<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=big5"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:細明體;
panose-1:2 2 5 9 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@新細明體";
panose-1:2 1 6 1 0 1 1 1 1 1;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Malgun Gothic";
panose-1:2 11 5 3 2 0 0 2 0 4;}
@font-face
{font-family:"\@Malgun Gothic";}
@font-face
{font-family:"\@MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
@font-face
{font-family:"\@細明體";
panose-1:2 1 6 9 0 1 1 1 1 1;}
@font-face
{font-family:trebuchet;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"新細明體",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"新細明體",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 預設格式 字元";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:細明體;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"新細明體",serif;}
span.baec5a81-e4d6-4674-97f3-e9220f0136c1
{mso-style-name:baec5a81-e4d6-4674-97f3-e9220f0136c1;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"新細明體",serif;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTML
{mso-style-name:"HTML 預設格式 字元";
mso-style-priority:99;
mso-style-link:"HTML 預設格式";
font-family:細明體;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-TW link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><pre style='text-indent:30.0pt'><span lang=EN-US style='font-family:"Calibri",sans-serif'>if we setup a new intermediate S/MIME CA chains up to our Root with EKU such as Secured Email, Client Authentication, Server Authentication. The S/MIME CA’s CA certificate and EE Certificates will contain an id-kp-emailProtection and Client authentication Extended Key Usage (EKU) extension. From RFC 5280, this CA will not has the ability to issue SSL/TLS certs. Besides Web Trust for CA , will this new intermediate S/MIME CA need to pass the Principles 4 of WebTurst for CA-SSL BR with Network Security Audit (It corresponds to NETWORK AND CERTIFICATE SYSTEMSECURITY REQUIREMENTS )? For Google or Mozilla, they use EKU Chaining and from Mozilla</span><span lang=EN-US style='font-size:10.5pt;font-family:"Trebuchet MS",sans-serif'> policy 3.1.2.1, the n</span><span lang=EN-US style='font-family:"Calibri",sans-serif'>ew intermediate S/MIME CA</span><span lang=EN-US style='font-size:10.5pt;font-family:"Trebuchet MS",sans-serif'> need not </span><span lang=EN-US style='font-family:"Calibri",sans-serif'> pass the Principles 4 of WebTurst for CA-SSL BR with Network Security Audit . But It is not clear in Apple’s Root Program Policy. Does CISCO support S/MIME trust bit/EKU? <o:p></o:p></span></pre><pre><span lang=EN-US style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></pre><pre style='text-indent:18.0pt'><span lang=EN-US style='font-family:"Calibri",sans-serif'>But from Page 1 of these Network and Certificate System Security Requirements (Requirements) , it said “it apply to all publicly trusted Certification Authorities (CAs). Or Network and Certificate System Security Requirements (Requirements) only apples to SSL CA. Principles 4 of WebTurst for CA-SSL BR with Network Security Audit only applies to an intermediate CA with CA certificates that contained anyEKU or without EKU but those intermediate CA doesn’t issue SSL/TLS certificates.<o:p></o:p></span></pre><pre style='text-indent:18.0pt'><span lang=EN-US style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></pre><pre><span lang=EN-US style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></pre><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:#1F497D'> </span><span lang=EN-US style='font-family:"Calibri",sans-serif'> Li-Chun Chen</span><span lang=EN-US style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Jeff Ward <jward@bdo.com> <br><b>Sent:</b> Sunday, August 23, 2020 4:59 AM<br><b>To:</b> </span><span style='font-size:11.0pt'>陳立群</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <realsky@cht.com.tw>; 'SMIME Certificate Working Group' <smcwg-public@cabforum.org><br><b>Subject:</b> [</span><span style='font-size:11.0pt'>外部郵件</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>] Re: [Smcwg-public] Audit Schem of a S/MIME CA<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:black'>If the CA either issues or has the ability to issue SSL/TLS certs, baseline requirements apply. <o:p></o:p></span></p></div><div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:black'><o:p> </o:p></span></p></div><div id=Signature><div><div id=divtagdefaultwrapper><div><p style='background:white'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH<o:p></o:p></span></b></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>National Managing Partner Third Party Attestation</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p></o:p></span></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>(SOC/WebTrust/Cybersecurity)</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p></o:p></span></p><p style='background:white'><span class=baec5a81-e4d6-4674-97f3-e9220f0136c1><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>314-889-1220<span style='color:blue'><img width=16 height=16 style='width:.1666in;height:.1666in' id="_x0000_i1025" src="cid:image003.png@01D6A7C2.7D564C70"></span></span></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'> (Direct) 347-1220 (Internal)<o:p></o:p></span></p><p style='background:white'><span class=baec5a81-e4d6-4674-97f3-e9220f0136c1><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#ED1A3B'><a href="mailto:jward@bdo.com">jward@bdo.com</a> </span></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'><o:p></o:p></span></p><p style='background:white'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>BDO<o:p></o:p></span></b></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>101 S Hanley Rd, #800<o:p></o:p></span></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>St. Louis, MO 63105<o:p></o:p></span></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>UNITED STATES<o:p></o:p></span></p><p style='background:white'><span class=baec5a81-e4d6-4674-97f3-e9220f0136c1><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'>314-889-1100<span style='color:blue'><img border=0 width=16 height=16 style='width:.1666in;height:.1666in' id="_x0000_i1026" src="cid:image003.png@01D6A7C2.7D564C70"></span></span></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#404040'><o:p></o:p></span></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#ED1A3B'><a href="http://www.bdo.com">www.bdo.com</a><o:p></o:p></span></p><p style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#1BC237'>Please consider the environment before printing this e-mail<o:p></o:p></span></p></div></div></div></div></div><div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri",sans-serif;color:black'><o:p> </o:p></span></p></div><div class=MsoNormal align=center style='text-align:center'><span lang=EN-US><hr size=2 width="98%" align=center></span></div><div id=divRplyFwdMsg><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'> </span><span style='font-size:11.0pt;color:black'>陳立群</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'> <<a href="mailto:realsky@cht.com.tw">realsky@cht.com.tw</a>><br><b>Sent:</b> Friday, August 21, 2020 6:59 AM<br><b>To:</b> Jeff Ward <<a href="mailto:jward@bdo.com">jward@bdo.com</a>>; 'SMIME Certificate Working Group' <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br><b>Subject:</b> RE: [Smcwg-public] Audit Schem of a S/MIME CA</span><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div></div><div><div style='border:solid black 1.5pt;padding:0cm 0cm 0cm 0cm;margin-bottom:24.0pt'><p style='background:lightgreen'><span lang=EN-US>Attention: This email was sent from someone outside of BDO USA. Always use caution when opening attachments or clicking links from unknown senders or when receiving unexpected emails.<o:p></o:p></span></p></div><div><div><p class=xmsonormal><span lang=EN-US style='color:#1F497D'>Dear Jeff,</span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> Thank you very much for your information.</span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> In the example diagram, issuing CA 2 would need to receive a Webtrust for CA based on Microsoft Audit Requirements of Microsoft Trusted Root Certificate Program. Issuing CA 2 need not to receive the Network Security Requirements (Principle 4). Right?</span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsecurity%2Ftrusted-root%2Faudit-requirements&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934723710&sdata=bjuQGRuH%2F2ZpSoMCd5QS5SE4o1kiw3GkM4VqhsdZ9QA%3D&reserved=0">https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements</a></span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'><img border=0 width=985 height=828 style='width:10.2604in;height:8.625in' id="x_圖片_x0020_1" src="cid:image004.png@01D6A7C2.7D564C70"></span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> It is not clear about audit scheme for S/MIME CA from Apple</span><span style='color:#1F497D'>’<span lang=EN-US>s root program webpage <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.apple.com%2Fcertificateauthority%2Fca_program.html&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934733666&sdata=5i%2BqhxM2B%2BbS3jTlJ6GoQWCW93cEt3ZpjqtBaJUbYrM%3D&reserved=0">https://www.apple.com/certificateauthority/ca_program.html</a> and Chrome</span>’<span lang=EN-US>s Root Certificate Policy <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsites.google.com%2Fa%2Fchromium.org%2Fdev%2FHome%2Fchromium-security%2Froot-ca-policy&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934733666&sdata=D50EiEdUS5ZasG3Feo%2BBCMMb2Aqg0E3noyQ%2F0GettuU%3D&reserved=0">https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy</a> .</span></span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> Li-Chun Chen</span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> Chunghwa Telecom </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=xmsonormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Jeff Ward <<a href="mailto:jward@bdo.com">jward@bdo.com</a>> <br><b>Sent:</b> Thursday, August 20, 2020 10:26 PM<br><b>To:</b> </span>陳立群<span lang=EN-US> <<a href="mailto:realsky@cht.com.tw">realsky@cht.com.tw</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br><b>Subject:</b> [</span>外部郵件<span lang=EN-US>] RE: [Smcwg-public] Audit Schem of a S/MIME CA<o:p></o:p></span></p></div></div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='font-size:10.5pt;font-family:"Trebuchet MS",sans-serif'>In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA based on Mozilla policy 3.1.2.1. </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='font-size:10.5pt;font-family:"Trebuchet MS",sans-serif'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US><img border=0 width=772 height=403 style='width:8.0416in;height:4.1979in' id="x_Picture_x0020_1" src="cid:image005.png@01D6A7C2.7D564C70"><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='font-size:10.5pt;font-family:"Trebuchet MS",sans-serif'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040'>Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040'><br>National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)<br>314-889-1220 (Direct) 347-1220 (Internal)<br>314-387-0189 (Mobile)</span><span lang=EN-US><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B'><a href="mailto:jward@bdo.com"><span style='color:#ED1A3B'>jward@bdo.com</span></a></span><span lang=EN-US><br><br></span><b><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040'>BDO</span></b><span lang=EN-US><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040'>101 S Hanley Rd, Suite 800<br>St. Louis, MO 63105 <br>UNITED STATES<br>314-889-1100</span><span lang=EN-US><br></span><u><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B'><a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bdo.com%2F&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934743624&sdata=MaTayfWwLCre5tMap0dIGLHxGqbD8zfoRZ3uc6kbNAI%3D&reserved=0"><span style='color:#ED1A3B'>www.bdo.com</span></a></span></u><span lang=EN-US><br><br></span><u><span lang=EN-US style='font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B'><a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffileexchange.bdo.com%2F&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934743624&sdata=oC%2FLdDf2lY4unYWC5E4j29wuO%2Br334l8iuqBISNMitM%3D&reserved=0" target="_blank"><span style='color:#ED1A3B'>BDO File Exchange (secure file sharing)</span></a></span></u><span lang=EN-US><br><br></span><i><span lang=EN-US style='font-size:10.0pt;font-family:trebuchet;color:green'>Please consider the environment before printing this e-mail</span></i><span lang=EN-US><br><br><a href="https://www.bdo.com/resource-centers/understanding-the-business-impacts-of-covid-19"><span style='text-decoration:none'><img border=0 width=250 height=41 style='width:2.6041in;height:.427in' id="x__x005f_x0000_i1026" src="https://bdousprodintwebappssta.blob.core.windows.net/osd/Icons/covid.jpg" alt=covid-19></span></a><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=xmsonormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>??? via Smcwg-public<br><b>Sent:</b> Wednesday, August 19, 2020 9:29 PM<br><b>To:</b> 'SMIME Certificate Working Group' <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br><b>Subject:</b> Re: [Smcwg-public] Audit Schem of a S/MIME CA<o:p></o:p></span></p></div></div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><div style='border:solid black 1.5pt;padding:0cm 0cm 0cm 0cm;margin-bottom:24.0pt'><p style='background:lightgreen'><span lang=EN-US>Attention: This email was sent from someone outside of BDO USA. Always use caution when opening attachments or clicking links from unknown senders or when receiving unexpected emails.<o:p></o:p></span></p></div><div><p class=xmsonormal><span lang=EN-US style='color:#1F497D'>There are some typo in previous e-mail, such as </span><span style='color:#1F497D'>“<span lang=EN-US>audit schema</span>”<span lang=EN-US> should be </span>“<span lang=EN-US>audit scheme</span>”<span lang=EN-US>, </span>“<span lang=EN-US>I wonder to know certificate consumers member and CPA Canada</span>’<span lang=EN-US>s opinion.</span>”<span lang=EN-US> should be </span>“<span lang=EN-US>I wonder to know certificate consumers members</span>’<span lang=EN-US> and CPA Canada WebTrust Task Force</span>’<span lang=EN-US>s opinion.</span>”</span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'>Thanks. </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal style='text-indent:24.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> Li-Chun</span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=xmsonormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b></span>陳立群<span lang=EN-US> via Smcwg-public<br><b>Sent:</b> Thursday, August 20, 2020 8:59 AM<br><b>To:</b> 'SMIME Certificate Working Group' <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br><b>Subject:</b> [</span>外部郵件<span lang=EN-US>] [Smcwg-public] Audit Schem of a S/MIME CA<o:p></o:p></span></p></div></div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><p class=xmsonormal style='text-indent:16.5pt'><span lang=EN-US>I wonder the audit schema of an issuing CA issue S/MIME certificate as the issuing CA 2 (S/MIME Certificates) in upper diagram of page 10 of WebTrust for CA 2.2<span style='color:#1F497D'> (<a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cpacanada.ca%2F-%2Fmedia%2Fsite%2Foperational%2Fms-member-services%2Fdocs%2Fwebtrust%2Fwebtrust-for-ca-22.pdf%3Fla%3Den%26hash%3D76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934753587&sdata=0t3UaDinP2W%2Blgg3dMVsUFNR1RTpmRgE8VbprzsaAeI%3D&reserved=0">https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A</a>) .</span><o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal style='text-indent:16.5pt'><span lang=EN-US>From the WebTrust for Certification Authorities - Audit Applicability Matrix<span style='color:#1F497D'> (</span><a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cpacanada.ca%2Fen%2Fbusiness-and-accounting-resources%2Faudit-and-assurance%2Foverview-of-webtrust-services%2Fprinciples-and-criteria&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934753587&sdata=L5nxmlULugRu7zT7nR1j7gkNyxUA%2F6AAH9bcAy%2FR5SI%3D&reserved=0">https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria</a> ) or as attached file, this issuing CA2 (S/MIME Certificates) belong to </span>“<span lang=EN-US>Publicly-Trusted Commercial PKI - All other uses</span>”<span lang=EN-US> or </span>“<span lang=EN-US>Publicly-Trusted Government PKI - All other uses</span>”<span lang=EN-US> , so the audit scheme should be RKGC, Key Protection and WebTrust.<o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=xmsonormal style='text-indent:16.5pt;text-autospace:none'><span lang=EN-US>But someone may argue as the Root CA in upper diagram of page 10 of WebTrust for CA 2.2 has website and e-mail trust bits. The issuing CA 2 (S/MIME Certificates should pass WebTurst for CA-SSL BR with Network Security Audit Criteria Principles 4. I see <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cpacanada.ca%2F-%2Fmedia%2Fsite%2Foperational%2Fms-member-services%2Fdocs%2Fwebtrust%2Fwtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf%3Fla%3Den%26hash%3D15117D0B4FB70FB113C7D1D88802A26FE820FB60&data=02%7C01%7Cjward%40bdo.com%7C685fa1eadc9e41e6072808d845c9b564%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C1%7C637336079934763536&sdata=PaOioIzEeszSLf2OPeRav4HjhbIfeVegL%2BoOadBSmmY%3D&reserved=0"><span style='color:windowtext;text-decoration:none'>WebTrust Principles and Criteria for Certification Authorities </span><span lang=EN-US style='color:windowtext;text-decoration:none'><span lang=EN-US>– SSL Baseline with Network Security </span></span><span lang=EN-US style='color:windowtext;text-decoration:none'><span lang=EN-US>– Version 2.4.1</span></span></a> page 3. It said that </span>“<span lang=EN-US>However, the Network Security Requirements (Principle 4) would apply to all CAs </span>–<span lang=EN-US> Root CA, CA 1, CA 2, CA 3, and CA 4.</span>”<span lang=EN-US>. Note that CA-3 is a S/MIME CA. <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> I wonder to know certificate consumers member and CPA Canada</span>’<span lang=EN-US>s opinion. <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> Thanks.<o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> Li-Chun Chen <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> Chunghwa Telecom <o:p></o:p></span></p><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><div><div><p class=xmsonormal>本信件可能包含中華電信股份有限公司機密資訊<span lang=EN-US>,</span>非指定之收件者<span lang=EN-US>,</span>請勿蒐集、處理或利用本信件內容<span lang=EN-US>,</span>並請銷毀此信件<span lang=EN-US>. </span>如為指定收件者<span lang=EN-US>,</span>應確實保護郵件中本公司之營業機密及個人資料<span lang=EN-US>,</span>不得任意傳佈或揭露<span lang=EN-US>,</span>並應自行確認本郵件之附檔與超連結之安全性<span lang=EN-US>,</span>以共同善盡資訊安全與個資保護責任<span lang=EN-US>. <o:p></o:p></span></p></div><div><p class=xmsonormal><span lang=EN-US>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.<o:p></o:p></span></p></div></div><div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p></div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p><div><div><p class=xmsonormal><span style='font-family:"MS Gothic"'>本信件可能包含中華電信股份有限公司機密資訊</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>非指定之收件者</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>請勿蒐集、處理或利用本信件</span><span style='font-family:"Malgun Gothic",sans-serif'>內容</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>並請銷毀此信件</span><span lang=EN-US>. </span><span style='font-family:"MS Gothic"'>如為指定收件者</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>應確實保護郵件中本公司之營業機密及個人資料</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>不得任意傳佈或揭露</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>並應自行確認本郵件之附檔與超連結之安全性</span><span lang=EN-US>,</span><span style='font-family:"MS Gothic"'>以共同善盡資訊安全與個資保護責任</span><span lang=EN-US>. <o:p></o:p></span></p></div><div><p class=xmsonormal><span lang=EN-US>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.<o:p></o:p></span></p></div></div><div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=xmsonormal><span lang=EN-US> <o:p></o:p></span></p></div></div><p class=xmsonormal style='margin-bottom:12.0pt'><span lang=EN-US><br><br></span><em><b><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>The health and safety of our people and communities is our top priority, as we all do our part to help stop the spread of COVID-19. All BDO USA offices will be closed until further notice. While we will be working from home, our already-flexible work environment enables us to make this transition seamlessly and we have the technology in place to continue to provide the same excellent level of service our clients are accustomed to. We are here if you need us, just as before, and if we can be helpful as you navigate the uncertainty, we stand ready. </span></b></em><b><i><span lang=EN-US style='font-size:10.0pt;color:black'><br><br></span></i></b><em><b><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. </span></b></em><b><i><span lang=EN-US style='font-size:10.0pt;color:black'><br><br></span></i></b><em><b><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>BDO is the brand name for the BDO network and for each of the BDO Member Firms.</span></b></em><b><i><span lang=EN-US style='font-size:10.0pt;color:black'><br><br></span></i></b><em><b><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>IMPORTANT NOTICES</span></b></em><b><i><span lang=EN-US style='font-size:10.0pt;color:black'><br><br></span></i></b><em><b><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.</span></b></em><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><div><p class=MsoNormal>本信件可能包含中華電信股份有限公司機密資訊<span lang=EN-US>,</span>非指定之收件者<span lang=EN-US>,</span>請勿蒐集、處理或利用本信件內容<span lang=EN-US>,</span>並請銷毀此信件<span lang=EN-US>. </span>如為指定收件者<span lang=EN-US>,</span>應確實保護郵件中本公司之營業機密及個人資料<span lang=EN-US>,</span>不得任意傳佈或揭露<span lang=EN-US>,</span>並應自行確認本郵件之附檔與超連結之安全性<span lang=EN-US>,</span>以共同善盡資訊安全與個資保護責任<span lang=EN-US>. <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br><br></span><em><b><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US'>The health and safety of our people and communities is our top priority, as we all do our part to help stop the spread of COVID-19. All BDO USA offices will be closed until further notice. While we will be working from home, our already-flexible work environment enables us to make this transition seamlessly and we have the technology in place to continue to provide the same excellent level of service our clients are accustomed to. We are here if you need us, just as before, and if we can be helpful as you navigate the uncertainty, we stand ready. </span></b></em><b><i><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US'><br><br><em><span style='font-family:"Calibri",sans-serif'>BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. </span></em><br><br><em><span style='font-family:"Calibri",sans-serif'>BDO is the brand name for the BDO network and for each of the BDO Member Firms.</span></em><br><br><em><span style='font-family:"Calibri",sans-serif'>IMPORTANT NOTICES</span></em><br><br><em><span style='font-family:"Calibri",sans-serif'>The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.</span></em></span></i></b><span lang=EN-US><o:p></o:p></span></p></div></body></html>