[Smcwg-public] SV certificates devoid of individual attributes

Martijn Katerbarg martijn.katerbarg at sectigo.com
Mon Oct 16 14:16:31 UTC 2023


Hi Adriano, 

Yes, I do believe you’re correct. Taking your example, the only difference would be the Policy OID in the certificate. 

I’m not sure why anyone would in that case opt for a Sponsor Validated cert over OV, however it does appear to be compliant, yet only for Legacy templates. 

Regards,

Martijn 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org>
Date: Monday, 16 October 2023 at 15:52
To: smcwg-public at cabforum.org <smcwg-public at cabforum.org>
Subject: [Smcwg-public] SV certificates devoid of individual attributes 



Hello all, 
I have the impression that the current SMBRs allow issuing Sponsor-Validated certificates which, contrary to the definition of this type of certificate, do not contain any "Individual (Natural Person) attributes" (quoting from the definition of Sponsor-Validated). At least, this seems to hold for the "Legacy Generation profiles". 

* according to §3.1.1 and §7.1.4.2.2, the commonName does not necessarily have to contain a Personal Name (in fact it MAY contain a Mailbox Address) 

* according to §7.1.4.2.5, givenName and surname attributes are not required in "Legacy Generation profiles". 
Furthermore, as already discussed in a previous thread, there is no requirement that a personal email address have a "personal" appearance (e.g. forename.surname at company.com). 
Therefore, if I understand correctly, a Subject of the following type within a "Legacy" SV (Sponsor-Validated) certificate would be 100% compliant: 
CN=info at example.com, O=Example HmbH, organizationIdentifier=NTRXX-xxxxx, C=XX 
If this is true, it would make no difference if the certificate was OV rather than SV: the Subject could be identical in the two cases, and it would be devoid of "Individual (Natural Person) attributes". 
Is the above correct, or am I missing something? 
Adriano 
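The subject-profile question raised in this thread, as an added example that is not part of the list discussion or of the SMBRs: a small Python checker that parses a string Subject DN, lists the attributes identifying a natural person (givenName, surname, pseudonym, or a CN that is not a Mailbox Address) and reports, for a Sponsor-Validated certificate, whether the absence of such attributes is the Legacy case described above. The policy OID values for the Sponsor-Validated profiles are my reading of SMBR §7.1.6.1 and are an assumption; treating every non-mailbox CN as a Personal Name is a simplification.

```python
"""Check an S/MIME Subject DN for natural-person attributes (added example)."""
import re
from typing import List, Tuple

# Attribute types that identify a natural person. CN counts only when it
# holds a Personal Name rather than a Mailbox Address (SMBR 7.1.4.2.2).
PERSON_ATTRS = {"givenname", "surname", "pseudonym"}

# Sponsor-Validated policy OIDs by generation (assumed values, SMBR 7.1.6.1).
SV_OIDS = {
    "2.23.140.1.5.3.1": "legacy",
    "2.23.140.1.5.3.2": "multipurpose",
    "2.23.140.1.5.3.3": "strict",
}

# Simplified Mailbox Address shape: local-part@domain with at least one dot.
MAILBOX_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, honouring '\\,' escapes."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.strip().partition("=")
        pairs.append((attr_type.strip(), value.strip().replace("\\,", ",")))
    return pairs


def individual_attributes(dn: str) -> List[str]:
    """Return the attribute types in the DN that identify a natural person."""
    found = []
    for attr_type, value in parse_dn(dn):
        lowered = attr_type.lower()
        if lowered in PERSON_ATTRS:
            found.append(attr_type)
        elif lowered == "cn" and not MAILBOX_RE.match(value):
            found.append(attr_type)  # CN carrying a Personal Name, not a mailbox
    return found


def assess(dn: str, policy_oid: str) -> Tuple[bool, str]:
    """Classify a subject against the SV profile named by its policy OID."""
    attrs = individual_attributes(dn)
    profile = SV_OIDS.get(policy_oid)
    if profile is None:
        return (bool(attrs), "not-sponsor-validated")
    if attrs:
        return (True, "ok")
    if profile == "legacy":
        # Compliant per the thread, but indistinguishable from OV except by OID.
        return (False, "legacy-mailbox-only")
    return (False, "missing-individual-attrs")
```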




