[Smcwg-public] On the subject:serialNumber attribute
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Apr 13 07:02:48 UTC 2022
On 4/4/2022 1:02 p.m., Adriano Santoni via Smcwg-public wrote:
>
> Hi all,
>
> I have some doubts about this part, in connection with IV and SV
> certificates:
>
>> *7.1.4.2.2 Subject distinguished name fields*
>>
>> g. *Certificate Field*: subject:serialNumber (2.5.4.5)
>> *Contents*: If present, the subject:serialNumber MAY be used to
>> contain an identifier assigned by the CA or RA to identify and/or to
>> disambiguate the Subscriber.
>
> I'm rather dubious about "an identifier assigned by the CA or RA"
> being appropriate. Unless a pseudonym is used, the Subscriber identity
> should be clear to Relying Parties without a need to query the CA or
> RA, which would however be necessary if such identifier was assigned
> by the CA or RA and the certificate contained no other disambiguating
> information.
>
> How about we decide, instead, that the subject:serialNumber MAY
> contain, for disambiguating purposes, a unique identifier of the
> Subscriber assigned to him/her by a government agency? It could be
> taken from the identity document that has been verified according to
> section 3.2.4 (Authentication of individual identity) and encoded
> according to ETSI EN 319 412-1 Section 5.1.3 (e.g. IDCxx-nnnnn,
> PASxx-nnnnn, TINxx-nnnnn and so on).
>
> Apart from this, it seems to me that the purpose and requirements of
> this attribute are not very well explained in the various cases (MV,
> IV, OV, SV). For example, since the organizationIdentifier attribute
> is mandatory in the OV case, what would be the use of having the
> serialNumber in the subject as well?
>
> Adriano
>
Sorry if this has already been discussed in S/MIME calls.
Adriano, I don't think this is the situation today. According to ETSI, a
CA is allowed to use a unique identifier in the subject:serialNumber
field to disambiguate a natural person in collision cases. The use of
TIN, IDC, PAS, etc. is obviously allowed but not the only way to add a
serialNumber. In fact, the use of these cases is associated with the
semanticsIdentifier of the qcStatements. You can totally avoid that
today and be compliant with the ETSI profiles.
Thanks,
Dimitris.
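An added illustration of the two kinds of subject:serialNumber discussed above: the ETSI EN 319 412-1 section 5.1.3 encoding Adriano cites, and an opaque CA-assigned disambiguator that Dimitris says remains compliant. This is example code written for this page, not code from the thread or from any CA; it assumes the type codes PAS, IDC and TIN named in the thread, plus PNO and the local "xx:" form from my reading of the standard, and all sample values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PAS, IDC, TIN are named in the thread; PNO and the two-character
# local-definition form ("xx:") are assumed from ETSI EN 319 412-1 5.1.3.
KNOWN_TYPES = {"PAS", "IDC", "PNO", "TIN"}

# 3-char type reference (or 2 chars + ':'), 2-char ISO 3166 country code,
# a hyphen-minus, then the identifier itself.
_PATTERN = re.compile(
    r"^(?P<type>[A-Z]{3}|[A-Z0-9]{2}:)(?P<country>[A-Z]{2})-(?P<id>.+)$"
)


@dataclass
class SemanticsId:
    type_ref: str
    country: str
    identifier: str
    local_definition: bool


def parse_natural_person_id(value: str) -> Optional[SemanticsId]:
    """Parse a serialNumber encoded per ETSI EN 319 412-1 clause 5.1.3.

    Returns None when the value does not follow that encoding, e.g. a
    CA/RA-assigned disambiguator that carries no published semantics.
    """
    m = _PATTERN.match(value)
    if not m:
        return None
    type_ref = m.group("type")
    local = type_ref.endswith(":")
    if not local and type_ref not in KNOWN_TYPES:
        return None
    return SemanticsId(type_ref, m.group("country"), m.group("id"), local)


def classify_serial_number(value: str) -> str:
    """Say what a relying party can learn from the serialNumber alone."""
    parsed = parse_natural_person_id(value)
    if parsed is None:
        return "opaque: no ETSI semantics, CA/RA lookup needed to resolve"
    scheme = "local scheme" if parsed.local_definition else parsed.type_ref
    return f"government-assigned: {scheme} issued in {parsed.country}"
```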