<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1578173602;
mso-list-type:hybrid;
mso-list-template-ids:684484828 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1807090586;
mso-list-template-ids:-929502772;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>And, I forgot one other important point that I wanted to call out. Microsoft commented on earlier drafts of the charter in the previous ballot, and one of their concerns was that S/MIME emails sent from automated systems and mailing lists that contain identity information could potentially be construed as out of scope. That led to language in the previous ballot explicitly including such emails in the scope.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>That language was discussed, and the consensus was that those emails remain in scope, even without the additional language, and therefore the additional language is unnecessary (and potentially harmful). So it was removed. It would be useful to know if Microsoft agrees with that interpretation, otherwise we are going to have to find another solution to that issue.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Public <public-bounces@cabforum.org> <b>On Behalf Of </b>Tim Hollebeek via Public<br><b>Sent:</b> Friday, April 17, 2020 7:57 PM<br><b>To:</b> CABforum1 <public@cabforum.org><br><b>Subject:</b> [cabfpub] Update about S/MIME Charter<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As I mentioned on the last call, I promised to give an update on the S/MIME Charter today. There was a previous draft incorporating Apple’s comments, but as that draft was being finalized, a number of useful improvements were contributed by Google. After some discussion, most of those improvements were adopted, resulting in a proposal from Apple which can be found here:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://github.com/clintwilson/cab-docs/blob/SMCWG-draft-feedback/docs/SMCWG-charter.md">https://github.com/clintwilson/cab-docs/blob/SMCWG-draft-feedback/docs/SMCWG-charter.md</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Apple, DigiCert, and Mozilla support this proposal. If we’re reading Ryan’s github comments correctly, it seems he also supports this version of the charter, though I will let him speak for himself on that topic.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It would be useful if people began reviewing this charter proposal, and if there are additional comments, hopefully we can get them resolved soon. We should also discuss ballot language and a potential path forward towards getting this adopted, and I agree with Ryan that it would be more useful if that discussion happened on the public list (or github).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>DigiCert would vote for the current charter as proposed by Apple, but there is one point that I did notice while reviewing it one last time, and it relates to the following provision:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>“Certificates issued under a root certificate that is not publicly trusted SHALL be out of scope.”<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have two comments:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo3'>The concept of “root certificate” is clear in most circumstances, but in messy PKIs that involve cross signing and other complicated trust relationships, it can get a bit fuzzy. And the S/MIME ecosystem is certainly very messy right now. One potential fix is to change it to “Root Certificate”, so it refers to the defined term in the Baseline Requirements. But then everyone has to agree that that’s what we mean, and not something else.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo3'>Second, related to the first point, “publicly trusted” can be a bit ambiguous, especially with respect to a new working group like S/MIME, where we do not know in advance who the Certificate Consumers will be. Language along the lines of “that is not trusted by any participating Certificate Consumer” would probably be more clear. And what does trusted mean? What if it chains to a trusted ICA, but that ICA has been blacklisted by all Certificate Consumers via their revocation mechanisms? It would be useful to definitively say what we mean up front, to avoid differences of interpretation later.<o:p></o:p></li></ol><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Additional clarity and precision in expressing this requirement would probably be helpful, and I’d welcome discussion and suggestions. Or we could just go with the current language, acknowledging its potential limitations.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p></div></div></body></html>