[Smcwg-public] Sponsored profile overlap

Stephen Davidson Stephen.Davidson at digicert.com
Thu Aug 5 13:29:29 UTC 2021


Hi Stefan et al. - thank you for your responses.



We are reaching the same conclusion - and I am glad to have this clear consensus as it differs from what had previously been discussed in the WG.



To be clear, email validation is never delegated in our current draft SMIME BR.  The CA is always responsible for email validation - similar to domain validation under the TLS BR.  https://github.com/srdavidson/smime/blob/preSBR/SBR.md



To summarise our past work:



- Our current profiles describe three that are solidly defined by Subject type:  Mailbox, Organisation, and Individual (which currently may be Personal [no O] or Corporate [including a verified O relationship]).

- The remaining current profile - Sponsored - has up until now been defined in our discussions by 'who is verifying the certificate' ... a delegated RA.  As defined, it's a duck amongst the chickens which is why I wanted to loop back to this.



See also "SMIME Types" at https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=1070281704



As captured by Matthias I am proposing:



- That the profile names change to Mailbox, Organisation, Individual Corporate, Individual Personal.  This should simplify the definition of the profiles by their content alone.

- The Individual Corporate is effectively a combination of verified fields from Organisation and Individual Personal fields.



This will help us ensure consistency across SMIME later, no matter if the verification is done by the CA, an Enterprise RA, or a wider delegated RA.  It will also facilitate writing the SMIME BR as:



- When we start defining verification steps, we can assign which fields must be done by CA and which may be delegated.

- Then, audit/compliance obligations will be simpler to describe for Enterprise RA vs larger delegated RA.



We may later choose to "mark" certificates where verification is performed by a delegated RA, for example with an extension.



Regards, Stephen







-----Original Message-----
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stefan Selbitschka via Smcwg-public
Sent: Wednesday, August 4, 2021 2:36 PM
To: smcwg-public <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Sponsored profile overlap



Hi,



I want to continue today's discussion about the sponsored validation overlap.



From my understanding (till today) we had 4 profiles for different use cases and different validated content in the certificate:

- Mailbox -> email must be validated

- Organization -> email and organization must be validated

- Individual -> email and givenname + surname must be validated

- Sponsored -> organization must be validated, email and/or givenname + surname validation may be delegated to sponsor



This leads me to this picture

(https://next.rundquadrat.at/s/Rx8PXs3bBdyq9Ae) and it was quite clear for me.



Now that Stephen pointed out that we could have an organization within a certificate of the individual profile, I get confused.



If we are now mixing an organization into the individual profile, I get puzzled:

- which countryName will be applied, the country of residence of the individual or the country of jurisdiction of the organization?

- are the businessCategory and jurisdiction* fields included in an individual certificate including an organization?



Maybe someone can find a better summary of the different profiles for me to solve my confusion?



thanks



regards



stefan
