[Smcwg-public] SubjectDirectoryAttributes in MV-Legacy

Russ Housley housley at vigilsec.com
Wed Apr 19 18:02:14 UTC 2023


I was thinking about a Qualified Certificate that also includes a subjectAltName with an rfc822Name.  I think this should be allowed if the mailbox is validated.

Russ


> On Apr 19, 2023, at 1:54 PM, Stephen Davidson <Stephen.Davidson at digicert.com> wrote:
> 
> Thanks Russ!
> True.
> But on the counterpoint: are there Qualified certificates that match the Mailbox-validated profile?
> It seems a lot of work to validate identity for such a constrained profile.
> ETSI EN 319 412-2 requires a subject contain at least C, GN/SN or Pseudonym, and CN.
> Best, Stephen
> 
> 
> 
> From: Russ Housley <housley at vigilsec.com>
> Sent: Wednesday, April 19, 2023 2:35 PM
> To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
> Subject: Re: [Smcwg-public] SubjectDirectoryAttributes in MV-Legacy
> 
> Stephen:
> 
> Qualified Certificates allow the SubjectDirectoryAttributes extension.  See section 3.2.2 of RFC 3739.  So, I think it should be allowed.
> 
> Russ
> 
> 
> 
> On Apr 18, 2023, at 6:40 PM, Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> Hello:
> 
> In working out lints for the S/MIME linter (more info to come), Corey observed that we didn't explicitly ban the SubjectDirectoryAttributes extension in a Mailbox-validated cert.  See (j) of https://github.com/cabforum/smime/blob/main/SBR.md#7123-subscriber-certificates.
> 
> We did allow the SubjectDirectoryAttributes extension to be used in the Legacy generation profiles, knowing that it is used in many legacy implementations, and that the Legacy generation will eventually be deprecated.
> 
> However, it seems odd to allow its use in the Mailbox-validated Legacy profile, which otherwise blocks the inclusion of Subject Identity information.
> 
> Does the SMCWG believe that the SubjectDirectoryAttributes extension should be allowed or disallowed in Mailbox-validated Legacy certs?
> In the event that the SubjectDirectoryAttributes extension is disallowed, is this acceptable to be clarified in the Erratum ballot or should it be defined as a new ballot?
> 
> This will be on agenda for our next call, but feel free to begin discussion.
> 
> Best, Stephen
> 
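As an added illustration of the kind of lint the thread is discussing (this is editorial example code, not the SMCWG linter's code or the SBR text), the rule logic below checks a Mailbox-validated subject for identity attributes, flags the SubjectDirectoryAttributes extension (OID 2.5.29.9), and checks that the subjectAltName carries an rfc822Name. The set of attributes treated as "identity", and the choice to report the extension as a warning in the Legacy generation (the open question above) and as an error otherwise, are assumptions made for this example; `lint_certificate` assumes the `cryptography` library is installed.

```python
from dataclasses import dataclass

SDA_OID = "2.5.29.9"   # id-ce-subjectDirectoryAttributes (RFC 5280 section 4.2.1.8)

# Assumed set of "subject identity" attributes for the Mailbox-validated check
# (illustrative; the SBR itself defines what a Mailbox-validated subject may carry).
IDENTITY_ATTRS = {
    "2.5.4.6": "C", "2.5.4.42": "GN", "2.5.4.4": "SN",
    "2.5.4.65": "pseudonym", "2.5.4.10": "O",
    "2.5.4.97": "organizationIdentifier",
}

@dataclass
class Finding:
    severity: str   # "error" or "warning"
    code: str
    message: str

def lint_mailbox_validated(subject_oids, extension_oids, rfc822_names, legacy):
    """Pure rule logic over already-parsed certificate fields.

    subject_oids:   dotted OIDs of the subject DN attributes, in order
    extension_oids: set of dotted OIDs of all certificate extensions
    rfc822_names:   rfc822Name values found in subjectAltName
    legacy:         True for the Legacy generation profile
    """
    findings = []
    for oid in subject_oids:
        if oid in IDENTITY_ATTRS:
            findings.append(Finding("error", "mv_subject_identity",
                f"subject carries identity attribute {IDENTITY_ATTRS[oid]} ({oid})"))
    if SDA_OID in extension_oids:
        # Assumed policy: warn in Legacy (still under discussion), error elsewhere.
        severity = "warning" if legacy else "error"
        findings.append(Finding(severity, "mv_subject_directory_attributes",
            "SubjectDirectoryAttributes (2.5.29.9) present in Mailbox-validated cert"))
    if not rfc822_names:
        findings.append(Finding("error", "mv_missing_rfc822name",
            "no rfc822Name in subjectAltName"))
    return findings

def lint_certificate(cert, legacy):
    """Extract the fields from a cryptography x509.Certificate and lint them."""
    from cryptography import x509   # assumed available; imported lazily
    subject_oids = [attr.oid.dotted_string for attr in cert.subject]
    extension_oids = {ext.oid.dotted_string for ext in cert.extensions}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = san.value.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        names = []
    return lint_mailbox_validated(subject_oids, extension_oids, names, legacy)
```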