 November 2020 15:35
To: Corey Bonnell <Corey.Bonnell at digicert.com>
Cc: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] email addresses in S/MIME certificates

I haven't really thought through the validation aspects yet, but I mainly support an environment where the certs are issued to those affiliated with an organization and the CA has a direct relationship with that organization.  If the DNS portion of the UPN matches the DNS portion of an email that has been validated, I would consider that sufficient if the portion of the UPN in front of the @ was supplied by the organization, which is also responsible for assigning that UPN to the individual.  As others have said, the UPN value is for authentication, not secure email, and at this time may not have to be fully validated to the same level as the email address.  But it should not be prohibited from being included in the certificate, as it may break many current implementations unnecessarily.

thanks,

Wendy

Wendy Brown
Supporting GSA FPKI
Protiviti Government Services

 703-965-2990 (cell)

wendy.brown at gsa.gov
wendy.brown at protiviti.com


On Fri, Nov 20, 2020 at 9:17 AM Corey Bonnell <Corey.Bonnell at digicert.com> wrote:
Hi Wendy,
I realize that we haven’t quite yet discussed the validation processes for SAN entries, but how would you envision such a validation process for UPNs to work if we permit a UPN SAN to not match one of the validated email addresses?

Thanks,
Corey

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Wendy Brown - QT3LB-C via Smcwg-public
Sent: Friday, November 20, 2020 8:07 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] email addresses in S/MIME certificates

Also I do not remember a discussion that the UPN, if present, has to be identical to the email address.  Although I may have missed at least 1 of the calls.  I do not think this is always the case.
Another question is will we allow more than one email address SAN?

thanks,

Wendy

Wendy Brown
Supporting GSA FPKI
Protiviti Government Services

 703-965-2990 (cell)

wendy.brown at gsa.gov
wendy.brown at protiviti.com


On Fri, Nov 20, 2020 at 6:19 AM Dimitris Zacharopoulos (HARICA) via Smcwg-public <smcwg-public at cabforum.org> wrote:

I believe this proposal prohibits directoryName values in the subjectAltName extension. I remember that the intent of the first version of S/MIME requirements was not to prohibit identity information from being included in the Certificate Profile.

Dimitris.
On 20/11/2020 12:11 a.m., Stephen Davidson via Smcwg-public wrote:
To date our discussion related to email addresses in S/MIME has been a general reference to rfc822Name along the lines of:

Extension ID:        subjectAlternateName
Required?:           Yes
Critical:            Yes if the subject is an empty sequence; otherwise, SHOULD NOT be critical
Permitted Value(s):  MUST contain at least one rfc822Name value. MUST NOT contain values of type: dNSName, iPAddress, uniformResourceIdentifier. otherName values (such as Microsoft UPN) MAY be included if the value is identical to an rfc822Name expressed in the SAN extension. Any rfc822Name and otherName value in the Subject DN must be repeated in the SAN extension. Each rfc822Name and otherName value must be verified with publicly documented and audited measures in accordance with Section 3.2.2.
References:          RFC 5280, Section 4.2.1.6

S/MIME and rfc822Name has enjoyed a proliferation of standards which leads to the question:

  *   Do we wish to summarise those rules relating to rfc822Name in this standard or in an informative appendix?
  *   Or do we wish simply to provide a listing of the relevant standards?

If the latter, I believe the most relevant would include RFC 5322 (internet message format, sections 3.2.3 and 3.4.1), RFC 3696 (informational, checking of names), and RFC 8398 (internationalized email addresses).

Missing anything?  Comments?

Best regards, Stephen

RFC 5322: https://tools.ietf.org/html/rfc5322
RFC 3696: https://tools.ietf.org/html/rfc3696
RFC 8398: https://tools.ietf.org/html/rfc8398



_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
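As an added illustration (not code from the list members or the CA/B Forum), the following Python decodes a DER subjectAltName value and checks it against the rules in the draft profile text quoted by Stephen: at least one rfc822Name, no dNSName/iPAddress/uniformResourceIdentifier, a UPN otherName only when identical to an rfc822Name, and Subject DN emails repeated in the SAN. The Microsoft UPN otherName OID (1.3.6.1.4.1.311.20.2.3) is assumed from the usual ASN.1 definition, and the sample SAN bytes are constructed inline.

```python
# Added example (not CA/B Forum or list-member code): decode a DER subjectAltName
# and test it against the draft profile text. Sample SAN bytes are constructed here.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (MS UPN)
FORBIDDEN = {2: "dNSName", 6: "uniformResourceIdentifier", 7: "iPAddress"}

def _tlv(data, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_san(der):
    """GeneralNames SEQUENCE -> list of (kind, value) pairs."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "SAN value must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        num = tag & 0x1F  # context tag number selects the GeneralName choice
        if num == 0:  # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid, p = _tlv(val, 0)
            _, wrapper, _ = _tlv(val, p)
            inner = _tlv(wrapper, 0)[1]  # a UPN value is a UTF8String
            names.append(("UPN", inner.decode()) if oid == UPN_OID else ("otherName", inner))
        elif num == 1:
            names.append(("rfc822Name", val.decode()))
        else:
            names.append((FORBIDDEN.get(num, f"tag{num}"), val))
    return names

def check_profile(names, subject_emails=()):
    """Return the profile violations (an empty list means compliant)."""
    emails = {v for k, v in names if k == "rfc822Name"}
    problems = [] if emails else ["no rfc822Name in SAN"]
    for kind, val in names:
        if kind in FORBIDDEN.values():
            problems.append(f"forbidden type {kind}")
        elif kind == "UPN" and val not in emails:  # MAY appear only if identical
            problems.append(f"UPN {val} does not match an rfc822Name")
    problems += [f"Subject DN email {e} not repeated in SAN"
                 for e in subject_emails if e not in emails]
    return problems
def _enc(tag, body):  # DER TLV with short-form length (< 128 bytes)
    return bytes([tag, len(body)]) + body
def sample_san(upn):  # constructed SAN: rfc822Name alice@example.com + UPN otherName
    other = _enc(0xA0, _enc(0x06, UPN_OID) + _enc(0xA0, _enc(0x0C, upn.encode())))
    return _enc(0x30, _enc(0x81, b"alice@example.com") + other)
```

Feeding `check_profile` the SAN of a real certificate is a matter of extracting the extension's OCTET STRING contents with your X.509 library of choice and passing them to `parse_san`.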
