[Smcwg-public] Technically Constrained S/MIME SubCas
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Mon Nov 15 13:13:09 UTC 2021
On 12/11/2021 6:03 PM, Stephen Davidson wrote:
>
> Thank you Dimitris.
>
> The current draft language for the S/MIME BR is at
> https://github.com/cabforum/smime/blob/preSBR/SBR.md#715--name-constraints
>
Hi Stephen,
Reading the challenges described in past discussions, are we sure we
want to add a requirement for directoryName constraints in
S/MIME-capable Technically constrained subCA Certificates? Would it be
easy for such a subCA to issue an end-entity certificate that includes
the subject: "C=US,CN=John Doe,Email=john.doe at example.com"?
Perhaps we should avoid setting requirements for directoryName
constraints in the first version of the SMBRs.
I'm also having trouble following the connection with section 7.1.2.4 in
the following text:
"For each |directoryName| in |permittedSubtrees|, the CA MUST confirm
the Applicant's and/or Subsidiary's Organizational name and location
such that end entity certificates issued from the subordinate CA
Certificate will be in compliance with Section 7.1.2.4
<https://github.com/cabforum/smime/blob/preSBR/SBR.md#7124-all-certificates>."
Perhaps 7.1.4.3 is closer to what you were looking for?
Dimitris.
>
> Regards, Stephen
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of*
> Dimitris Zacharopoulos (HARICA) via Smcwg-public
> *Sent:* Wednesday, November 10, 2021 12:25 PM
> *To:* smcwg-public at cabforum.org
> *Subject:* [Smcwg-public] Technically Constrained S/MIME SubCas
>
> Following-up on today's meeting, here are some links of discussion
> threads regarding the technical constraints for S/MIME-capable subCAs:
>
> * (discussion in 2017)
> https://groups.google.com/g/mozilla.dev.security.policy/c/Flo8rkX5WB4/m/2TZxoqK9BQAJ
> * (most recent one)
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/n1vLLXwNbuM/m/uvQ705e-BAAJ?utm_medium=email&utm_source=footer
>
> Dimitris.
>