[Smcwg-public] Sponsored profile overlap

Adriano Santoni adriano.santoni at staff.aruba.it
Thu Aug 5 06:45:25 UTC 2021


+1


On 04/08/2021 20:03, Dimitris Zacharopoulos (HARICA) via Smcwg-public wrote:
>
>
> On 4/8/2021 8:36 PM, Stefan Selbitschka via Smcwg-public wrote:
>> Hi,
>>
>> I want to continue today's discussion about the sponsored validation
>> overlap.
>>
>> From my understanding (till today) we had 4 profiles for different use
>> cases and different validated content in the certificate:
>> - Mailbox -> email must be validated
>> - Organization -> email and organization must be validated
>> - Individual -> email and givenname + surname must be validated
>> - Sponsored -> organization must be validated, email and/or givenname +
>> surname validation may be delegated to sponsor
>>
>> This leads me to this picture
>> (https://next.rundquadrat.at/s/Rx8PXs3bBdyq9Ae) and it was quite clear
>> for me.
>
> Thanks Stefan, this is a nice summary. I would like to echo your 
> concerns and make sure that, as a Working Group, we will find good and 
> secure practices to include in the SMBRs.
>
> With that said, for the "Sponsored" profile, I always thought that 
> ONLY the *individual's name (givenName, surname)* and the "local part" 
> or even sub-domains of the "domain part" (provided that an appropriate 
> Domain Validation Method for wildcards is used) of the emailAddress 
> would be allowed to be delegated by the CA to the Organization to 
> validate. The remaining information associated with the Organization:
>
>   * countryName
>   * stateOrProvinceName
>   * localityName
>   * organizationName
>   * organizationalUnitName (???)
>   * organizationIdentifier
>   * ...more org-related fields...
>   * Base Domain Name (e.g. "example.com")
>
> would be validated by the CA and would have to be re-validated 
> periodically.
>
> That Organization would be allowed to validate the local part under 
> "example.com" and even subdomains (e.g. "sub1.example.com"), and the 
> full name of an individual associated with that Organization.
>
> HARICA would not support rules that would allow a non-audited third 
> party to validate an email address for a Domain Name that has not been 
> validated by an audited CA. Even if this delegation practice is 
> performed by some CAs, it seems to be very insecure for the basic 
> property this WG is trying to protect, the email address in a 
> publicly-trusted S/MIME Certificate. If and when such a Baseline 
> document is adopted, it could have a transition date before CAs 
> comply with it.
>
>
> Dimitris.
>
>> Now that Stephen has pointed out that we could have an organization within a
>> certificate of the individual profile, I get confused.
>>
>> If we now mix an organization into the individual profile I get puzzled:
>> - which countryName will be applied, the country of residence of the
>> individual or the country of jurisdiction of the organization?
>> - are the businessCategory and jurisdiction* fields included in an
>> individual certificate including an organization?
>>
>> Maybe someone can find a better summary of the different profiles for me
>> to solve my confusion?
>>
>> thanks
>>
>> regards
>>
>> stefan
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
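One way to encode the validation split that Stefan and Dimitris describe, as an added Python illustration that is not code from the CA/Browser Forum, HARICA, or any CA. The profile table and the base-domain rule are transcribed from the messages above; the function names, the sample subject, and the treatment of organizationalUnitName (which Dimitris marks with "???") as a CA-validated field are assumptions of this example:

```python
"""Added example: which parts of a Sponsored-profile request an audited CA
must validate itself, and which parts may be delegated to the sponsoring
Organization, following the positions stated in the thread above.
Not CA/Browser Forum, HARICA, or any CA's code."""

# Subject fields that stay with the CA under the Sponsored profile, per
# Dimitris's list. organizationalUnitName is marked "???" in the thread;
# treating it as CA-validated here is an assumption of this example.
CA_VALIDATED_ORG_FIELDS = {
    "countryName", "stateOrProvinceName", "localityName",
    "organizationName", "organizationalUnitName", "organizationIdentifier",
}

# Stefan's four profiles and what each one must have validated.
# For Sponsored, email and/or givenName + surname may be delegated.
PROFILE_REQUIREMENTS = {
    "Mailbox": {"email"},
    "Organization": {"email", "organization"},
    "Individual": {"email", "givenName", "surname"},
    "Sponsored": {"organization"},
}

DELEGABLE_NAME_FIELDS = ("givenName", "surname")


def missing_validations(profile, validated):
    """Return the items a request for `profile` still lacks, given the set of
    items already validated (e.g. {"email", "organization"})."""
    return sorted(PROFILE_REQUIREMENTS[profile] - set(validated))


def covering_base_domain(email, base_domains):
    """Return the CA-validated base domain that covers `email`, or None.

    Per the thread, the sponsoring Organization may confirm the local part and
    subdomains (e.g. "sub1.example.com"), but the base domain itself must have
    been validated by the audited CA.  A bare suffix match is deliberately
    rejected: "example.com.evil.test" is not under "example.com"."""
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    if not local or not domain:
        return None
    domain = domain.lower().rstrip(".")
    for base in base_domains:
        b = base.lower().rstrip(".")
        if domain == b or domain.endswith("." + b):
            return b
    return None


def split_sponsored_request(email, subject, base_domains):
    """Split a Sponsored-profile request into what the CA validates and what
    may be delegated.  `subject` is a dict of X.509 subject attributes.

    Returns a dict with keys "ca_validates", "delegable" and "rejected".
    The email address is rejected outright when no CA-validated base domain
    covers it, matching HARICA's stated position."""
    ca_validates = {k: v for k, v in subject.items() if k in CA_VALIDATED_ORG_FIELDS}
    delegable = {k: v for k, v in subject.items() if k in DELEGABLE_NAME_FIELDS}
    rejected = {}
    base = covering_base_domain(email, base_domains)
    if base is None:
        rejected["emailAddress"] = email
    else:
        ca_validates["baseDomain"] = base
        delegable["emailAddress"] = email
    return {"ca_validates": ca_validates, "delegable": delegable, "rejected": rejected}


if __name__ == "__main__":
    # Constructed sample request; "example.com" is the CA-validated base domain.
    sample_subject = {
        "countryName": "GR",
        "organizationName": "Example Org",
        "organizationIdentifier": "NTRGR-000000000",  # placeholder value
        "givenName": "Alice",
        "surname": "Example",
    }
    print(split_sponsored_request("alice@sub1.example.com", sample_subject, ["example.com"]))
    print(split_sponsored_request("alice@unrelated.test", sample_subject, ["example.com"]))
```

The interesting check is the base-domain match: a plain `endswith("example.com")` would also accept "notexample.com", so the domain part must either equal the validated base or end in a dot followed by it.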