[Smcwg-public] Technically Constrained S/MIME SubCas

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Nov 15 13:13:09 UTC 2021



On 12/11/2021 6:03 PM, Stephen Davidson wrote:
>
> Thank you Dimitris.
>
> The current draft language for the S/MIME BR is at 
> https://github.com/cabforum/smime/blob/preSBR/SBR.md#715--name-constraints
>

Hi Stephen,

Reading the challenges described in past discussions, are we sure we 
want to add a requirement for directoryName constraints in 
S/MIME-capable Technically constrained subCA Certificates? Would it be 
easy for such a subCA to issue an end-entity certificate that includes 
the subject: "C=US,CN=John Doe,Email=john.doe at example.com"?

Perhaps we should avoid setting requirements for directoryName 
constraints in the first version of the SMBRs.

I'm also having trouble following the connection with section 7.1.2.4 in 
the following text:

"For each |directoryName| in |permittedSubtrees|, the CA MUST confirm 
the Applicant's and/or Subsidiary's Organizational name and location 
such that end entity certificates issued from the subordinate CA 
Certificate will be in compliance with Section 7.1.2.4 
<https://github.com/cabforum/smime/blob/preSBR/SBR.md#7124-all-certificates>."

Perhaps 7.1.4.3 is closer to what you were looking for?


Dimitris.
>
> Regards, Stephen
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of 
> *Dimitris Zacharopoulos (HARICA) via Smcwg-public
> *Sent:* Wednesday, November 10, 2021 12:25 PM
> *To:* smcwg-public at cabforum.org
> *Subject:* [Smcwg-public] Technically Constrained S/MIME SubCas
>
> Following-up on today's meeting, here are some links of discussion 
> threads regarding the technical constraints for S/MIME-capable subCAs:
>
>   * (discussion in 2017)
>     https://groups.google.com/g/mozilla.dev.security.policy/c/Flo8rkX5WB4/m/2TZxoqK9BQAJ
>   * (most recent one)
>     https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/n1vLLXwNbuM/m/uvQ705e-BAAJ?utm_medium=email&utm_source=footer
>
> Dimitris.
>
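
Added illustration (not part of the message above or of the draft SBR): a simplified sketch of how an RFC 5280 directoryName constraint is checked, applied to the subject quoted in the message. The permitted subtree "C=US,O=Example Corp" is a constructed assumption, and the parser handles only single-valued RDNs written root-first without escaped commas.

```python
import re

# Constructed permittedSubtrees directoryName value (assumption, not from the thread).
PERMITTED = ["C=US,O=Example Corp"]


def parse_dn(dn):
    """Split 'C=US,O=Example' into normalized (type, value) RDN pairs.

    Simplified: RDNs are listed root-first, single-valued, no escaped commas.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        # Compare case-insensitively with internal whitespace collapsed.
        value = re.sub(r"\s+", " ", value.strip()).casefold()
        rdns.append((attr.strip().upper(), value))
    return rdns


def within_subtree(subject, base):
    """True if the base DN's RDN sequence is an initial part of the subject's."""
    s, b = parse_dn(subject), parse_dn(base)
    return len(s) >= len(b) and s[:len(b)] == b


def dn_permitted(subject, permitted, excluded=()):
    """Apply excluded subtrees first, then permitted subtrees."""
    if any(within_subtree(subject, e) for e in excluded):
        return False
    if not permitted:
        # No permitted directoryName subtrees: any DN not excluded is acceptable.
        return True
    return any(within_subtree(subject, p) for p in permitted)


if __name__ == "__main__":
    samples = [
        # Subject quoted in the message (address kept as the archive shows it).
        "C=US,CN=John Doe,Email=john.doe at example.com",
        # Constructed subject that carries the organization RDN.
        "C=US,O=Example Corp,CN=John Doe",
    ]
    for dn in samples:
        print(dn, "->", "permitted" if dn_permitted(dn, PERMITTED) else "rejected")
```

Under this constructed constraint, the subject from the message is rejected because it has no O RDN directly after C, while the same person's certificate with the organization included passes.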