[Smcwg-public] On the subject:serialNumber attribute
Adriano Santoni
adriano.santoni at staff.aruba.it
Wed Apr 13 08:42:49 UTC 2022
Hi Dimitris,
I was not implying that this is the situation today, nor that we have to
be compliant with the ETSI profiles.
I was just suggesting that we might adopt the ETSI-style of natural
person identifier so as to put in the subject:serialNumber a "talking"
disambiguating datum.
Let's consider the following example: two (fictional) ladies both named
"Katerina Papadopoulos", possibly living in the same town, request an IV
(Individual Validated) S/MIME certificate.
In order to disambiguate their identities in the Subject field, the CA
would add a serialNumber containing a unique number of their choice (the
CA's). Consequently, we would end up with the two certificates having a
Subject field like the following:
Cert #1) givenName=Katerina, surname=Papadopoulos, serialNumber=722486
Cert #2) givenName=Katerina, surname=Papadopoulos, serialNumber=907235
Now, if I receive an email signed by one of the two certificates above,
I have no hints about which of the two Katerina Papadopoulos wrote to me....
I might rely on some other Subject information, such as address
attributes (L, S, C) but that would not necessarily solve the ambiguity.
However, should the serialNumber contain an ETSI-style natural person
identifier, I would have more chances to understand who is the sender,
based on what I know of the expected sender.
I am not asking to revise the BR so as to mandate this coding, I was just
sharing the proposal to get some opinions. After all, the current BR
draft does not forbid using an ETSI natural person identifier in the
Subject:serialNumber, so I suppose nothing would prevent a CA from doing
so. But maybe this could be the preferred way to go rather than just a
possibility...?
At any rate, we have already adopted the ETSI unique identifier for
legal persons (the draft BR requires the organizationalIdentifier
attribute in OV and SV certificates), so I am not clear why we shouldn't
do the same for natural persons.
Adriano
On 13/04/2022 09:02, Dimitris Zacharopoulos (HARICA) via Smcwg-public
wrote:
> Adriano, I don't think this is the situation today. According to ETSI,
> a CA is allowed to use a unique identifier in the subject:serialNumber
> field to disambiguate a natural person in collision cases. The use of
> TIN, IDC, PAS, etc. is obviously allowed but not the only way to add a
> serialNumber. In fact, the use of these cases is associated with the
> semanticsIdentifier of the qcStatements. You can totally avoid that
> today and be compliant with the ETSI profiles.
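The disambiguation question discussed above, as an added example that is not part of this thread: a relying party parsing subject:serialNumber can only recover a "talking" datum when the value follows the ETSI EN 319 412-1 natural-person layout (identity type reference such as PAS/IDC/TIN, ISO 3166 country code, hyphen, identifier); an opaque CA-assigned number like 722486 tells it nothing. The Subject strings reuse the thread's Cert #1; the TINGR-... value and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identity type references from ETSI EN 319 412-1 natural-person semantics
# identifiers: the three named in the thread plus PNO; "XX:" marks a national
# scheme (two letters and a colon). Layout: type, ISO 3166 country, "-", identifier.
ETSI_ID_TYPES = {"PAS": "passport", "IDC": "identity card",
                 "PNO": "national personal number",
                 "TIN": "tax identification number"}
_ETSI_RE = re.compile(
    r"^(?P<type>PAS|IDC|PNO|TIN|[A-Z]{2}:)(?P<country>[A-Z]{2})-(?P<ident>\S+)$")


@dataclass
class NaturalPersonId:
    id_type: str      # e.g. "TIN", or "XY:" for a national scheme
    country: str      # ISO 3166 alpha-2 code
    identifier: str   # registry-specific value, not validated here

    def describe(self) -> str:
        kind = ETSI_ID_TYPES.get(self.id_type, f"national scheme {self.id_type}")
        return f"{kind} {self.identifier} ({self.country})"


def parse_subject(dn: str) -> dict:
    """Split the 'attr=value, attr=value' form used in the thread into a dict
    (constructed helper for this example, not an RFC 4514 DN parser)."""
    return dict(part.strip().split("=", 1) for part in dn.split(","))


def parse_serial_number(value: str) -> Optional[NaturalPersonId]:
    """Return the ETSI-style identifier carried in subject:serialNumber, or
    None when the value is an opaque CA-assigned number such as 722486."""
    m = _ETSI_RE.match(value)
    return NaturalPersonId(m["type"], m["country"], m["ident"]) if m else None


def explain_sender(dn: str) -> str:
    """What a relying party can learn about the signer from the Subject alone."""
    subj = parse_subject(dn)
    name = f"{subj['givenName']} {subj['surname']}"
    ident = parse_serial_number(subj.get("serialNumber", ""))
    if ident is None:
        return f"{name}: serialNumber is CA-assigned, cannot tell which {name} signed"
    return f"{name}: {ident.describe()}"


# Cert #1 from the thread (opaque serial) beside a constructed ETSI-style variant.
OPAQUE_CERT = "givenName=Katerina, surname=Papadopoulos, serialNumber=722486"
ETSI_CERT = "givenName=Katerina, surname=Papadopoulos, serialNumber=TINGR-012345678"
```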