[Smcwg-public] [External Sender] Re: Re: SV certificates devoid of individual attributes

Tue Oct 17 05:50:08 UTC 2023

Hi,

Telia had a legacy use case to create smime certificates to enterprise RA for some teams instead of a single persons. For that purpose it would be good to omit subject:givenName and subject:surname and put group name to CN and still use O value also. I suppose this is one use case for the conditions below?

Br Pekka
Telia

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Smcwg-public
Sent: Monday, October 16, 2023 7:38 PM
To: Adriano Santoni <adriano.santoni at staff.aruba.it>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] [External Sender] Re: Re: SV certificates devoid of individual attributes

Happy to work with you on that. I do wonder what the cause and original intent behind this was.

I wonder if they key lies in the Note added to section 7.1.4.2.5:
“Legacy Generation profiles MAY omit the subject:givenName, subject:surname, and subject:pseudonym attributes and include only the subject:commonName as described in Section 7.1.4.2.2(a)<https://github.com/cabforum/smime/blob/main/SBR.md#71422-subject-distinguished-name-fields>.”

Could it be that the original intent here was that subject:givenName, subject:surname and subject:pseudonym are allowed to be left out, only if subject:commonName was included and had either the pseudonym or givenName+surname in it?
I could see that as a possible legacy use case, with the intend to deprecate. I’m not sure if any CA needs that use case at current though.

Regards,

Martijn

From: Smcwg-public <smcwg-public-bounces at cabforum.org<mailto:smcwg-public-bounces at cabforum.org>> on behalf of Adriano Santoni via Smcwg-public <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>>
Date: Monday, 16 October 2023 at 18:09
To: smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org> <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>>
Subject: Re: [Smcwg-public] [External Sender] Re: Re: SV certificates devoid of individual attributes
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I would suggest an amendment in order to correct this unintended result; I'm available to dratf a proposal it if there are any endorsers.

Adriano

Il 16/10/2023 17:17, Dimitris Zacharopoulos via Smcwg-public ha scritto:
NOTICE: Pay attention - external email - Sender is 0100018b3910b1a1-5f63e11d-cb86-4599-8385-07abf817d4d1-000000 at amazonses.com<mailto:0100018b3910b1a1-5f63e11d-cb86-4599-8385-07abf817d4d1-000000 at amazonses.com>

I agree it's not a good thing. The SV profile was to support certificates that include attributes of individuals validated by the Enterprise RA. If we allow those to be missing, making it effectively an OV Certificate, seems like an unintended result.

Best regards,

_______________________________________________

Smcwg-public mailing list

Smcwg-public at cabforum.org<mailto:Smcwg-public at cabforum.org>

https://lists.cabforum.org/mailman/listinfo/smcwg-public

This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing, distributing or retaining copies thereof or disclosing its contents to any other person.

Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s Privacy Policy<https://www.teliacompany.com/en/about-the-company/privacy/>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20231017/3490c64e/attachment.html>