[Smcwg-public] On the subject:serialNumber attribute

Wed Apr 13 11:15:35 UTC 2022

I would really be against requiring the serial number for individual SMIME
certificates contain a number assigned to the individual by the government.
This would be very problematic in the US.  What we discussed about the use
of this field was to enable the CA to ensure uniqueness when the name of
the individual may be common

Wendy

Wendy Brown
Supporting GSA FPKI
Protiviti Government Services

 703-965-2990 (cell)

wendy.brown at gsa.gov
wendy.brown at protiviti.com

On Wed, Apr 13, 2022 at 3:03 AM Dimitris Zacharopoulos (HARICA) via
Smcwg-public <smcwg-public at cabforum.org> wrote:

>
>
> On 4/4/2022 1:02 μ.μ., Adriano Santoni via Smcwg-public wrote:
>
> Hi all,
>
> I have some doubts about this part, in connection with IV and SV
> certificates:
>
> *7.1.4.2.2 Subject distinguished name fields*
>
> g. *Certificate Field*: subject:serialNumber (2.5.4.5)
> *Contents*: If present, the subject:serialNumber MAY be used to contain
> an identifier assigned by the CA or RA to identify and/or to disambiguate
> the Subscriber.
>
>
> I'm rather dubious about "an identifier assigned by the CA or RA" being
> appropriate. Unless a pseudonym is used, the Subscriber identity should be
> clear to Relying Parties without a need to query the CA or RA, which would
> however be necessary if such identifier was assigned by the CA or RA and
> the certificate contained no other disambiguating information.
>
> How about we decide, instead, that the subject: serialNumber MAY contain,
> for disambiguating purposes, a unique identifier of the Subscriber assigned
> to him/her by a government agency? It could be taken from the identity
> document that has been verified according to section 3.2.4 (Authentication
> of individual identity ) and encoded according to ETSI EN 319 412-1 Section
> 5.1.3 (e.g. IDCxx-nnnnn, PASxx-nnnnn, TINxx-nnnnn and so on).
>
> Apart from this, it seems to me that the purpose and requirements of this
> attribute are not very well explained in the various cases (MV, IV, OV,
> SV). For example, since the organizationIdentifier attribute is mandatory
> in the OV case, what would be the use of having the serialNumber in the
> subject as well?
>
> Adriano
>
>
> Sorry if this has already been discussed in S/MIME calls.
>
> Adriano, I don't think this is the situation today. According to ETSI, a
> CA is allowed to use a unique identifier in the subject:serialNumber field
> to disambiguate a natural person in collision cases. The use of TIN, IDC,
> PAS, etc is obviously allowed but not the only way to add a serialNumber.
> In fact, the use of these cases are associated with the semanticsIdentifier
> of the qcStatements. You can totally avoid that today and be compliant with
> the ETSI profiles.
>
> Thanks,
> Dimitris.
>
>
>
> _______________________________________________
> Smcwg-public mailing listSmcwg-public at cabforum.orghttps://lists.cabforum.org/mailman/listinfo/smcwg-public
>
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220413/d54157d7/attachment.html>