cabforum / smime

Repository for the S/MIME Certificate Working Group

Repeated subject DN attributes #199

Open robplee opened 1 year ago

robplee commented 1 year ago

I think the SMIME BRs are currently a little too unclear on whether subject DN attributes can appear more than once. Some of the language seems to suggest it is acceptable to have some of these attributes more than once, while other text suggests it's not allowed. I think it would help to include some text concretely stating whether this is allowed or not.

An example: 7.1.4.2.2.b subject:organizationName. This section has various bits of guidance in it which could be interpreted in different directions, such as "If present, the subject:organizationName field [ed. note, singular] SHALL contain ..." and also "The CA MAY include ... common variations or abbreviations [ed. note, plurals]". I appreciate I'm taking a particular interpretation on the latter one to suggest I could include two organization names to cover common variations or abbreviations. My assumption is the text is written to allow me to use some variations and abbreviations in my single subject:organizationName; for example, for "Three Letter Acronym Limited" I could have an organizationName of "TLA Ltd." But I think it's not as clear as it could be that I'm only allowed one organizationName.

I think this is easily rectified, however. The Server Cert BRs contain some extremely clear guidance on this question of subject attributes in section 7.1.4.1 which could be copied into the SMIME BRs. Given that section 7.1.4.1 in the SMIME BRs already seems to have been lifted entirely from section 7.1.4.1 in the Server Cert BRs, I would assume there wouldn't be a problem with lifting more text from the Server Cert BRs into SMIME to clarify this ambiguity.

srdavidson commented 1 year ago

For reference the TLS BR text is seen at https://github.com/cabforum/servercert/blob/main/docs/BR.md#7141-name-encoding

CBonnell commented 1 year ago

The TLS BR profile disallows multiple instances of givenName and surname. This is one area we may want to relax for SMBR.

jochemvdberge commented 11 months ago

@CBonnell Out of interest, why would you allow multiple instances of givenName and/or surname for a S/MIME certificate?

CBonnell commented 11 months ago

In certain regions such as Spain, it is common for subjects to have multiple given names or surnames. A cursory glance at a Spanish QTSP's certificate profiles document indicates that the use of multiple surname attributes (each one containing one of the subject's apellidos) may be employed. In the absence of CT for S/MIME, I haven't seen such a certificate in the wild. However, I think the inclusion of multiple givenName/surname attributes to cover these cases seems reasonable and should not be prohibited outright.

romanf commented 11 months ago

I would think that multiple given names can be put into one "givenName" field. That would also avoid the problem of ordering multiple givenName fields, or having given names that contain e.g. hyphens ("Hans-Jürg" vs "Hans Jürg", which are both common given names in German)...

As a side-note: At the recent CA/B F2F meeting it was discussed if the requirement for givenName/surname vs. commonName in the Multipurpose and Strict profiles should be dropped.
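A quick check of the rule under discussion, as an added example that is not part of this issue or of the cabforum/smime repository: it walks a DER-encoded subject Name, counts each attribute type across all RDNs (multi-valued RDNs included), and reports repeats, with an optional allow-list for the givenName/surname relaxation suggested above. The DER helpers, OID table and sample subject are my own constructions and assume short-form lengths only.

```python
# Check an X.509 subject Name (DER) for repeated attribute types. Constructed example;
# the tiny DER helpers assume short-form lengths and single-byte OID arcs (true for 2.5.4.x).
from collections import Counter

ATTR_OIDS = {"commonName": "2.5.4.3", "surname": "2.5.4.4",
             "givenName": "2.5.4.42", "organizationName": "2.5.4.10",
             "countryName": "2.5.4.6"}
OID_ATTRS = {v: k for k, v in ATTR_OIDS.items()}

def _der(tag, body):  # one TLV; short-form length only (body < 128 bytes)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _tlvs(buf):  # yield (tag, value) for the consecutive TLVs in buf
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        yield tag, buf[pos + 2:pos + 2 + length]
        pos += 2 + length

def atv(attr, text):  # AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }
    a = [int(x) for x in ATTR_OIDS[attr].split(".")]
    oid = bytes([40 * a[0] + a[1]] + a[2:])
    return _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode()))

def rdn(*atvs):  # RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    return _der(0x31, b"".join(atvs))
def name(*rdns):  # Name ::= SEQUENCE OF RelativeDistinguishedName
    return _der(0x30, b"".join(rdns))

def attribute_types(name_der):  # type names in DN order, one per AttributeTypeAndValue
    (_, body), = _tlvs(name_der)
    out = []
    for _, rdn_body in _tlvs(body):           # each RDN (SET)
        for _, atv_body in _tlvs(rdn_body):   # multi-valued RDNs are walked too
            _, oid = next(_tlvs(atv_body))    # the type OID is the first element
            dotted = ".".join(map(str, [oid[0] // 40, oid[0] % 40, *oid[1:]]))
            out.append(OID_ATTRS.get(dotted, dotted))
    return out

def repeated_attributes(name_der, allow_repeat=()):
    """Attribute types that appear more than once, minus those allowed to repeat."""
    counts = Counter(attribute_types(name_der))
    return sorted(t for t, n in counts.items() if n > 1 and t not in allow_repeat)

# Constructed subject: two surname RDNs (apellidos) plus a second organizationName in a multi-valued RDN.
SAMPLE = name(rdn(atv("countryName", "ES")), rdn(atv("givenName", "Ana")),
              rdn(atv("surname", "Garcia")), rdn(atv("surname", "Lopez")),
              rdn(atv("organizationName", "TLA Limited"), atv("organizationName", "TLA Ltd.")),
              rdn(atv("commonName", "Ana Garcia Lopez")))
```

With the strict TLS BR reading, `repeated_attributes(SAMPLE)` flags both surname and organizationName; passing `allow_repeat=("givenName", "surname")` leaves only the duplicated organizationName.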