[Smcwg-public] On the subject:serialNumber attribute
Adriano Santoni
adriano.santoni at staff.aruba.it
Mon Apr 4 10:02:49 UTC 2022
Hi all,
I have some doubts about this part, in connection with IV and SV
certificates:
> *7.1.4.2.2 Subject distinguished name fields*
>
> g. *Certificate Field*: subject:serialNumber (2.5.4.5)
> *Contents*: If present, the subject:serialNumber MAY be used to
> contain an identifier assigned by the CA or RA to identify and/or to
> disambiguate the Subscriber.
I'm rather dubious about "an identifier assigned by the CA or RA" being
appropriate. Unless a pseudonym is used, the Subscriber identity should
be clear to Relying Parties without a need to query the CA or RA, which
would however be necessary if such an identifier were assigned by the CA or
RA and the certificate contained no other disambiguating information.
How about we decide, instead, that the subject:serialNumber MAY
contain, for disambiguating purposes, a unique identifier of the
Subscriber assigned to him/her by a government agency? It could be taken
from the identity document that has been verified according to section
3.2.4 (Authentication of individual identity) and encoded according to
ETSI EN 319 412-1 Section 5.1.3 (e.g. IDCxx-nnnnn, PASxx-nnnnn,
TINxx-nnnnn and so on).
Apart from this, it seems to me that the purpose and requirements of
this attribute are not very well explained in the various cases (MV, IV,
OV, SV). For example, since the organizationIdentifier attribute is
mandatory in the OV case, what would be the use of having the
serialNumber in the subject as well?
Adriano
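
The encoding proposed in the message above, as an added example that is not part of the original post: a small lint-style check that tells a self-describing subject:serialNumber (type prefix, country code, hyphen, identifier) apart from an opaque CA/RA-assigned value. The function names are hypothetical, only the three prefixes named in the message are accepted, the country code is checked syntactically only, and the sample values are constructed.

```python
import re
from typing import NamedTuple

# Identity type prefixes named in the message; the ETSI text defines the full set.
KNOWN_TYPES = {
    "IDC": "national identity card",
    "PAS": "passport",
    "TIN": "tax identification number",
}

# X520SerialNumber is a PrintableString of 1..64 characters (RFC 5280).
PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]{1,64}")
# Layout from the message: <3-letter type><2-letter country>-<identifier>
SEMANTICS_ID = re.compile(r"([A-Z]{3})([A-Z]{2})-(.+)")


class SemanticsId(NamedTuple):
    id_type: str
    country: str
    identifier: str


def parse_serial_number(value: str) -> SemanticsId:
    """Parse a serialNumber value; raise ValueError if it is not self-describing."""
    if not PRINTABLE.fullmatch(value):
        raise ValueError("not a PrintableString of 1..64 characters")
    match = SEMANTICS_ID.fullmatch(value)
    if match is None:
        raise ValueError("does not match <type><country>-<identifier>")
    id_type, country, identifier = match.groups()
    if id_type not in KNOWN_TYPES:
        raise ValueError(f"identity type {id_type!r} is not handled here")
    return SemanticsId(id_type, country, identifier)


def classify(value: str) -> str:
    """Return a one-line verdict a Relying Party tool could display."""
    try:
        sid = parse_serial_number(value)
    except ValueError as exc:
        return f"opaque: {exc}"
    return f"{KNOWN_TYPES[sid.id_type]} ({sid.country}): {sid.identifier}"


if __name__ == "__main__":
    # Constructed sample values, not taken from real certificates.
    for sample in ("PASIT-YA1234567", "TINIT-RSSMRA80A01H501U", "000123", "IDCit-1"):
        print(f"{sample!r:28} {classify(sample)}")
```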