[Smcwg-public] [EXTERNAL]-Re: Common Name contents

Doug Beattie doug.beattie at globalsign.com
Thu Mar 10 13:46:56 UTC 2022

I agree that we should not permit completely unvalidated info in the certificates, but can we delegate the validation of these 3 fields to the Enterprise RA to not include “misleading” information (without requiring CA and Enterprise audits)? Mandating formal audits of this data is a no-go, imo.


From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr> 
Sent: Thursday, March 10, 2022 7:59 AM
To: Doug Beattie <doug.beattie at globalsign.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Henschel, Andreas <a.henschel at d-trust.net>
Subject: Re: [Smcwg-public] [EXTERNAL]-Re: Common Name contents



On 10/3/2022 2:22 PM, Doug Beattie wrote:

If there are use cases that demand more, then let’s let them define those rules and policy OIDs to be used in the certificates on top of the profiles we’re defining here.

I'm afraid I can't support that position. We have always had rules to include validated information in the certificates, even "any other method" that the CA deems appropriate. Even for the subject:organizationalUnitName field, there were rules describing what the CA MUST NOT allow. Allowing fields without any vetting whatsoever is not correct IMHO. It should not be considered "appropriate" from the CA because it is not performing any sort of validation!

BTW, I agree with the position to bring in use cases and define rules. The WG needs to be a bit more active in that regard because it is the only way that existing use cases will be discussed, analyzed and safe practices included in the SMBRs. However, until we have those use cases brought forward so that the WG can define rules, I believe we should not allow them.

