[Smcwg-public] Sponsored profile overlap

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Aug 4 18:03:40 UTC 2021



On 4/8/2021 8:36 p.m., Stefan Selbitschka via Smcwg-public wrote:
> Hi,
>
> I want to continue our today's discussion about the sponsored validation
> overlap.
>
> From my understanding (till today) we had 4 profiles for different use
> cases and different validated content in the certificate:
> - Mailbox -> email must be validated
> - Organization -> email and organization must be validated
> - Individual -> email and givenname + surname must be validated
> - Sponsored -> organization must be validated, email and/or givenname +
> surname validation may be delegated to sponsor
>
> This leads me to this picture
> (https://next.rundquadrat.at/s/Rx8PXs3bBdyq9Ae) and it was quite clear
> for me.

Thanks Stefan, this is a nice summary. I would like to echo your 
concerns and make sure that, as a Working Group, we will find good and 
secure practices to include in the SMBRs.

With that said, for the "Sponsored" profile, I always thought that ONLY 
the *individual's name (givenName, surname)* and the "local part" or 
even sub-domains of the "domain part" (provided that an appropriate 
Domain Validation Method for wildcards is used) of the emailAddress 
would be allowed to be delegated by the CA to the Organization to 
validate. The remaining information associated with the Organization:

  * countryName
  * stateOrProvinceName
  * localityName
  * organizationName
  * organizationalUnitName (???)
  * organizationIdentifier
  * ...more org-related fields...
  * Base Domain Name (e.g. "example.com")

would be validated by the CA and would have to be re-validated periodically.

That Organization would be allowed to validate the local part under 
"example.com" and even subdomains (e.g. "sub1.example.com"), and the 
full name of an individual associated with that Organization.

HARICA would not support rules that would allow a non-audited third 
party to validate an email address for a Domain Name that has not been 
validated by an audited CA. Even if this delegation practice is 
performed by some CAs, it seems to be very insecure for the basic 
property this WG is trying to protect, the email address in a 
publicly-trusted S/MIME Certificate. If and when such a Baseline 
document is adopted, it could have a transition date before CAs comply 
with it.


Dimitris.

>
> Now that Stephen pointed out that we could have an organization within a
> certificate of the individual profile, I get confused.
>
> If we are now mixing an organization into the individual profile, I am puzzled:
> - which countryName will be applied, the country of residence of the
> individual or the country of jurisdiction of the organization?
> - are the businessCategory and jurisdiction* fields included in an
> individual certificate including an organization?
>
> Maybe someone can find a better summary of the different profiles for me
> to solve my confusion?
>
> thanks
>
> regards
>
> stefan
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
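
As an added illustration (not code from the thread or from any CA), the following models the "Sponsored" delegation rule Dimitris describes: the CA itself validates the Organization's base domain, and the sponsoring Organization may only vouch for the local part, plus sub-domains when the CA validated the base domain with a method that also covers wildcards. The domain names and the `wildcard_ok` flag are constructed inputs.

```python
# Added example: a CA-side policy check for the "Sponsored" profile.
# The CA validates the base domain; the sponsor may only be delegated the
# local part and (if the CA's validation method covered wildcards) sub-domains.
# The validated-domain table and the e-mail addresses are constructed inputs.

def _normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot; DNS names are case-insensitive."""
    return domain.strip().rstrip(".").lower()


def delegation_allowed(email: str, ca_validated: dict[str, bool]) -> bool:
    """True if a sponsor may validate `email` on the CA's behalf.

    `ca_validated` maps a base domain the CA validated itself to whether the
    validation method used also covers sub-domains (wildcard scope).
    """
    if email.count("@") != 1:
        return False
    local_part, domain = email.split("@")
    domain = _normalize_domain(domain)
    labels = domain.split(".")
    if not local_part or not domain or any(label == "" for label in labels):
        return False
    for base, wildcard_ok in ca_validated.items():
        base = _normalize_domain(base)
        if domain == base:
            return True                      # only the local part is delegated
        # Require the dot so "notexample.com" never matches "example.com".
        if wildcard_ok and domain.endswith("." + base):
            return True                      # sub-domain of a wildcard-validated base
    return False                             # domain never validated by the CA


# Constructed table: example.com was validated with a wildcard-capable
# method, example.org only for the exact domain.
CA_VALIDATED = {"example.com": True, "example.org": False}

if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@sub1.example.com",
                 "carol@notexample.com", "erin@sub.example.org"):
        print(addr, delegation_allowed(addr, CA_VALIDATED))
```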
