[Smcwg-public] [External Sender] Re: Fields for S/MIME CSRs
Adriano Santoni
adriano.santoni at staff.aruba.it
Sat Sep 30 06:48:09 UTC 2023
I fully concur with Clint Wilson.
Adriano
Il 29/09/2023 17:52, Clint Wilson via Smcwg-public ha scritto:
> Hi all,
>
> In my opinion, CSRs should really be limited to conveying the public
> key and a proof of possession of the private key; the fields included
> therein /may/ act as confirmatory signals for a CA, but shouldn’t be
> directly relied upon e.g. to generate a tbsCertificate. Rather, the
> values placed in fields of a tbsCertificate should originate from the
> CA’s validated data store to ensure that the only paths for data to
> become part of a signed certificate are through static configurations
> (e.g. signatureAlgorithm) or known-validated data.
>
> There’s plenty of nuance we can discuss as well, but generally
> speaking I believe it’s bad practice to rely on fields in the CSR.
>
> Cheers,
> -Clint
>
>> On Sep 29, 2023, at 8:27 AM, Ben Wilson via Smcwg-public
>> <smcwg-public at cabforum.org> wrote:
>>
>> All,
>> I'm interested in gathering information from Certificate Issuers
>> about the kind of information that they would like to collect/extract
>> from the CSRs they receive from S/MIME certificate applicants. This
>> information could be used to refine a system to generate CSRs that
>> result in certificates compliant with the various profiles defined in
>> the S/MIME BRs. Alternatively, what is the minimum amount of
>> information that CAs might expect to obtain from CSRs? In other
>> words, which fields should a CSR generator integrated with a
>> Certificate Consumer's software support?
>> Thanks,
>> Ben
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230930/167d240d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230930/167d240d/attachment.p7s>
More information about the Smcwg-public
mailing list