[Smcwg-public] Individual email addresses in OV certs
Berge, Jochem Van den
jochem.vanden.berge at logius.nl
Fri Sep 15 15:17:30 UTC 2023
I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I think you might have a point that it is not defined in the SBRG:
This section defines the permitted processes and procedures for confirming the Applicant’s
control of Mailbox Addresses to be included in issued Certificates.
As far as I can see, if the Applicant (or its representative) can demonstrate control over the mailbox in question it looks like it is allowed. Other entries in section 3 or in section 7 are silent on this point.
If you look at TLS certificates the relation between the (owner of a) FQDN and the organization included in the certificate can be (and often is) different (provided the applicant can prove to have control over the FQDN).
The same kind of mechanic could apply here. I think it boils down to whether it was ever the intent to derive any identifying information from an email address, or only to use it for a cryptographic link (like TLS)?
If the decision were that the email address should have some identifying properties, I just realized that, except for the obvious cases (like the one you addressed), it is very difficult to put such a requirement into words. What would be the definition of an organization-controlled email address? And how would a CA be able to check that it is? The example you list of sole proprietorships can also be tricky for a CA to check, and potentially opens up a can of worms.
Long story short, my take is that it is possible and that this isn’t something we can easily fix. I think it boils down to a more fundamental choice of what the intent is of the different types of profiles as defined in the SBRGs. Seeing that I wasn’t involved with the earliest beginnings of this WG I can’t answer that question, but I hope that others can shed some light on it ☺.
Jochem van den Berge
Digital Government Service
Ministry of the Interior and Kingdom Relations
M (+31) (0)6 – 21 16 26 89
T (+31) (0)70 - 888 76 91
jochem.vanden.berge at logius.nl
workdays Mo-Tue & Thu-Fri
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Adriano Santoni via Smcwg-public
Sent: Friday 15 September 2023 06:55
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Individual email addresses in OV certs
Given that an S/MIME OV certificate is characterized by the fact that it conveys the identity of an organization, is it acceptable for an OV certificate to contain an email address that is clearly associated with an individual mailbox (e.g. name.surname at companydomain.tld)?
If I'm not mistaken, this aspect is not touched on in the BR and it therefore seems reasonable to assume that the above case is permitted. However, the fact that the Applicant only controls an individual email address somehow feels "inappropriate" for an OV certificate, so to say.
It seems okay for sole proprietorships, but in other cases (legal persons with several employees) it seems inconsistent.
Maybe the answer is already there, in the BR, but I cannot see it.
Any comments welcome.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.