[Smcwg-public] Stable Draft of S/MIME Certificate Profiles

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Oct 27 11:37:54 UTC 2021

Hi Matthias,

I agree that forbidding "pseudonym" is a conflict with eIDAS and I 
believe the WG might consider lifting this restriction provided we were 
able to document good validation practices to support it.

On a separate matter, S/MIME Certificates do not need to be 
"eIDAS-compatible" but I can relate to TSPs that want to combine 
multiple trust schemes.


On 26/10/2021 10:21 π.μ., Wiedenhorst, Matthias via Smcwg-public wrote:
> Hi Stephen, all,
> a few points regarding the profiles from my perspective.
> My understanding was that the “Sponsored Individual” profile was to be 
> a merge of the “Org-validation” and the “Personal Individual” 
> profiles. While that is true for the Organization part, it is not for 
> the Individual part. Givenname und Surname are mandatory in the Strict 
> and Multipurpose Personal Individual Profile, but only a “may” in the 
> Sponsored Individual.
> Pseudonym is forbidden (see separate remark below) in Personal 
> Individual, but a “may” in Sponsored Individual.
> Is there any reason for this?
> If someone would issue a Sponsored Individual certificate and an 
> Org-validation cert that include only the mandatory DN fields (O, C, 
> orgIdentifier), than this two would be identical in profile.
> With regard to pseudonym:
> In the “Personal Individual”-profile the use of “pseudonym” is 
> declared as “must not”. However, the European eIDAS regulation states 
> in Article 5 No.2 :”/Without prejudice to the legal effect given to 
> pseudonyms under national law, the use of pseudonyms in electronic 
> transactions shall not be prohibited./” I am not a lawyer, but it 
> seems that this “must not” might be in conflict with law in Europe.
> Best regards
> Matthias
> *Von:* Smcwg-public <smcwg-public-bounces at cabforum.org> *Im Auftrag 
> von *Stephen Davidson via Smcwg-public
> *Gesendet:* Donnerstag, 30. September 2021 22:56
> *An:* smcwg-public at cabforum.org
> *Betreff:* [Smcwg-public] Stable Draft of S/MIME Certificate Profiles
> Hello:
> The S/MIME Certificate Working Group has now completed work on a 
> stable draft of the certificate profiles that will be included in the 
> future S/MIME Baseline Requirements.
> The WG requests that members share this with their product and 
> technical teams seeking feedback as the pace will pick up to turn 
> these worksheets into a draft standard:
> https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0 
> The S/MIME BR will apply to “trusted” leaf certs with emailProtection 
> EKU and at least one email address in Subject / SAN.
> By way of explanation of the worksheet:
> •             SMIME Types – explains the OID structure and cert 
> profile types
> •             Leaf Profile – explains the certificate fields common to 
> the various cert profile types
> There are then 4 major cert profiles showing the major differences in 
> Subject, eKU, keyUsage, and extensions:
> •             Mailbox - The simplest S/MIME, including only email 
> address. The same email control verification methods apply across all 
> S/MIME types.
> • Organizational - Includes Organization details (legal entity). 
> Example uses include invoice or statement mailers, etc.
> •             Sponsored Individual - Includes personal details (for 
> natural person, which may be validated by Enterprise RA) in 
> association with Organisation details (validated by the CA).
> •             Personal Individual - Includes personal details (for 
> natural person).
> Each of the cert profile types will have three available levels:
> •             Legacy - Allows all public S/MIME to an auditable 
> framework but includes flexibility in allowed field usages and 
> verification.  The intent is that this profile will eventually be 
> sunsetted.
> • Multipurpose - Aligned with the Strict profile, but with more 
> flexibility in the eKU (primarily to allow overlap with existing use 
> cases such as document signing).
> •             Strict - The final goal profile.  Strict definition and 
> dedicated eKU.
> Discussion is welcomed on list, but we will also dedicate time in our 
> meeting on October 27 for feedback.  Tentatively, we will also start 
> considering CA profiles at that time.
> With kind regards,
> Stephen Davidson
> Chair, S/MIME Certificate Working Group
> *______________________________________________________________________________________________________________________* 
> *Sitz der Gesellschaft/Headquarter:* TÜV Informationstechnik GmbH * Am 
> TÜV 1 * 45307 Essen, Germany *Registergericht/Register Court:* 
> Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 
> 176132277 * Steuer-Nr./Tax No.: 111/57062251 
> *Geschäftsführung/Management Board:* Dirk Kretzschmar
> Expertise for your Success
> *Please visit our website: www.tuv-nord.com <http://www.tuv-nord.com> 
> Besuchen Sie unseren Internetauftritt: www.tuev-nord.de 
> <http://www.tuev-nord.de>*
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20211027/32369ff2/attachment.html>

More information about the Smcwg-public mailing list