[Smcwg-public] Sponsored profile overlap

Wiedenhorst, Matthias M.Wiedenhorst at tuvit.de
Thu Aug 5 07:39:40 UTC 2021


Dear all,

I share the confusion expressed by Stefan as well.

To sort this out, I would strongly suggest separating the discussion according to the following areas:

1. Certificate Profile => Which content must be present, must not be present or may be present for a certain type of certificate.
Profile definition should be based e.g. on the use case (e.g. signature, encryption, ...) and/or the "type" of the subject.
The profiles currently foreseen by this WG are:
- Mailbox only ("Mailbox")
- Natural person ("Individual")
- Legal person ("Organisation")
- Natural person associated with a legal person ("Sponsored")
These unsurprisingly already match the typical subject types and, for example, also the definition of possible subjects given in ETSI EN 319 411-1.
In my opinion it should be up to the CA whether they want to sell all of these profiles on a retail basis or if some are only available through Enterprise RAs. But maybe in that case, "Sponsored" is not the very best name for that profile anymore...

2. Content Validation => What are the accepted methods to validate a certain type of content
This part is hopefully rather clear. Acceptable validation methods need to be specified.

3. Acceptable registration authorities => Who may perform the validation
I think the main question here would be which parts of the validation, and maybe even which of the generally accepted methods, may be performed by an (un-audited) Enterprise RA. The typical scenario I see in practice is that such Enterprise RAs have a certain CA-validated scope (e.g. Organization Name and Information, Domain names) and may only act within that validated scope (validation of mailboxes under their domain names, natural persons associated with the organizations). But within that scope, they want to be able to issue certificates according to many or even all profiles defined above. Hence it might not be desirable to limit them only to, let's say, certificates for "natural persons associated with an organisation".
I don't remember ever having seen a CA allow Enterprise RAs to validate arbitrary users or mailboxes and, speaking personally, I don't think this should be allowed.


Best regards
Matthias

-----Original Message-----
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Stefan Selbitschka via Smcwg-public
Sent: Wednesday, 4 August 2021 19:36
To: smcwg-public <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Sponsored profile overlap

Hi,

I want to continue today's discussion about the sponsored validation overlap.

From my understanding (until today) we had 4 profiles for different use cases and different validated content in the certificate:
- Mailbox -> email must be validated
- Organization -> email and organization must be validated
- Individual -> email and givenname + surname must be validated
- Sponsored -> organization must be validated, email and/or givenname + surname validation may be delegated to sponsor

This leads me to this picture
(https://next.rundquadrat.at/s/Rx8PXs3bBdyq9Ae) and it was quite clear for me.

Now that Stephen has pointed out that we could have an organization within a certificate of the individual profile, I get confused.

If we now mix an organization into the individual profile, I get puzzled:
- which countryName will be applied, the country of residence of the individual or the country of jurisdiction of the organization?
- are the businessCategory and jurisdiction* fields included in an individual certificate including an organization?

Maybe someone can find a better summary of the different profiles for me to solve my confusion?

thanks

regards

stefan
_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
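The overlap Stefan describes can be made concrete by encoding the four draft profiles as sets of required and forbidden subject contents and asking which profiles a given certificate's contents satisfy. The following is an added example, not code from either message or from the CA/Browser Forum; the minimum contents per profile are taken from Stefan's list above, while the modelling of a certificate as a dict of X.520 short-name subject attributes (O, GN, SN, C) plus a tuple of rfc822Name SAN entries, and the names SubjectInfo, features and matching_profiles, are assumptions for illustration.

```python
"""Which draft S/MIME profiles does a given certificate's content satisfy?

Added example, not part of the original mailing-list thread. The per-profile
requirements come from Stefan's list in the thread; the data model and all
names below are assumptions made for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SubjectInfo:
    """Assumed minimal model of certificate content: subject DN attributes
    keyed by X.520 short name, plus rfc822Name entries from the SAN."""
    attributes: dict = field(default_factory=dict)
    emails: tuple = ()


# (profile name, features that must be present, features that must be absent).
# Feature keys: "email" (rfc822Name SAN), "org" (O), "name" (GN and SN).
# Sponsored is listed twice to express "email and/or givenName + surname".
PROFILE_RULES = [
    ("Mailbox",      frozenset({"email"}),         frozenset({"org", "name"})),
    ("Organization", frozenset({"email", "org"}),  frozenset({"name"})),
    ("Individual",   frozenset({"email", "name"}), frozenset({"org"})),
    ("Sponsored",    frozenset({"org", "email"}),  frozenset()),
    ("Sponsored",    frozenset({"org", "name"}),   frozenset()),
]


def features(cert: SubjectInfo) -> set:
    """Reduce certificate content to the three features the profiles key on."""
    found = set()
    if cert.emails:
        found.add("email")
    if cert.attributes.get("O"):
        found.add("org")
    if cert.attributes.get("GN") and cert.attributes.get("SN"):
        found.add("name")
    return found


def matching_profiles(cert: SubjectInfo) -> list:
    """Return the sorted, de-duplicated profile names whose rules this content
    satisfies. More than one name means the profiles overlap on content alone
    and can only be told apart by who validated what, not by the certificate."""
    present = features(cert)
    hits = {
        name for name, required, forbidden in PROFILE_RULES
        if required <= present and not (forbidden & present)
    }
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample contents (not real certificates).
    samples = {
        "mailbox only":        SubjectInfo({}, ("alice@example.com",)),
        "O + email":           SubjectInfo({"O": "Example GmbH", "C": "DE"},
                                           ("info@example.com",)),
        "GN/SN + email":       SubjectInfo({"GN": "Alice", "SN": "Example", "C": "AT"},
                                           ("alice@example.com",)),
        "GN/SN + O + email":   SubjectInfo({"GN": "Alice", "SN": "Example",
                                            "O": "Example GmbH"},
                                           ("alice@example.com",)),
        "O only, no email":    SubjectInfo({"O": "Example GmbH"}),
    }
    for label, cert in samples.items():
        print(f"{label:20s} -> {matching_profiles(cert) or ['no profile']}")
```

Run stand-alone, the "O + email" case reports both Organization and Sponsored, which is the overlap under discussion: the two profiles differ in whether the CA or the sponsor validated the mailbox, not in what ends up in the certificate. Stephen's "individual with an organization" case lands in Sponsored under Stefan's rules, because the Individual rule as listed excludes O; relaxing that exclusion is exactly what would make the two profiles indistinguishable by content.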


