[Smcwg-public] On the subject:serialNumber attribute

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Apr 13 08:42:49 UTC 2022

Hi Dimitris,

I was not implying that this is the situation today, nor that we have to 
be compliant with the ETSI profiles.

I was just suggesting that we might adopt the ETSI-style of natural 
person identifier so to put in the subject:serialNumber a "talking" 
disambiguating datum.

Let's consider the following example: two (fictional) ladies both named 
"Katerina Papadopoulos", possibly living in the same town, request an IV 
(Individual Validated) S/MIME certificate.

In order to disambiguate their identities in the Subject field, the CA 
would add a serialNumber containing a unique number of their choice (the 
CA's). Consequently, we would end up with the two certificates having a 
Subject field like the following:

Cert #1)     givenName=Katerina, surname=Papadopoulos, serialNumber=722486

Cert #2)     givenName=Katerina, surname=Papadopoulos, serialNumber=907235

Now, if I receive an email signed by one of the two certificates above, 
I have no hints about which of the two Katerina Papadopoulos wrote to me....

I might rely on some other Subject information, such as address 
attributes (L, S, C) but that would not necessarily solve the ambiguity.

However, should the serialNumber contain an ETSI-style natural person 
identifier, I would have more chances to understand who is the sender, 
based on what I know of the expected sender.

I am not asking to revise the BR so to mandate this coding, I was just 
sharing the proposal to get some opinions. After all, the current BR 
draft does not forbid using an ETSI natural person identifier in the 
Subject:serialNumber, so I suppose nothing would prevent a CA from doing 
so. But maybe this could be the preferred way to go rather that just a 
possibility... ?

At any rate, we have already adopted the ETSI unique identifier for 
legal persons (the draft BR requires the organizationalIdentifier 
attribute in OV and SV certificates), so I am not clear why we shouldn't 
do the same for natural persons.


Il 13/04/2022 09:02, Dimitris Zacharopoulos (HARICA) via Smcwg-public ha 
> Adriano, I don't think this is the situation today. According to ETSI, 
> a CA is allowed to use a unique identifier in the subject:serialNumber 
> field to disambiguate a natural person in collision cases. The use of 
> TIN, IDC, PAS, etc is obviously allowed but not the only way to add a 
> serialNumber. In fact, the use of these cases are associated with the 
> semanticsIdentifier of the qcStatements. You can totally avoid that 
> today and be compliant with the ETSI profiles.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220413/2ac159c6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220413/2ac159c6/attachment-0001.p7s>

More information about the Smcwg-public mailing list