[Smcwg-public] On the subject:serialNumber attribute

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Apr 13 12:29:14 UTC 2022

I see your point, Wendy, however this seems to me a valid reason for not 
mandating the approach I am proposing, not for not recommending it 
(wherever possible).

We should ask ourselves how effectively does the triad of attributes 
(givenName, surname, a CA-assigned number) identify the subscriber of an 
IV certificate towards relying parties. While in the OV case the 
subscriber identification is accurate (thanks to the mandatory 
organizationalIdentifier attribute), in the IV case it seems to me 
rather weak/ambiguous.


Il 13/04/2022 13:15, Wendy Brown - QT3LB-C via Smcwg-public ha scritto:
> I would really be against requiring the serial number for individual 
> SMIME certificates contain a number assigned to the individual by the 
> government. This would be very problematic in the US.  What we 
> discussed about the use of this field was to enable the CA to ensure 
> uniqueness when the name of the individual may be common
> Wendy
> Wendy Brown
> Supporting GSA FPKI
> Protiviti Government Services
>  703-965-2990 (cell)
> wendy.brown at gsa.gov
> wendy.brown at protiviti.com
> On Wed, Apr 13, 2022 at 3:03 AM Dimitris Zacharopoulos (HARICA) via 
> Smcwg-public <smcwg-public at cabforum.org> wrote:
>     On 4/4/2022 1:02 μ.μ., Adriano Santoni via Smcwg-public wrote:
>>     Hi all,
>>     I have some doubts about this part, in connection with IV and SV
>>     certificates:
>>>     * Subject distinguished name fields*
>>>     g. *Certificate Field*: subject:serialNumber (
>>>     *Contents*: If present, the subject:serialNumber MAY be used to
>>>     contain an identifier assigned by the CA or RA to identify
>>>     and/or to disambiguate the Subscriber.
>>     I'm rather dubious about "an identifier assigned by the CA or RA"
>>     being appropriate. Unless a pseudonym is used, the Subscriber
>>     identity should be clear to Relying Parties without a need to
>>     query the CA or RA, which would however be necessary if such
>>     identifier was assigned by the CA or RA and the certificate
>>     contained no other disambiguating information.
>>     How about we decide, instead, that the subject: serialNumber MAY
>>     contain, for disambiguating purposes, a unique identifier of the
>>     Subscriber assigned to him/her by a government agency? It could
>>     be taken from the identity document that has been verified
>>     according to section 3.2.4 (Authentication of individual identity
>>     ) and encoded according to ETSI EN 319 412-1 Section 5.1.3 (e.g.
>>     IDCxx-nnnnn, PASxx-nnnnn, TINxx-nnnnn and so on).
>>     Apart from this, it seems to me that the purpose and requirements
>>     of this attribute are not very well explained in the various
>>     cases (MV, IV, OV, SV). For example, since the
>>     organizationIdentifier attribute is mandatory in the OV case,
>>     what would be the use of having the serialNumber in the subject
>>     as well?
>>     Adriano
>     Sorry if this has already been discussed in S/MIME calls.
>     Adriano, I don't think this is the situation today. According to
>     ETSI, a CA is allowed to use a unique identifier in the
>     subject:serialNumber field to disambiguate a natural person in
>     collision cases. The use of TIN, IDC, PAS, etc is obviously
>     allowed but not the only way to add a serialNumber. In fact, the
>     use of these cases are associated with the semanticsIdentifier of
>     the qcStatements. You can totally avoid that today and be
>     compliant with the ETSI profiles.
>     Thanks,
>     Dimitris.
>>     _______________________________________________
>>     Smcwg-public mailing list
>>     Smcwg-public at cabforum.org
>>     https://lists.cabforum.org/mailman/listinfo/smcwg-public
>     _______________________________________________
>     Smcwg-public mailing list
>     Smcwg-public at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/smcwg-public
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220413/b198b7fd/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220413/b198b7fd/attachment.p7s>

More information about the Smcwg-public mailing list