[Smcwg-public] Validation requirements for otherName SANs

Curt Spann cspann at apple.com
Fri May 7 00:04:03 UTC 2021


I agree for the legacy profile, we can safely state that all rfc822Names and otherNames of type id-on-SmtpUTF8Mailbox must be validated, but I am concerned with allowing otherNames of any other type to be included without that information being validated. As with the Subject DN, do we want to allow for unvalidated information in these certificates? Do we feel it is acceptable because we are only discussing the legacy profile?

- Curt

> On May 4, 2021, at 1:20 AM, Dimitris Zacharopoulos (HARICA) via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> +1
> 
> On 3/5/2021 9:16 PM, Russ Housley via Smcwg-public wrote:
>> 
>> 
>>> On May 3, 2021, at 1:21 PM, Corey Bonnell via Smcwg-public <smcwg-public at cabforum.org> wrote:
>>> 
>>> Hello,
>>> As discussed on last week’s call, we indicated a desire to require validation of email addresses that are contained in a subset of SAN types. I think we all agreed that rfc822Names must be validated, but there was a discussion on otherNames. The IANA registry for otherNames is located here: https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8
>>>  
>>> From this registry, the only entry that I can see as requiring validation in an S/MIME context is id-on-SmtpUTF8Mailbox (which I brought up on the call); all the other ones appear to be unrelated. Given this, I believe for the legacy profile, we can safely state that all rfc822Names and otherNames of type id-on-SmtpUTF8Mailbox must be validated and otherNames of any other type do not need to be validated (such as UPN, etc).
>>>  
>>> Thoughts?
>> 
>> I agree that id-on-SmtpUTF8Mailbox needs to be validated, if it is present.  You can learn more about it in RFC 8398.
>> 
>> Russ
>> 
> 
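
The rule proposed in the quoted message (every rfc822Name and every otherName of type id-on-SmtpUTF8Mailbox must be validated; otherNames of other types, such as UPN, need not be) can be checked against a certificate's SAN, which also makes the unvalidated entries raised in the reply visible. This Python code is an added example, not code from the thread or from the CA/Browser Forum. It assumes the DER value of the SubjectAltName extension has already been extracted; all function names are hypothetical, and the UPN type-id 1.3.6.1.4.1.311.20.2.3 is Microsoft's OID, which does not appear in the thread.

```python
ID_ON_SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"  # otherName type-id from RFC 8398
def read_tlv(buf, pos):  # one DER TLV -> (tag, value_bytes, next_pos)
    (tag, length), pos = buf[pos:pos + 2], pos + 2  # ValueError if header is truncated
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OID content octets -> dotted string
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify_san(der):
    """Return (name, value, must_validate); None = type not addressed in the thread."""
    tag, names, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0x81:  # rfc822Name [1] IMPLICIT IA5String
            out.append(("rfc822Name", val.decode("ascii"), True))
        elif tag == 0xA0:  # otherName [0]: type-id OID, then [0] EXPLICIT value
            _, oid_body, p = read_tlv(val, 0)
            oid = decode_oid(oid_body)
            vtag, inner, _ = read_tlv(read_tlv(val, p)[1], 0)
            text = inner.decode("utf-8") if vtag == 0x0C else inner.hex()
            out.append(("otherName:" + oid, text, oid == ID_ON_SMTP_UTF8_MAILBOX))
        else:
            out.append(("tag 0x%02x" % tag, val.hex(), None))
    return out

def tlv(tag, body):  # encoder for the constructed sample; short-form lengths only
    return bytes([tag, len(body)]) + body

def other_name(oid_hex, text):
    return tlv(0xA0, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0xA0, tlv(0x0C, text.encode())))

SAMPLE_SAN = tlv(0x30, tlv(0x81, b"alice@example.com")  # constructed sample
                 + other_name("2b06010505070809", "\u00e4lice@example.com")
                 + other_name("2b060104018237140203", "alice@corp.example"))  # UPN
```

The third field only reports what the proposal would require; performing the mailbox validation itself is outside this example.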
