[Smcwg-public] On the subject:serialNumber attribute
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Apr 13 08:51:25 UTC 2022
On 13/4/2022 11:42 a.m., Adriano Santoni via Smcwg-public wrote:
>
> Hi Dimitris,
>
> I was not implying that this is the situation today, nor that we have
> to be compliant with the ETSI profiles.
>
> I was just suggesting that we might adopt the ETSI-style of natural
> person identifier so as to put in the subject:serialNumber a "talking"
> disambiguating datum.
>
> Let's consider the following example: two (fictional) ladies both
> named "Katerina Papadopoulos", possibly living in the same town,
> request an IV (Individual Validated) S/MIME certificate.
>
> In order to disambiguate their identities in the Subject field, the CA
> would add a serialNumber containing a unique number of their choice
> (the CA's). Consequently, we would end up with the two certificates
> having a Subject field like the following:
>
> Cert #1) givenName=Katerina, surname=Papadopoulos, serialNumber=722486
>
> Cert #2) givenName=Katerina, surname=Papadopoulos, serialNumber=907235
>
> Now, if I receive an email signed by one of the two certificates
> above, I have no hints about which of the two Katerina Papadopoulos
> wrote to me....
>
> I might rely on some other Subject information, such as address
> attributes (L, S, C) but that would not necessarily solve the ambiguity.
>
> However, should the serialNumber contain an ETSI-style natural person
> identifier, I would have more chances to understand who is the sender,
> based on what I know of the expected sender.
>
> I am not asking to revise the BR so as to mandate this coding, I was just
> sharing the proposal to get some opinions. After all, the current BR
> draft does not forbid using an ETSI natural person identifier in the
> Subject:serialNumber, so I suppose nothing would prevent a CA from
> doing so. But maybe this could be the preferred way to go rather than
> just a possibility... ?
>
> At any rate, we have already adopted the ETSI unique identifier for
> legal persons (the draft BR requires the organizationalIdentifier
> attribute in OV and SV certificates), so I am not clear why we
> shouldn't do the same for natural persons.
>
> Adriano
>
I agree with your position that for IV certificates we SHOULD have some
*uniquely* personally identifiable information that *Relying Parties*
could use without the assistance of the CA.
Dimitris.
>
>
> On 13/04/2022 09:02, Dimitris Zacharopoulos (HARICA) via Smcwg-public
> wrote:
>> Adriano, I don't think this is the situation today. According to
>> ETSI, a CA is allowed to use a unique identifier in the
>> subject:serialNumber field to disambiguate a natural person in
>> collision cases. The use of TIN, IDC, PAS, etc. is obviously allowed
>> but not the only way to add a serialNumber. In fact, the use of these
>> cases is associated with the semanticsIdentifier of the
>> qcStatements. You can totally avoid that today and be compliant with
>> the ETSI profiles.
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
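The disambiguation problem Adriano describes, worked through as an added example that is not part of the thread or of any CA's code. It contrasts the two CA-chosen opaque serialNumbers from his Cert #1 / Cert #2 with ETSI-style natural person identifiers in the same attribute. The identifier layout (three-letter identity type, two-letter ISO 3166 country code, hyphen, identifier, e.g. `PASGR-AB1234567`) and the type prefixes PAS, IDC, PNO and TIN are taken from ETSI EN 319 412-1; the passport numbers, the `parse_subject` string parser and the `identify_sender` helper are constructed for this illustration, and a real relying party would read the Subject from the certificate with an X.509 library rather than from a rendered DN string.

```python
"""Compare opaque and ETSI-style subject:serialNumber values in IV S/MIME
certificates. Added example; identifiers and helpers are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Natural person identity type prefixes registered in ETSI EN 319 412-1.
# Locally defined "XX:" schemes also exist there; this example does not
# recognise them (an assumption that keeps the parser small).
ETSI_NATURAL_PERSON_TYPES = {
    "PAS": "passport number",
    "IDC": "national identity card number",
    "PNO": "personal number (civic registration number)",
    "TIN": "tax identification number",
}

# <3-letter type><2-letter ISO 3166 country>-<identifier>
ETSI_RE = re.compile(r"^(?P<type>[A-Z]{3})(?P<country>[A-Z]{2})-(?P<ident>.+)$")


@dataclass(frozen=True)
class SerialNumberInfo:
    raw: str
    scheme: str                      # "etsi" or "opaque"
    id_type: Optional[str] = None    # e.g. "PAS"
    country: Optional[str] = None    # e.g. "GR"
    identifier: Optional[str] = None # e.g. "AB1234567"


def parse_serial_number(value: str) -> SerialNumberInfo:
    """Classify a subject:serialNumber value.

    Anything that does not follow the ETSI layout with a registered type
    prefix is treated as an opaque, CA-chosen disambiguator: a relying party
    cannot interpret it without asking the CA.
    """
    m = ETSI_RE.match(value)
    if m and m.group("type") in ETSI_NATURAL_PERSON_TYPES:
        return SerialNumberInfo(value, "etsi", m.group("type"),
                                m.group("country"), m.group("ident"))
    return SerialNumberInfo(value, "opaque")


def parse_subject(dn: str) -> Dict[str, str]:
    """Parse the 'attr=value, attr=value' rendering used in the thread.
    Constructed helper; assumes no commas inside attribute values."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        attrs[key.strip()] = val.strip()
    return attrs


def identify_sender(subject_dns: List[str],
                    known: Tuple[str, str, str]) -> List[str]:
    """Return the subjects whose serialNumber matches what the relying party
    already knows about the expected sender, as (type, country, identifier),
    e.g. ("PAS", "GR", "AB1234567"). No CA assistance is involved."""
    matches = []
    for dn in subject_dns:
        info = parse_serial_number(parse_subject(dn).get("serialNumber", ""))
        if info.scheme == "etsi" and \
                (info.id_type, info.country, info.identifier) == known:
            matches.append(dn)
    return matches


# The two subjects from the thread: opaque numbers chosen by the CA.
OPAQUE_SUBJECTS = [
    "givenName=Katerina, surname=Papadopoulos, serialNumber=722486",
    "givenName=Katerina, surname=Papadopoulos, serialNumber=907235",
]

# Same two people with ETSI-style passport identifiers (numbers invented).
ETSI_SUBJECTS = [
    "givenName=Katerina, surname=Papadopoulos, serialNumber=PASGR-AB1234567",
    "givenName=Katerina, surname=Papadopoulos, serialNumber=PASGR-CD7654321",
]

if __name__ == "__main__":
    known = ("PAS", "GR", "AB1234567")  # what I know about my correspondent
    print("opaque serialNumbers ->", identify_sender(OPAQUE_SUBJECTS, known))
    print("ETSI serialNumbers   ->", identify_sender(ETSI_SUBJECTS, known))
```

With the opaque values the relying party gets an empty match list for both certificates, which is Adriano's point: the serialNumber disambiguates the two Subjects from the CA's perspective but carries nothing the recipient can check. With the ETSI-style values the same check singles out exactly one certificate from what the recipient already knows about the sender.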