[Smcwg-public] CommonNames, Pseudonyms, GivenNames and Surnames
Stephen.Davidson at digicert.com
Tue Jul 18 14:25:00 UTC 2023
Yes, thank you Rob and Clint.
Please add it to the issues list in GitHub, so we can track it for the next ballot.
As it happens, I think that Pseudonyms have been an area of interest in the Sponsor-validated type during the implementation of the SBR, so a “revisit” based on that experience may be in order after September.
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Clint Wilson via Smcwg-public
Sent: Monday, July 17, 2023 3:16 PM
To: Robert Lee <robert.lee at globalsign.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] CommonNames, Pseudonyms, GivenNames and Surnames
I think minimally filing an issue in https://github.com/cabforum/smime/issues would be a good thing to do to track this potential conflict.
FWIW, I also think the issue identified is indeed an issue (though probably not major) and your proposed updates seem reasonable to me as well.
On Jul 13, 2023, at 6:52 AM, Robert Lee via Smcwg-public <smcwg-public at cabforum.org> wrote:
I’m emailing because I think some further clarification may be needed in section 184.108.40.206.2(a) around commonNames as Personal Names or Pseudonyms (capital ‘P’ based on SMC03 changes).
What I think is needed is to align some of the uses of commonNames with the existing rules around if subject:pseudonym is present then subject:givenName/subject:surname SHALL NOT be present and the vice versa rule. My understanding/assumption is that the pseudonym/givenName/surname rules are in place to make an SMIME certificate a Pseudonym cert or a Personal Name cert and not to be both at the same time (especially as putting one’s name into the cert would dramatically reduce any privacy afforded by using a Pseudonym).
However, the options for commonName in sponsor and individual validated certificates don't entirely work with the above as currently you _could_ have a subject:pseudonym and then put your Personal Name in the commonName which doesn't track with my understanding/assumption of what the pseudonym/givenName/surname rules are supposed to achieve.
I don’t think it’s a difficult thing to fix though. Adding the following lines to 220.127.116.11.2(a) should close this hole effectively enough:
“If the subject:commonName contains a Pseudonym, then the subject:givenName and/or subject:surname attributes SHALL NOT be present.”
“If the subject:commonName contains a Personal Name, then the subject:pseudonym attribute SHALL NOT be present.”
If people broadly agree with my suggestion then I’m happy to make a PR into the BRs or somewhere else if, like SMC03, there’ll be a branch collecting changes in someone’s fork of the document.
Dr. Robert Lee MEng PhD
Senior Software Engineer with Cryptography SME
www.globalsign.co.uk | www.globalsign.eu
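The gap discussed in this thread can be shown as a pre-issuance lint. This is an added example, not code from the thread's participants or from the CA/Browser Forum. The `cn_kind` field (the CA's own record of what it validated the commonName as), the function names, the sample subjects and the review heuristic for already-issued certificates are all assumptions made for illustration.

```python
NAME_ATTRS = ("givenName", "surname")

def lint_existing(subject):
    """Rule the thread describes as already in place: subject:pseudonym and
    subject:givenName/surname must not appear together."""
    if "pseudonym" in subject and any(a in subject for a in NAME_ATTRS):
        return ["existing: pseudonym present with givenName/surname"]
    return []

def lint_proposed(subject, cn_kind):
    """The two sentences proposed in the thread. cn_kind is a hypothetical
    field: the certificate itself does not say what kind of name the CN is."""
    findings = []
    if cn_kind == "pseudonym" and any(a in subject for a in NAME_ATTRS):
        findings.append("proposed: Pseudonym in commonName with givenName/surname")
    if cn_kind == "personal_name" and "pseudonym" in subject:
        findings.append("proposed: Personal Name in commonName with pseudonym")
    return findings

def audit_heuristic(subject):
    """Assumed heuristic for issued certificates, where cn_kind is unknown:
    queue for manual review, do not treat as a violation."""
    cn, pseud = subject.get("commonName"), subject.get("pseudonym")
    if cn is not None and pseud is not None and cn != pseud and "@" not in cn:
        return ["review: commonName differs from pseudonym and is not a mailbox"]
    return []

# Constructed sample subjects (not taken from real certificates).
GAP = {"commonName": "Alex Example", "pseudonym": "NightOwl"}
REVERSE_GAP = {"commonName": "NightOwl", "givenName": "Alex", "surname": "Example"}
CLEAN_PSEUDONYM = {"commonName": "NightOwl", "pseudonym": "NightOwl"}
CLEAN_PERSONAL = {"commonName": "Alex Example", "givenName": "Alex",
                  "surname": "Example"}

if __name__ == "__main__":
    cases = [("gap", GAP, "personal_name"),
             ("reverse gap", REVERSE_GAP, "pseudonym"),
             ("clean pseudonym", CLEAN_PSEUDONYM, "pseudonym"),
             ("clean personal", CLEAN_PERSONAL, "personal_name")]
    for name, subject, kind in cases:
        print(name, lint_existing(subject), lint_proposed(subject, kind),
              audit_heuristic(subject))
```

Both gap subjects pass the existing attribute rule and are caught only by the proposed sentences, which is the hole the original message describes.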