<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1107000848;
mso-list-type:hybrid;
mso-list-template-ids:-1775843842 -888100970 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:6;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<h2>Minutes of SMCWG<o:p></o:p></h2>
<p class="MsoNormal">September 2, 2020<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These are the final approved Minutes of the Teleconference described in the subject of this message.
<o:p></o:p></p>
<h3>Attendees <o:p></o:p></h3>
<p class="MsoNormal">Matthias Wiedenhorst (ACAB'c), Arno Fiedler (Arno Fiedler), Mads Henriksveen (BuyPass), Qiu Dawei (CFCA), Zhang Danmeng (CFCA), Li-Chun Chen (Chunghwa Telecom), Andreas Henschel (D-TRUST), Enrico Entschew (D-TRUST), Dean Coclin (DigiCert),
Stephen Davidson (DigiCert), Bruce Morton (Entrust DataCard), India Donald (Federal PKI), Wendy Brown (Federal PKI), Thomas Connelly (Federal PKI), James Knapp (Federal PKI), Doug Beattie (GlobalSign), Hugh Mercer (GlobalSign), Atsushi Inaba (GlobalSign),
Hongquan Yin (Microsoft), Ben Wilson (Mozilla), Hazhar Ismail (MSC Trustgate.com), Ahmad Syafiq Md Zaini (MSC Trustgate.com), Nazmi Abd Hadi (MSC Trustgate.com), Patrycja Tulinska (PSW), Rich Smith (Sectigo), Chris Kemmerer (SSL.com), Thanos Vrachnos (SSL.com),
Markus Wichmann (TeleTrust), Morad Abou Nasser (TeleTrust), Corey Bonnell (Trustwave), Janet Hines (Trustwave), Russ Housley (Vigil Security, LLC), Jeff Ward (WebTrust), Don Sheehy (WebTrust), Tim Crawford (WebTrust), Burkhard Wiegel (Zertificon), Nathalie
Weiler (Nathalie Weiler)<o:p></o:p></p>
<h3>1. Roll Call<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Roll Call was taken.<o:p></o:p></p>
<h3>2. Read Antitrust Statement<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Antitrust/Compliance Statement was read.<o:p></o:p></p>
<h3>3. Review Agenda<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Dean Coclin proposed that the WG return to the confirmation of a Vice Chairman, which was tabled from the meeting of July 22, 2020. It was agreed. The Chair nominated WG member
Mads Henriksveen of BuyPass. A discussion was held on voting in accordance with the Charter, and it was confirmed there were no other nominations. A subsequent consensus vote confirmed Mads as Vice Chair of the SMCWG.<o:p></o:p></p>
<h3>4. Approval of minutes from last teleconference<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The minutes of the August 19 teleconference were approved.<o:p></o:p></p>
<h3>5. New Members<o:p></o:p></h3>
<p class="MsoNormal">No new members, but Tim Crawford of BDO has joined the WebTrust representation on the SMCWG.<o:p></o:p></p>
<h3>6. Discussion of approach and deliverables<o:p></o:p></h3>
<p class="MsoNormal">A discussion was held of major use cases for S/MIME certificates:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SIGNING<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
to protect integrity<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
to assert authenticity/origin<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
for content commitment or wilful acts<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ENCRYPTING<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
to protect confidentiality<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was discussion regarding individual S/MIME certs versus those used on gateways, as well as a high level discussion of email control validation including for an individual (challenge/response) versus an enterprise (which could also
conceivably use BR domain methods, CAA, or MX records)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">KEYGEN AND/OR KEY STORAGE<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
keygen by CA<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
crypto token <o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
operating system (NSS, CAPI, etc)<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
web browser (browser crypto)<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
application (on iOS, Android, etc)<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
enterprise email gateway (including domain certs)<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
cloud signer/encryptor (cloud user agent)<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was discussion relating to <o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
Protection of the private key; attestation by token/HSM – the difficulty of finding a balance between encouraging agility with shorter validity periods and recognizing the security of keys on tokens<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
Dual use (sign/encrypt in one cert) or split keys (separate certs for sign and encrypt)<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
Marking a certificate if the private key is escrowed, potentially forcing split keys<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
The possibility of creating a CABF OID (as exists for DV, OV, EV, and codesigning) to mark compliance with the eventual SMCWG requirements<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The discussion continued to continue reviewing known example requirements that apply to S/MIME certificates.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was a discussion regarding gateway certs (if they adhere to RFC 3183/domain Security Services for S/MIME) or if they were standard certs. It appears there is variation in practice with some being issued to a group email address while
others apply to an entire domain. Many are used for gateway-to-gateway authentication. Further investigation is required into standardization of these domain certs. Ben Wilson raised the Direct profile which includes a domain cert that appears to match that
description – and offered to add it to the standards sheet:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit?usp=sharing">https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit?usp=sharing</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Chair suggested setting up a separate sheet to gather different CA profiles, given the wide apparent practice in S/MIME.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h3 style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">
6. Any Other Business<o:p></o:p></h3>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">No other business.<o:p></o:p></p>
<h3>7. Next call<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The next call will take place on September 16, 2020 at 11:00am Eastern Time.
<o:p></o:p></p>
<h3><span lang="DE">Adjourned</span><o:p></o:p></h3>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</body>
</html>