[Smcwg-public] On the subject:serialNumber attribute

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Apr 13 08:51:25 UTC 2022

On 13/4/2022 11:42 π.μ., Adriano Santoni via Smcwg-public wrote:
> Hi Dimitris,
> I was not implying that this is the situation today, nor that we have 
> to be compliant with the ETSI profiles.
> I was just suggesting that we might adopt the ETSI-style of natural 
> person identifier so to put in the subject:serialNumber a "talking" 
> disambiguating datum.
> Let's consider the following example: two (fictional) ladies both 
> named "Katerina Papadopoulos", possibly living in the same town, 
> request an IV (Individual Validated) S/MIME certificate.
> In order to disambiguate their identities in the Subject field, the CA 
> would add a serialNumber containing a unique number of their choice 
> (the CA's). Consequently, we would end up with the two certificates 
> having a Subject field like the following:
> Cert #1)     givenName=Katerina, surname=Papadopoulos, serialNumber=722486
> Cert #2)     givenName=Katerina, surname=Papadopoulos, serialNumber=907235
> Now, if I receive an email signed by one of the two certificates 
> above, I have no hints about which of the two Katerina Papadopoulos 
> wrote to me....
> I might rely on some other Subject information, such as address 
> attributes (L, S, C) but that would not necessarily solve the ambiguity.
> However, should the serialNumber contain an ETSI-style natural person 
> identifier, I would have more chances to understand who is the sender, 
> based on what I know of the expected sender.
> I am not asking to revise the BR so to mandate this coding, I was just 
> sharing the proposal to get some opinions. After all, the current BR 
> draft does not forbid using an ETSI natural person identifier in the 
> Subject:serialNumber, so I suppose nothing would prevent a CA from 
> doing so. But maybe this could be the preferred way to go rather that 
> just a possibility... ?
> At any rate, we have already adopted the ETSI unique identifier for 
> legal persons (the draft BR requires the organizationalIdentifier 
> attribute in OV and SV certificates), so I am not clear why we 
> shouldn't do the same for natural persons.
> Adriano

I agree with your position that for IV certificates we SHOULD have some 
*uniquely *personally identifiable information that *Relying Parties* 
could use without the assistance of the CA.

> Il 13/04/2022 09:02, Dimitris Zacharopoulos (HARICA) via Smcwg-public 
> ha scritto:
>> Adriano, I don't think this is the situation today. According to 
>> ETSI, a CA is allowed to use a unique identifier in the 
>> subject:serialNumber field to disambiguate a natural person in 
>> collision cases. The use of TIN, IDC, PAS, etc is obviously allowed 
>> but not the only way to add a serialNumber. In fact, the use of these 
>> cases are associated with the semanticsIdentifier of the 
>> qcStatements. You can totally avoid that today and be compliant with 
>> the ETSI profiles.
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220413/81bf5e8a/attachment.html>

More information about the Smcwg-public mailing list