[Smcwg-public] [External Sender] Re: SV certificates devoid of individual attributes

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Oct 16 14:28:21 UTC 2023


Well, in my opinion that's not a good thing.

Adriano

On 16/10/2023 16:16, Martijn Katerbarg wrote:
>
> Hi Adriano,
>
>
> Yes, I do believe you’re correct. Taking your example, the only 
> difference would be the Policy OID in the certificate.
>
> I’m not sure why anyone would in that case opt for a Sponsor Validated 
> cert over OV, however it does appear to be compliant, yet only for 
> Legacy templates.
>
> Regards,
>
> Martijn
>
> *From: *Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of 
> Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org>
> *Date: *Monday, 16 October 2023 at 15:52
> *To: *smcwg-public at cabforum.org <smcwg-public at cabforum.org>
> *Subject: *[Smcwg-public] SV certificates devoid of individual attributes
>
> Hello all,
>
> I have the impression that the current SMBRs allow the issuance of 
> Sponsor-Validated certificates which, contrary to the definition of 
> this type of certificate, do not contain any "Individual (Natural 
> Person) attributes" (quoting from the definition of 
> Sponsor-Validated). At least, this seems to hold for the "Legacy 
> Generation profiles".
>
>   * according to §3.1.1 and §7.1.4.2.2, the commonName does not
>     necessarily have to contain a Personal Name (in fact it MAY
>     contain a Mailbox Address)
>
>   * according to §7.1.4.2.5, givenName and surname attributes are not
>     required in "Legacy Generation profiles".
>
> Furthermore, as already discussed in a previous thread, there is no 
> requirement that a personal email address have a "personal" appearance 
> (e.g. forename.surname at company.com).
>
> Therefore, if I understand correctly, a Subject of the following type 
> within a "Legacy" SV (Sponsor-Validated) certificate would be 100% 
> compliant:
>
> CN=info at example.com, O=Example HmbH, 
> organizationIdentifier=NTRXX-xxxxx, C=XX
>
> If this is true, it would make no difference if the certificate was OV 
> rather than SV: the Subject could be identical in the two cases, and 
> it would be devoid of "Individual (Natural Person) attributes".
>
> Is the above correct, or am I missing something?
>
> Adriano
>
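
Added example (not part of the original messages and not CA/Browser Forum code): a small Python check for the case discussed in this thread, flagging a Sponsor-Validated certificate whose Subject carries no individual attributes. It assumes the S/MIME BR policy OID arcs 2.23.140.1.5.3.x (Sponsor-validated) and 2.23.140.1.5.2.x (Organization-validated), a simple comma-separated Subject string, and that any commonName which is not a mailbox address is a personal name or pseudonym; the function names and the sample personal name are hypothetical.

```python
import re

# Assumed S/MIME BR policy OID arcs: 2.23.140.1.5.<type>.<generation>
SPONSOR_VALIDATED_ARC = "2.23.140.1.5.3."
# Subject attribute types that identify a natural person (short and long names).
INDIVIDUAL_TYPES = {"givenname", "gn", "surname", "sn", "pseudonym"}
# Mailbox address; the list archive rewrites "@" as " at ", so accept both.
MAILBOX_RE = re.compile(r"^[^@\s]+(?:@| at )[^@\s]+\.[^@\s]+$")


def parse_subject(dn):
    """Split 'type=value, type=value' into (type, value) pairs.
    Assumption: values contain no escaped commas or multi-valued RDNs."""
    pairs = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def individual_attributes(dn):
    """Return the Subject attributes that describe a natural person."""
    found = []
    for attr_type, value in parse_subject(dn):
        if attr_type in INDIVIDUAL_TYPES:
            found.append((attr_type, value))
        elif attr_type in ("cn", "commonname") and not MAILBOX_RE.match(value):
            # Assumption: a non-mailbox CN in an SV cert is a personal name/pseudonym.
            found.append((attr_type, value))
    return found


def lint_sponsor_validated(dn, policy_oids):
    """Return findings for an SV certificate devoid of individual attributes."""
    is_sv = any(oid.startswith(SPONSOR_VALIDATED_ARC) for oid in policy_oids)
    if is_sv and not individual_attributes(dn):
        return ["sponsor-validated policy OID but Subject has no individual attributes"]
    return []


# Constructed samples: the Subject from the thread, and one with a personal name.
THREAD_SUBJECT = "CN=info@example.com, O=Example HmbH, organizationIdentifier=NTRXX-xxxxx, C=XX"
NAMED_SUBJECT = "CN=Mario Rossi, O=Example HmbH, organizationIdentifier=NTRXX-xxxxx, C=XX"

if __name__ == "__main__":
    for oid in ("2.23.140.1.5.3.1", "2.23.140.1.5.2.1"):  # SV legacy, OV legacy
        print(oid, lint_sponsor_validated(THREAD_SUBJECT, [oid]))
    print(lint_sponsor_validated(NAMED_SUBJECT, ["2.23.140.1.5.3.1"]))
```

Run against the thread's Subject, only the policy OID decides whether a finding is raised, which is the point both messages make.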