[Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
Stephen Davidson
Stephen.Davidson at digicert.com
Tue Aug 9 13:26:57 UTC 2022
Currently the text in 7.1.4.2.2 (d) says:
Note 2: For the following types of entities that do not have an identifier from the Registration Schemes listed in Appendix A <https://github.com/cabforum/smime/blob/preSBR/SBR.md#appendix-a---registration-schemes>:
* For Government Entities, the CA SHALL enter the text `Government Entity`.
* For International Organization Entities, the CA SHALL enter the text `International Organization Entity`. An International Organization Entity is founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments.
An option would be to change that text to:
Note 2: For the following types of entities that do not have an identifier from the Registration Schemes listed in Appendix A <https://github.com/cabforum/smime/blob/preSBR/SBR.md#appendix-a---registration-schemes>:
* For Government Entities, the CA SHALL enter the Registration Scheme identifier ‘GOV’ followed by the 2 character ISO 3166 country code for the nation in which the Government Entity is located. If the Government Entity is verified at a subdivision (state or province) level, then a plus "+" (0x2B (ASCII), U+002B (UTF-8)) followed by a 2 character ISO 3166-2 identifier for the subdivision is added.
* For International Organization Entities, the CA SHALL enter the Registration Scheme identifier ‘INTORG’ followed by the ISO 3166 code "XG". An International Organization Entity is founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments.
For example:
* GOVUS (Government Entity, United States)
* GOVUS+CA (Government Entity, United States - California)
* INTORGXG (International Organization)
Thoughts?
Regards, Stephen
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Corey Bonnell via Smcwg-public
Sent: Tuesday, August 9, 2022 8:11 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Adriano Santoni <adriano.santoni at staff.aruba.it>
Subject: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
We use “XG” to denote a Registration Scheme that is employed globally. Perhaps we can co-opt that for International Orgs.
From: Tim Hollebeek <tim.hollebeek at digicert.com>
Sent: Friday, August 5, 2022 11:27 AM
To: Corey Bonnell <Corey.Bonnell at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Adriano Santoni <adriano.santoni at staff.aruba.it>
Subject: RE: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
This is an interesting idea, and I like the fact that the disambiguation information is in a defined format and in a place that’s consistent with how we handle “normal” organizations, but how would it be extended to work for international organizations? Just use something like “INTORG” for them? Or do we require naming of at least one valid jurisdiction (the requirements require two, so one is always available), like “INTORG+US”? Do we care that NORAD could be encoded as “INTORG+CA” as well, violating encoding uniqueness? Do we go for “INTORG+US,CA” (probably not, the orgIDs are complicated enough already).
I think just “INTORG” is probably fine, as hopefully names of international organizations are more likely to be globally unique, unlike things like “Ministry of Finance” which is likely to exist in many countries and needs disambiguation.
-Tim
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Corey Bonnell via Smcwg-public
Sent: Friday, August 5, 2022 9:21 AM
To: Adriano Santoni <adriano.santoni at staff.aruba.it>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
I agree there needs to be disambiguating information contained within the certificate for these cases. However, mandating the use of the physical location attributes for this specific case would make the certificate profile more complex.
As an alternative approach, I suggest we define one or more orgID registration schemes and use the orgId attribute to convey the jurisdiction information. A few examples:
- A Government Entity located in Japan would have an orgID of “GOVJP”
- A Government Entity located in California, United States would have an orgID of “GOVUS+CA”
This will provide greater consistency in the certificate profile between those organizations which have registration numbers and those that do not.
Thanks,
Corey
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Adriano Santoni via Smcwg-public
Sent: Friday, August 5, 2022 3:04 AM
To: smcwg-public at cabforum.org
Subject: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
I totally agree with Martijn Katerbarg.
Adriano
ACTALIS S.p.A.
On 05/08/2022 09:02, Martijn Katerbarg via Smcwg-public wrote:
Should we at least require subject:countryName to be present in these specific cases?
Otherwise, we could end up having certificates with a subject looking like this (OV):
subject:organizationName: Ministry of Finance
This leaves no way of telling for which country and entity this is. Possibly the email address tld could tell someone, but that shouldn’t be relied upon.
I’ve done a comparison with EV certificates. There are currently EV certificates out there with O=Ministry of Finance and SN=Government Entity, spanning 12 different country codes.
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, 4 August 2022 16:49
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] OrganizationIdentifier for Gov and Treaty Orgs
Hello:
In recent calls the group discussed that some Government and International Organization entities may not have identifiers.
It was agreed to adopt a similar workaround to that provided in the EV Guidelines.
I have added text implementing that change as seen at https://github.com/cabforum/smime/pull/158/files
Regards, Stephen
Stephen Davidson
Governance, Risk & Compliance
stephen.davidson at digicert.com
O 1.441.278.2803 | M 1.441.505.4908
_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
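
Added example, not part of the thread or of the S/MIME requirements text: a Python sketch that parses the `GOV`/`INTORG` identifier shapes proposed in the message at the top of this thread and shows, on constructed subjects, the "Ministry of Finance" ambiguity raised earlier in it. The function names, the sample subjects, and the decision to check only the shape of the country and subdivision codes (not membership in ISO 3166) are assumptions.

```python
import re
from collections import defaultdict

# Shapes taken from the proposed Note 2 text: "GOV" + 2-character country code,
# optionally "+" and a 2-character subdivision; "INTORG" + "XG".
# Assumption: only the shape is checked, not membership in ISO 3166 / 3166-2.
_GOV = re.compile(r"GOV(?P<country>[A-Z]{2})(?:\+(?P<subdivision>[A-Z0-9]{2}))?")
_INTORG = "INTORGXG"


def parse_org_id(value):
    """Return (scheme, country, subdivision) or raise ValueError."""
    if value == _INTORG:
        return ("INTORG", "XG", None)
    match = _GOV.fullmatch(value)
    if match is None:
        raise ValueError(f"not a proposed GOV/INTORG identifier: {value!r}")
    return ("GOV", match["country"], match["subdivision"])


def colliding_subjects(subjects):
    """Return {(O, orgId): [entity, ...]} for pairs shared by several entities."""
    seen = defaultdict(set)
    for entity, org_name, org_id in subjects:
        seen[(org_name, org_id)].add(entity)
    return {key: sorted(ents) for key, ents in seen.items() if len(ents) > 1}


# Constructed sample subjects: (hypothetical entity label, O, organizationIdentifier).
FIXED_TEXT = [
    ("finance-ministry-jp", "Ministry of Finance", "Government Entity"),
    ("finance-ministry-nl", "Ministry of Finance", "Government Entity"),
]
PROPOSED = [
    ("finance-ministry-jp", "Ministry of Finance", "GOVJP"),
    ("finance-ministry-nl", "Ministry of Finance", "GOVNL"),
]

if __name__ == "__main__":
    for sample in ("GOVUS", "GOVUS+CA", "INTORGXG"):
        print(sample, "->", parse_org_id(sample))
    print("fixed text collisions:", colliding_subjects(FIXED_TEXT))
    print("proposed collisions:  ", colliding_subjects(PROPOSED))
```
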