[Smcwg-public] Stable Draft of S/MIME Certificate Profiles

Wiedenhorst, Matthias M.Wiedenhorst at tuvit.de
Tue Oct 26 07:20:58 UTC 2021

Hi Stephen, all,

a few points regarding the profiles from my perspective.

My understanding was that the “Sponsored Individual” profile was to be a merge of the “Org-validation” and the “Personal Individual” profiles. While that is true for the Organization part, it is not for the Individual part. Givenname and Surname are mandatory in the Strict and Multipurpose Personal Individual Profile, but only a “may” in the Sponsored Individual.
Pseudonym is forbidden (see separate remark below) in Personal Individual, but a “may” in Sponsored Individual.
Is there any reason for this?
If someone would issue a Sponsored Individual certificate and an Org-validation cert that include only the mandatory DN fields (O, C, orgIdentifier), then these two would be identical in profile.

With regard to pseudonym:
In the “Personal Individual” profile the use of “pseudonym” is declared as “must not”. However, the European eIDAS regulation states in Article 5 No. 2: “Without prejudice to the legal effect given to pseudonyms under national law, the use of pseudonyms in electronic transactions shall not be prohibited.” I am not a lawyer, but it seems that this “must not” might be in conflict with law in Europe.

Best regards
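To make the overlap described above concrete, here is an added example (not from this thread and not from the draft worksheet) that models the Subject DN requirement levels the message attributes to the Strict/Multipurpose profiles. The attribute names and their must/may/must-not levels are assumptions read from the message, not the draft's actual text, and the email-address requirement in Subject/SAN is left out of the model.

```python
# Added example: a minimal Subject DN rule checker for the S/MIME profile
# levels as described in the thread. Requirement levels are an assumption
# taken from the message above, not the CA/B Forum draft itself; the
# email-address (SAN) requirement is deliberately not modelled here.
from enum import Enum


class Req(Enum):
    MUST = "must"
    MAY = "may"
    MUST_NOT = "must not"


# Attribute -> requirement level for the Strict/Multipurpose level of each
# profile. Any attribute not listed for a profile is treated as not allowed,
# so unexpected fields are reported rather than silently accepted.
PROFILES = {
    "Organizational": {
        "O": Req.MUST, "C": Req.MUST, "organizationIdentifier": Req.MUST,
    },
    "Sponsored Individual": {
        "O": Req.MUST, "C": Req.MUST, "organizationIdentifier": Req.MUST,
        "givenName": Req.MAY, "surname": Req.MAY, "pseudonym": Req.MAY,
    },
    "Personal Individual": {
        "givenName": Req.MUST, "surname": Req.MUST, "pseudonym": Req.MUST_NOT,
    },
}


def violations(profile, subject):
    """Return the rule violations of `subject` (attr -> value) against `profile`."""
    rules = PROFILES[profile]
    found = []
    for attr, req in rules.items():
        if req is Req.MUST and attr not in subject:
            found.append(f"missing mandatory {attr}")
        elif req is Req.MUST_NOT and attr in subject:
            found.append(f"forbidden attribute {attr}")
    for attr in subject:
        if attr not in rules:
            found.append(f"attribute {attr} not allowed in {profile}")
    return found


def matching_profiles(subject):
    """Profiles the DN satisfies; more than one means the DN alone is ambiguous."""
    return [p for p in PROFILES if not violations(p, subject)]


# Constructed sample: only the mandatory organizational fields, no person data.
MINIMAL_ORG_DN = {"O": "Example GmbH", "C": "DE", "organizationIdentifier": "PLACEHOLDER-ID"}
```

Running `matching_profiles(MINIMAL_ORG_DN)` returns both "Organizational" and "Sponsored Individual", which is exactly the ambiguity the message raises.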

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Stephen Davidson via Smcwg-public
Sent: Thursday, 30 September 2021 22:56
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Stable Draft of S/MIME Certificate Profiles


The S/MIME Certificate Working Group has now completed work on a stable draft of the certificate profiles that will be included in the future S/MIME Baseline Requirements.

The WG requests that members share this with their product and technical teams seeking feedback as the pace will pick up to turn these worksheets into a draft standard:

The S/MIME BR will apply to “trusted” leaf certs with emailProtection EKU and at least one email address in Subject / SAN.

By way of explanation of the worksheet:

• SMIME Types – explains the OID structure and cert profile types
• Leaf Profile – explains the certificate fields common to the various cert profile types

There are then 4 major cert profiles showing the major differences in Subject, eKU, keyUsage, and extensions:
• Mailbox - The simplest S/MIME, including only email address. The same email control verification methods apply across all S/MIME types.
• Organizational - Includes Organization details (legal entity). Example uses include invoice or statement mailers, etc.
• Sponsored Individual - Includes personal details (for natural person, which may be validated by Enterprise RA) in association with Organisation details (validated by the CA).
• Personal Individual - Includes personal details (for natural person).

Each of the cert profile types will have three available levels:
• Legacy - Allows all public S/MIME to an auditable framework but includes flexibility in allowed field usages and verification. The intent is that this profile will eventually be sunsetted.
• Multipurpose - Aligned with the Strict profile, but with more flexibility in the eKU (primarily to allow overlap with existing use cases such as document signing).
• Strict - The final goal profile. Strict definition and dedicated eKU.

Discussion is welcomed on list, but we will also dedicate time in our meeting on October 27 for feedback.  Tentatively, we will also start considering CA profiles at that time.

With kind regards,
Stephen Davidson
Chair, S/MIME Certificate Working Group

Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany
Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
Geschäftsführung/Management Board: Dirk Kretzschmar
