[Smcwg-public] Fields for S/MIME CSRs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sat Sep 30 14:12:33 UTC 2023

On 30/9/2023 4:39 μ.μ., Stephen Davidson via Smcwg-public wrote:
> Hello all:
> If widely supported, should we consider documenting this in the S/MIME BR?

I had the impression that this is was the common understanding and 
already a dominating practice (using only the public key out of a CSR). 
There are many documented CA incidents 
(https://wiki.mozilla.org/CA/Closed_Incidents) that explain that using 
any information inside a CSR other than the public key, is dangerous and 
could result even in attribute encoding issues.

I am very supportive of adding this clarification/guidance into the 
S/MIME BRs and other BRs :)


> Best, Stephen
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of 
> *Clint Wilson via Smcwg-public
> *Sent:* Friday, September 29, 2023 12:52 PM
> *To:* Ben Wilson <bwilson at mozilla.com>; SMIME Certificate Working 
> Group <smcwg-public at cabforum.org>
> *Subject:* Re: [Smcwg-public] Fields for S/MIME CSRs
> Hi all,
> In my opinion, CSRs should really be limited to conveying the public 
> key and a proof of possession of the private key; the fields included 
> therein /may/ act as confirmatory signals for a CA, but shouldn’t be 
> directly relied upon e.g. to generate a tbsCertificate. Rather, the 
> values placed in fields of a tbsCertificate should originate from the 
> CA’s validated data store to ensure that the only paths for data to 
> become part of a signed certificate are through static configurations 
> (e.g. signatureAlgorithm) or known-validated data.
> There’s plenty of nuance we can discuss as well, but generally 
> speaking I believe it’s bad practice to rely on fields in the CSR.
> Cheers,
> -Clint
>     On Sep 29, 2023, at 8:27 AM, Ben Wilson via Smcwg-public
>     <smcwg-public at cabforum.org> wrote:
>     All,
>     I'm interested in gathering information from Certificate Issuers
>     about the kind of information that they would like to
>     collect/extract from the CSRs they receive from S/MIME certificate
>     applicants. This information could be used to refine a system to
>     generate CSRs that result in certificates compliant with the
>     various profiles defined in the S/MIME BRs. Alternatively, what is
>     the minimum amount of information that CAs might expect to obtain
>     from CSRs? In other words, which fields should a CSR generator
>     integrated with a Certificate Consumer's software support?
>     Thanks,
>     Ben
>     _______________________________________________
>     Smcwg-public mailing list
>     Smcwg-public at cabforum.org
>     https://url.avanan.click/v2/___https://lists.cabforum.org/mailman/listinfo/smcwg-public___.YXAzOmRpZ2ljZXJ0OmE6bzo0ODEzZjE5MTQ3NmQzMzBiY2EzZTg1MTAwNWYzODA0NTo2OjgzYjE6YjY4YzcwZWIwNTgwZmY3MmVlMjljNzM5Yzg0YmE4OWMyYTUwMDJmODE3NWY5ZTBjOWI5NzFiZjllODc2YjMwMjp0OkY
>     <https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/smcwg-public___.YXAzOmRpZ2ljZXJ0OmE6bzo0ODEzZjE5MTQ3NmQzMzBiY2EzZTg1MTAwNWYzODA0NTo2OjgzYjE6YjY4YzcwZWIwNTgwZmY3MmVlMjljNzM5Yzg0YmE4OWMyYTUwMDJmODE3NWY5ZTBjOWI5NzFiZjllODc2YjMwMjp0OkY>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230930/5f8d550e/attachment.html>

More information about the Smcwg-public mailing list