[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Pedro FUENTES pfuentes at WISEKEY.COM
Thu Sep 29 09:40:43 UTC 2022


Hi there,
I was just thinking on the discussion yesterday about the Country, and the issue detected about the “Subject being validated” (and included in the certificate) to be the country where the company is registered (and I said “registered” because I understood there were opinions saying that this field would be redundant as we had already the organisation identifier, which is related to the country of registration).

Although we follow already this practice, so currently for MPKI customers we include the country of the company, as verified, this has recurrently annoyed some customers that have employees in different locations (sometimes changing the state/province, not necessarily the country), so maybe this deserves some discussion.

My first question would be… is there really consensus about setting the country as the country (and state, if present) where the company is registered? The current writing of the guidelines talks about the “Country of the Subject”, so until now it could be understood that this was about the person, not the company… I heard some discordant voices and for me wasn’t clear the general opinion.

My second question would be… could we specify in the certificate the country where the company “operates”, instead of the country where is registered? My rational for this question is as follows: Same as in the BR for SSL, it’s required to be done a “validation of physical existence”, and this could eventually allow to include in the certificate dutifully validated countries (or states) where the company operates, and not necessarily the country where the company is registered… This in fact opens up a possibility… Could it be understood that the company operates where the employee that gets the certificate is located?

My third question… once there’s intent to take the BR for SSL as reference… what about the obligation to include the state/province and country if the organisation name is present? Was this discussed? (maybe I missed that call) 

Best,
Pedro

WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey <http://www.wisekey.com/>

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220929/b1a8089f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3398 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220929/b1a8089f/attachment-0001.p7s>


More information about the Smcwg-public mailing list