[Smcwg-public] [External Sender] RE: Individual email addresses in OV certs

Adriano Santoni adriano.santoni at staff.aruba.it
Sat Sep 16 05:22:51 UTC 2023

Hi Jochem,

thanks for sharing your thoughts; as you say, they don't answer my 
question, but they do add useful insight.


Il 15/09/2023 17:17, Berge, Jochem Van den ha scritto:
> NOTICE: Pay attention - external email - Sender is 
> prvs=615b3b199=jochem.vanden.berge at logius.nl
> Hi Adriano,
> I’ve gone over the SBRGs and reading section 3.2.2 of the SBRGs I 
> think you might have a point that it is not defined in the SBRG:
> /This section defines the permitted processes and procedures for 
> confirming the *Applicant’s*/
> */control/* /of Mailbox Addresses to be included in issued Certificates./
> As far as I can see, if the Applicant (or it’s representative) can 
> demonstrate control over the mailbox in question it looks like it is 
> allowed. Other entries in section 3 or in section 7 are mute on this 
> point.
> If you look at TLS certificates the relation between the (owner of a) 
> FQDN and the organization included in the certificate can be (and 
> often is) different (provided the applicant can prove to have control 
> over the FQDN).
> The same kind of mechanic could apply here. I think it boils down to 
> if it ever was the intent to derive any identifying information from 
> an email address or only use it for a cryptographic link (like TLS)?
> If the decision would be that the email address should have some 
> identifying properties I just realized that except for the obvious 
> cases (like the one you addressed) it is very difficult to put such a 
> requirement into words. What would be the definition of an 
> organization controlled email address? And how would a CA be able to 
> check that it is? The example you list of sole proprietorships can 
> also be tricky to check by a CA, and potentially opens up a can of worms.
> Long story short, my take is that it is possible and that isn’t 
> something we can easily fix. I think it boils down to a more 
> fundamental choice of what the intent is of the different types of 
> profiles as defined in the SBRGs. Seeing that I wasn’t involved with 
> the earliest beginning of this WG I can’t answer that question but I 
> hope that other can shed some light on it J.
> Kind Regards,
> Jochem van den Berge
> Architect PKIoverheid
> *Logius*
> Digital Government Service
> Ministry of the Interior and Kingdom Relations
> ........................................................................
> *M* (+31) (0)6 – 21 16 26 89
> *T * (+31) (0)70 - 888 76 91**
> jochem.vanden.berge at logius.nl <mailto:jochem.vanden.berge at logius.nl>_
> _ www.logius.nl <http://www.logius.nl/>__
> workdays Mo-Tue & Thu-Fri
> ........................................................................
> *Van:* Smcwg-public <smcwg-public-bounces at cabforum.org> *Namens* 
> Adriano Santoni via Smcwg-public
> *Verzonden:* vrijdag 15 september 2023 06:55
> *Aan:* smcwg-public at cabforum.org
> *Onderwerp:* [Smcwg-public] Individual email addresses in OV certs
> Hello all,
> given that an S/MIME OV certificate is characterized by the fact that 
> it conveys the identity of an organization, it is acceptable for an OV 
> certificate to contain an email address that is clearly associated 
> with an individual mailbox (e.g. name.surname at companydomain.tld) ?
> If I'm not mistaken, this aspect is not touched on in the BR and it 
> therefore seems reasonable to assume that the above case is permitted. 
> However, the fact that the Applicant only controls an individual email 
> address somehow feels "inappropriate" for an OV certificate, so to say.
> It seems okay for sole proprietorships, but in other cases (legal 
> persons with several employees) it seems inconsistent.
> Maybe the answer is already there, in the BR, but I cannot see it.
> Any comments welcome.
> Adriano
> ------------------------------------------------------------------------
> Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien 
> u niet de geadresseerde bent of dit bericht abusievelijk aan u is 
> toegezonden, wordt u verzocht dat aan de afzender te melden en het 
> bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor 
> schade, van welke aard ook, die verband houdt met risico's verbonden 
> aan het elektronisch verzenden van berichten.
> This message may contain information that is not intended for you. If 
> you are not the addressee or if this message was sent to you by 
> mistake, you are requested to inform the sender and delete the 
> message. The State accepts no liability for damage of any kind 
> resulting from the risks inherent in the electronic transmission of 
> messages.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230916/544371f5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4461 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230916/544371f5/attachment-0001.p7s>

More information about the Smcwg-public mailing list