[Smcwg-public] Validation requirements for otherName SANs

Russ Housley housley at vigilsec.com
Mon May 3 18:16:04 UTC 2021



> On May 3, 2021, at 1:21 PM, Corey Bonnell via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> Hello,
> As discussed on last week’s call, we indicated a desire to require validation of email addresses that are contained in a subset of SAN types. I think we all agreed that rfc822Names must be validated, but there was a discussion on otherNames. The IANA registry for otherNames is located here: https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8
> 
> From this registry, the only entry that I can see as requiring validation in an S/MIME context is id-on-SmtpUTF8Mailbox (which I brought up on the call); all the other ones appear to be unrelated. Given this, I believe for the legacy profile, we can safely state that all rfc822Names and otherNames of type id-on-SmtpUTF8Mailbox must be validated and otherNames of any other type do not need to be validated (such as UPN, etc).
> 
> Thoughts?

I agree that id-on-SmtpUTF8Mailbox needs to be validated, if it is present.  You can learn more about it in RFC 8398.

Russ
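
The rule proposed in this thread, as an added example that is not part of either message or of any CA/B Forum text: a minimal DER walk over a SAN GeneralNames value that returns only the entries that would require mailbox validation. The sample bytes, addresses and function names are constructed for illustration; the OID bytes encode id-on 9 (id-on-SmtpUTF8Mailbox, RFC 8398) from the registry linked above.

```python
ID_ON_SMTP_UTF8_MAILBOX = bytes.fromhex("2b06010505070809")  # 1.3.6.1.5.5.7.8.9

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def mailboxes_requiring_validation(san_der):
    """List (SAN type, mailbox) pairs that fall under the proposed rule."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0x81:  # rfc822Name [1] IA5String: always validated
            found.append(("rfc822Name", val.decode("ascii")))
        elif tag == 0xA0:  # otherName [0]: type-id OID, then [0] EXPLICIT value
            _, oid, nxt = read_tlv(val, 0)
            if oid == ID_ON_SMTP_UTF8_MAILBOX:
                _, inner, _ = read_tlv(val, nxt)    # [0] EXPLICIT wrapper
                _, mailbox, _ = read_tlv(inner, 0)  # UTF8String
                found.append(("id-on-SmtpUTF8Mailbox", mailbox.decode("utf-8")))
        # other otherNames (e.g. UPN) and other SAN types: no mailbox validation
    return found

def tlv(tag, body):
    """Builder for the constructed sample below (short-form lengths only)."""
    return bytes([tag, len(body)]) + body

# Constructed sample SAN: rfc822Name, SmtpUTF8Mailbox, UPN otherName, dNSName.
SAMPLE_SAN = tlv(0x30,
    tlv(0x81, b"alice@example.com")
    + tlv(0xA0, tlv(0x06, ID_ON_SMTP_UTF8_MAILBOX)
          + tlv(0xA0, tlv(0x0C, "\u7528\u6237@example.com".encode("utf-8"))))
    + tlv(0xA0, tlv(0x06, bytes.fromhex("2b060104018237140203"))  # UPN OID
          + tlv(0xA0, tlv(0x0C, b"alice@corp.example")))
    + tlv(0x82, b"example.com"))

if __name__ == "__main__":
    print(mailboxes_requiring_validation(SAMPLE_SAN))
```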
