<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Li-Chun,<br>
<br>
The applicable audit requirements for S/MIME Issuing CAs are
described in the various Root Program sites. Check out the following
for Mozilla and Microsoft:<br>
<ul>
<li><a class="moz-txt-link-freetext" href="https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#312-required-audits">https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#312-required-audits</a></li>
<li><a class="moz-txt-link-freetext" href="https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#a-webtrust-audits">https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#a-webtrust-audits</a></li>
</ul>
Hope this helps.<br>
<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 2020-10-22 4:17 AM, 陳立群 via
Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:018601d6a811$32144d30$963ce790$@cht.com.tw">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<pre style="text-indent:30.0pt"><span style="font-family:"Calibri",sans-serif" lang="EN-US">If we set up a new intermediate S/MIME CA that chains up to our Root with EKU such as Secured Email, Client Authentication, Server Authentication. The S/MIME CA’s CA certificate and EE Certificates will contain an id-kp-emailProtection and Client authentication Extended Key Usage (EKU) extension. From RFC 5280, this CA will not have the ability to issue SSL/TLS certs. Besides WebTrust for CA, will this new intermediate S/MIME CA need to pass the Principles 4 of WebTrust for CA-SSL BR with Network Security Audit (it corresponds to NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS)? For Google or Mozilla, they use EKU Chaining and from Mozilla</span><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif" lang="EN-US"> policy 3.1.2.1, the n</span><span style="font-family:"Calibri",sans-serif" lang="EN-US">ew intermediate S/MIME CA</span><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif" lang="EN-US"> need not </span><span style="font-family:"Calibri",sans-serif" lang="EN-US"> pass the Principles 4 of WebTrust for CA-SSL BR with Network Security Audit. But it is not clear in Apple’s Root Program Policy. Does CISCO support S/MIME trust bit/EKU? <o:p></o:p></span></pre>
<pre><span style="font-family:"Calibri",sans-serif" lang="EN-US"><o:p> </o:p></span></pre>
<pre style="text-indent:18.0pt"><span style="font-family:"Calibri",sans-serif" lang="EN-US">But from Page 1 of these Network and Certificate System Security Requirements (Requirements), it said “it apply to all publicly trusted Certification Authorities (CAs)”. Or Network and Certificate System Security Requirements (Requirements) only applies to SSL CA. Principles 4 of WebTrust for CA-SSL BR with Network Security Audit only applies to an intermediate CA with CA certificates that contained anyEKU or without EKU but those intermediate CAs don’t issue SSL/TLS certificates.<o:p></o:p></span></pre>
<pre style="text-indent:18.0pt"><span style="font-family:"Calibri",sans-serif" lang="EN-US"><o:p> </o:p></span></pre>
<pre><span style="font-family:"Calibri",sans-serif" lang="EN-US"><o:p> </o:p></span></pre>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-US"> </span><span
style="font-family:"Calibri",sans-serif"
lang="EN-US"> Li-Chun Chen</span><span
style="font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Jeff Ward <a class="moz-txt-link-rfc2396E" href="mailto:jward@bdo.com">&lt;jward@bdo.com&gt;</a> <br>
<b>Sent:</b> Sunday, August 23, 2020 4:59 AM<br>
<b>To:</b> </span><span style="font-size:11.0pt">陳立群</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> <a class="moz-txt-link-rfc2396E" href="mailto:realsky@cht.com.tw">&lt;realsky@cht.com.tw&gt;</a>; 'SMIME
Certificate Working Group'
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> [</span><span style="font-size:11.0pt">External mail</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">] Re: [Smcwg-public] Audit Schem of a
S/MIME CA<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"
lang="EN-US">If the CA either issues or has the ability to
issue SSL/TLS certs, baseline requirements apply. <o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"
lang="EN-US"><o:p> </o:p></span></p>
</div>
<div id="Signature">
<div>
<div id="divtagdefaultwrapper">
<div>
<p style="background:white"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">Jeff Ward, CPA, CGMA, CITP, CISA,
CISSP, CEH<o:p></o:p></span></b></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">National Managing Partner Third Party
Attestation</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"
lang="EN-US"><o:p></o:p></span></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">(SOC/WebTrust/Cybersecurity)</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"
lang="EN-US"><o:p></o:p></span></p>
<p style="background:white"><span
class="baec5a81-e4d6-4674-97f3-e9220f0136c1"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">314-889-1220<span
style="color:blue"><img
style="width:.1666in;height:.1666in"
id="_x0000_i1025"
src="cid:part1.F756868A.AA0FA829@harica.gr"
class="" width="16" height="16"></span></span></span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US"> (Direct) 347-1220 (Internal)<o:p></o:p></span></p>
<p style="background:white"><span
class="baec5a81-e4d6-4674-97f3-e9220f0136c1"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#ED1A3B"
lang="EN-US"><a href="mailto:jward@bdo.com"
moz-do-not-send="true">jward@bdo.com</a> </span></span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US"><o:p></o:p></span></p>
<p style="background:white"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">BDO<o:p></o:p></span></b></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">101 S Hanley Rd, #800<o:p></o:p></span></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">St. Louis, MO 63105<o:p></o:p></span></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">UNITED STATES<o:p></o:p></span></p>
<p style="background:white"><span
class="baec5a81-e4d6-4674-97f3-e9220f0136c1"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US">314-889-1100<span
style="color:blue"><img
style="width:.1666in;height:.1666in"
id="_x0000_i1026"
src="cid:part1.F756868A.AA0FA829@harica.gr"
class="" width="16" height="16" border="0"></span></span></span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040"
lang="EN-US"><o:p></o:p></span></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#ED1A3B"
lang="EN-US"><a href="http://www.bdo.com"
moz-do-not-send="true">www.bdo.com</a><o:p></o:p></span></p>
<p style="background:white"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#1BC237"
lang="EN-US">Please consider the environment
before printing this e-mail<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"
lang="EN-US"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" style="text-align:center"
align="center"><span lang="EN-US">
<hr width="98%" size="2" align="center"></span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"
lang="EN-US"> </span><span
style="font-size:11.0pt;color:black">陳立群</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"
lang="EN-US"> <<a href="mailto:realsky@cht.com.tw"
moz-do-not-send="true">realsky@cht.com.tw</a>><br>
<b>Sent:</b> Friday, August 21, 2020 6:59 AM<br>
<b>To:</b> Jeff Ward <<a href="mailto:jward@bdo.com"
moz-do-not-send="true">jward@bdo.com</a>>; 'SMIME
Certificate Working Group' <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> RE: [Smcwg-public] Audit Schem of a
S/MIME CA</span><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="border:solid black 1.5pt;padding:0cm 0cm 0cm
0cm;margin-bottom:24.0pt">
<p style="background:lightgreen"><span lang="EN-US">Attention:
This email was sent from someone outside of BDO USA.
Always use caution when opening attachments or
clicking links from unknown senders or when receiving
unexpected emails.<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US">Dear Jeff,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> Thank you very much for your
information.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> In the example diagram, Issuing
CA 2 would need to receive a WebTrust for CA based
on Microsoft Audit Requirements of Microsoft Trusted
Root Certificate Program. Issuing CA 2 need not
receive the Network Security Requirements (Principle
4). Right?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> <a
href="https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements"
moz-do-not-send="true">https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements</a></span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"><img
style="width:10.2604in;height:8.625in"
id="x_圖片_x0020_1"
src="cid:part9.98450C0B.D35EDE43@harica.gr"
class="" width="985" height="828" border="0"></span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> It is not clear about audit
scheme for S/MIME CA from Apple</span><span
style="color:#1F497D">’<span lang="EN-US">s root
program webpage <a
href="https://www.apple.com/certificateauthority/ca_program.html"
moz-do-not-send="true">https://www.apple.com/certificateauthority/ca_program.html</a>
and Chrome</span>’<span lang="EN-US">s Root
Certificate Policy <a
href="https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy"
moz-do-not-send="true">https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy</a>
.</span></span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> Li-Chun Chen</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> Chunghwa Telecom </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="xmsonormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Jeff Ward <<a
href="mailto:jward@bdo.com"
moz-do-not-send="true">jward@bdo.com</a>> <br>
<b>Sent:</b> Thursday, August 20, 2020 10:26 PM<br>
<b>To:</b> </span>陳立群<span lang="EN-US"> <<a
href="mailto:realsky@cht.com.tw"
moz-do-not-send="true">realsky@cht.com.tw</a>>;
SMIME Certificate Working Group <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> [</span>External mail<span lang="EN-US">]
RE: [Smcwg-public] Audit Schem of a S/MIME CA<o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="xmsonormal"><span
style="font-size:10.5pt;font-family:"Trebuchet
MS",sans-serif" lang="EN-US">In the example
diagram, Issuing CA 2 would need to receive a
WebTrust for CA based on Mozilla policy 3.1.2.1. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span
style="font-size:10.5pt;font-family:"Trebuchet
MS",sans-serif" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"><img
style="width:8.0416in;height:4.1979in"
id="x_Picture_x0020_1"
src="cid:part15.177D7948.BD963C5B@harica.gr"
class="" width="772" height="403" border="0"><o:p></o:p></span></p>
<p class="xmsonormal"><span
style="font-size:10.5pt;font-family:"Trebuchet
MS",sans-serif" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><b><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040" lang="EN-US">Jeff
Ward, CPA, CGMA, CITP, CISA, CISSP, CEH</span></b><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040" lang="EN-US"><br>
National Managing Partner Third Party Attestation
(SOC/WebTrust/Cybersecurity)<br>
314-889-1220 (Direct) 347-1220 (Internal)<br>
314-387-0189 (Mobile)</span><span lang="EN-US"><br>
</span><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#ED1A3B" lang="EN-US"><a
href="mailto:jward@bdo.com" moz-do-not-send="true"><span
style="color:#ED1A3B">jward@bdo.com</span></a></span><span
lang="EN-US"><br>
<br>
</span><b><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040" lang="EN-US">BDO</span></b><span
lang="EN-US"><br>
</span><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040" lang="EN-US">101
S Hanley Rd, Suite 800<br>
St. Louis, MO 63105 <br>
UNITED STATES<br>
314-889-1100</span><span lang="EN-US"><br>
</span><u><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#ED1A3B" lang="EN-US"><a
href="http://www.bdo.com/"
moz-do-not-send="true"><span
style="color:#ED1A3B">www.bdo.com</span></a></span></u><span
lang="EN-US"><br>
<br>
</span><u><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#ED1A3B" lang="EN-US"><a
href="https://fileexchange.bdo.com/"
target="_blank" moz-do-not-send="true"><span
style="color:#ED1A3B">BDO File Exchange
(secure file sharing)</span></a></span></u><span
lang="EN-US"><br>
<br>
</span><i><span
style="font-size:10.0pt;font-family:trebuchet;color:green"
lang="EN-US">Please consider the environment
before printing this e-mail</span></i><span
lang="EN-US"><br>
<br>
<a
href="https://www.bdo.com/resource-centers/understanding-the-business-impacts-of-covid-19"
moz-do-not-send="true"><span
style="text-decoration:none"><img
style="width:2.6041in;height:.427in"
id="x__x005f_x0000_i1026"
src="https://bdousprodintwebappssta.blob.core.windows.net/osd/Icons/covid.jpg"
alt="covid-19" moz-do-not-send="true"
width="250" height="41" border="0"></span></a><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="xmsonormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Smcwg-public <<a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>陳立群 via Smcwg-public<br>
<b>Sent:</b> Wednesday, August 19, 2020 9:29 PM<br>
<b>To:</b> 'SMIME Certificate Working Group'
<<a href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> Re: [Smcwg-public] Audit Schem
of a S/MIME CA<o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US">There are some typos in the previous
e-mail, such as </span><span
style="color:#1F497D">“<span lang="EN-US">audit
schema</span>”<span lang="EN-US"> should be </span>“<span
lang="EN-US">audit scheme</span>”<span
lang="EN-US">, </span>“<span lang="EN-US">I
wonder to know certificate consumers member and
CPA Canada</span>’<span lang="EN-US">s opinion.</span>”<span
lang="EN-US"> should be </span>“<span
lang="EN-US">I wonder to know certificate
consumers members</span>’<span lang="EN-US"> and
CPA Canada WebTrust Task Force</span>’<span
lang="EN-US">s opinion.</span>”</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US">Thanks. </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal" style="text-indent:24.0pt"><span
style="color:#1F497D" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> Li-Chun</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="xmsonormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Smcwg-public <<a
href="mailto:smcwg-public-bounces@cabforum.org"
moz-do-not-send="true">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b></span>陳立群<span
lang="EN-US"> via Smcwg-public<br>
<b>Sent:</b> Thursday, August 20, 2020 8:59 AM<br>
<b>To:</b> 'SMIME Certificate Working Group'
<<a href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> [</span>External mail<span lang="EN-US">]
[Smcwg-public] Audit Schem of a S/MIME CA<o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="xmsonormal" style="text-indent:16.5pt"><span
lang="EN-US">I wonder the audit schema of an
issuing CA issue S/MIME certificate as the issuing
CA 2 (S/MIME Certificates) in upper diagram of
page 10 of WebTrust for CA 2.2<span
style="color:#1F497D"> (<a
href="https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&amp;hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A"
moz-do-not-send="true">https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A</a>)
.</span><o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal" style="text-indent:16.5pt"><span
lang="EN-US">From the WebTrust for Certification
Authorities - Audit Applicability Matrix<span
style="color:#1F497D"> (</span><a
href="https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria"
moz-do-not-send="true">https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria</a>
) or as attached file, this issuing CA2 (S/MIME
Certificates) belong to </span>“<span
lang="EN-US">Publicly-Trusted Commercial PKI - All
other uses</span>”<span lang="EN-US"> or </span>“<span
lang="EN-US">Publicly-Trusted Government PKI - All
other uses</span>”<span lang="EN-US"> , so the
audit scheme should be RKGC, Key Protection and
WebTrust.<o:p></o:p></span></p>
<p class="xmsonormal"><span style="color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="xmsonormal"
style="text-indent:16.5pt;text-autospace:none"><span
lang="EN-US">But someone may argue as the Root CA
in upper diagram of page 10 of WebTrust for CA 2.2
has website and e-mail trust bits. The issuing CA
2 (S/MIME Certificates) should pass WebTrust for
CA-SSL BR with Network Security Audit Criteria
Principles 4. I see <a
href="https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf?la=en&amp;hash=15117D0B4FB70FB113C7D1D88802A26FE820FB60"
moz-do-not-send="true"><span
style="color:windowtext;text-decoration:none">WebTrust
Principles and Criteria for Certification
Authorities </span><span
style="color:windowtext;text-decoration:none"
lang="EN-US"><span lang="EN-US">– SSL Baseline
with Network Security </span></span><span
style="color:windowtext;text-decoration:none"
lang="EN-US"><span lang="EN-US">– Version
2.4.1</span></span></a> page 3. It said
that </span>“<span lang="EN-US">However, the
Network Security Requirements (Principle 4) would
apply to all CAs </span>–<span lang="EN-US"> Root
CA, CA 1, CA 2, CA 3, and CA 4.</span>”<span
lang="EN-US">. Note that CA-3 is a S/MIME CA. <o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US">
<o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"> I wonder
to know certificate consumers member and CPA
Canada</span>’<span lang="EN-US">s opinion. <o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"> Thanks.<o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US">
Li-Chun Chen <o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"> Chunghwa
Telecom <o:p></o:p></span></p>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="xmsonormal"><span lang="EN-US">Please be
advised that this email message (including any
attachments) contains confidential information
and may be legally privileged. If you are not
the intended recipient, please destroy this
message and all attachments from your system
and do not further collect, process, or use
them. Chunghwa Telecom and all its
subsidiaries and associated companies shall
not be liable for the improper or incomplete
transmission of the information contained in
this email nor for any delay in its receipt or
damage to your system. If you are the intended
recipient, please protect the confidential
and/or personal information contained in this
email with due care. Any unauthorized use,
disclosure or distribution of this message in
whole or in part is strictly prohibited. Also,
please self-inspect attachments and hyperlinks
contained in this email to ensure the
information security and to protect personal
information.<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="xmsonormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal" style="margin-bottom:12.0pt"><span
lang="EN-US"><br>
<br>
</span><em><b><span
style="font-size:10.0pt;font-family:'Calibri',sans-serif;color:black"
lang="EN-US">The health and safety of our people
and communities is our top priority, as we all
do our part to help stop the spread of COVID-19.
All BDO USA offices will be closed until further
notice. While we will be working from home, our
already-flexible work environment enables us to
make this transition seamlessly and we have the
technology in place to continue to provide the
same excellent level of service our clients are
accustomed to. We are here if you need us, just
as before, and if we can be helpful as you
navigate the uncertainty, we stand ready. </span></b></em><b><i><span
style="font-size:10.0pt;color:black"
lang="EN-US"><br>
<br>
</span></i></b><em><b><span
style="font-size:10.0pt;font-family:'Calibri',sans-serif;color:black"
lang="EN-US">BDO USA, LLP, a Delaware limited
liability partnership, is the U.S. member of BDO
International Limited, a UK company limited by
guarantee, and forms part of the international
BDO network of independent member firms. </span></b></em><b><i><span
style="font-size:10.0pt;color:black"
lang="EN-US"><br>
<br>
</span></i></b><em><b><span
style="font-size:10.0pt;font-family:'Calibri',sans-serif;color:black"
lang="EN-US">BDO is the brand name for the BDO
network and for each of the BDO Member Firms.</span></b></em><b><i><span
style="font-size:10.0pt;color:black"
lang="EN-US"><br>
<br>
</span></i></b><em><b><span
style="font-size:10.0pt;font-family:'Calibri',sans-serif;color:black"
lang="EN-US">IMPORTANT NOTICES</span></b></em><b><i><span
style="font-size:10.0pt;color:black"
lang="EN-US"><br>
<br>
</span></i></b><em><b><span
style="font-size:10.0pt;font-family:'Calibri',sans-serif;color:black"
lang="EN-US">The contents of this email and any
attachments to it may contain privileged and
confidential information from BDO USA, LLP. This
information is only for the viewing or use of
the intended recipient. If you are not the
intended recipient, you are hereby notified that
any disclosure, copying, distribution or use of,
or the taking of any action in reliance upon,
the information contained in this e-mail, or any
of the attachments to this e-mail, is strictly
prohibited and that this e-mail and all of the
attachments to this e-mail, if any, must be
immediately returned to BDO USA, LLP or
destroyed and, in either case, this e-mail and
all attachments to this e-mail must be
immediately deleted from your computer without
making any copies hereof. If you have received
this e-mail in error, please notify BDO USA, LLP
by e-mail immediately.</span></b></em></p>
</div>
</div>
</div>
</div>
</div>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a></pre>
</blockquote>
<br>
</body>
</html>