<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<h2>Minutes of SMCWG<o:p></o:p></h2>
<p class="MsoNormal">May 12, 2021<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These are the Draft Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.<o:p></o:p></p>
<h3>Attendees <o:p></o:p></h3>
<h3><span style="font-size:11.0pt;font-weight:normal">Ali Gholami (Telia Company), Andrea Holland (SecureTrust), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Christy Berghoff (Federal PKI), Clint Wilson
(Apple), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Doug Beattie (GlobalSign), Hazhar Ismail (MSC Trustgate.com), Hongquan Yin (Microsoft), Inigo Barreira (Sectigo), Juan Ángel Martin (Camerfirma), Klauss Voss (Zertificon),
Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Matthias Wiedenhorst (ACAB'c), Morad Abou Nasser (TeleTrust), Niko Carpenter (SecureTrust), Patrycja Tulinska (PSW), Pedro Fuentes (OISTE), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Russ
Housley (Vigil Security), Sebastian Schulz (GlobalSign), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Crawford (WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (Federal PKI)<o:p></o:p></span></h3>
<h3>1. Roll Call<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Roll Call was taken.<o:p></o:p></p>
<h3>2. Read Antitrust Statement<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Antitrust/Compliance Statement was read.<o:p></o:p></p>
<h3>3. Review Agenda<o:p></o:p></h3>
<h3>4. Approval of minutes from last teleconference<o:p></o:p></h3>
<p class="MsoNormal">The minutes of the April 28 teleconference were approved. <o:p>
</o:p></p>
<h3><span style="color:windowtext">5</span>. Discussion of certificate profile<o:p></o:p></h3>
<p class="MsoNormal">The discussion moved to the <a href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit?usp=sharing">
Mailbox-validation Legacy profile</a>. Discussion moved to the SAN field, relating to internationalized email addresses and otherNames such as UPN resulting in consensus around following requirements:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">All email addresses in Subject must be in SAN. MUST contain at least one item of type rfc822Name or otherName of type id-on-SmtpUTF8Mailbox.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">MUST NOT contain items of type: dNSName, iPAddress, uniformResourceIdentifier.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">otherName values MAY be included. otherNames of type id-on-SmtpUTF8Mailbox MUST be validated in accordance with RFC 8398. otherNames of any other type MUST be validated in accordance with the CA's CPS.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It was agreed there was no need to explicitly allow or prohibit the specific other forms of otherNames. The most common use of the otherNames of any other type is in Enterprise RA situations, and validation practices must be documented
the CA’s CPS. It was agreed that the WG would return to the topic of id-on-SmtpUTF8Mailbox later in context of validation requirements and technical constraints.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The language from RFC 5280 4.2.1.6 regarding criticality applies: “if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty
(an empty sequence), and the subjectAltName extension MUST be present. If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical. When including the subjectAltName extension in a
certificate that has a non-empty subject distinguished name, conforming CAs SHOULD mark the subjectAltName extension as non-critical.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">An extended discussion took place relating to keyUsage, with particular emphasis on the requirements for split versus dual use keys. Clint Wilson provided guidance on Apple Mail’s requirements. The outcome of the discussion is as follows;<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">RSA<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For signing only, bit positions MUST be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> digitalSignature<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Bit positions MAY be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> nonRepudiation/ <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> contentCommitment <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For key management only, bit positions MUST be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> keyEncipherment<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For dual use, bit positions MUST be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> keyEncipherment<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> digitalSignature<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Bit positions MAY be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> nonRepudiation/ <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> contentCommitment<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Other bit positions MUST NOT be set.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">ECC<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For signing only, bit positions MUST be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> digitalSignature<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Bit positions MAY be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> nonRepudiation/ <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> contentCommitment <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For key management only, bit positions MUST be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> keyAgreement <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> Bit positions MAY be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> encipherOnly <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> decipherOnly <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For dual use, bit positions MUST be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> keyAgreement <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> digitalSignature<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Bit positions MAY be set for:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> nonRepudiation/ <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> contentCommitment<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> encipherOnly <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> decipherOnly <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Other bit positions MUST NOT be set.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It was questioned whether any CA issues certificates using the “encipherOnly / decipherOnly” bit positions from the Royal-Halloway key escrow scheme?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Discussion began of the EKU field. It was pointed out that many document signing certificates, such as AATL, used the emailProtection EKU often in conjunction with vendor-specific EKU for signing.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tadahiko Ito described an <a href="https://datatracker.ietf.org/doc/draft-ito-documentsigning-eku/">
IETF Internet-draft</a> that has been introduced to create a generic EKU for document signing, which in future would assist in separating the S/MIME and document signing use cases.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It was suggested that in the Legacy profile, the standard may allow an expansive use of EKU given legacy practice with a more selective allowance in the Multipurpose and Strict profiles. Discussion of EKU and Extensions was deferred until
the next meeting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen Davidson noted that an additional tab called “leaf profile” has been added to the worksheet starting to lay out the other leaf certificate fields that will be in common across the profile types.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h3 style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">
6. Any Other Business<o:p></o:p></h3>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">None<o:p></o:p></p>
<h3>7. Next call<o:p></o:p></h3>
<h3><span style="font-size:11.0pt;font-weight:normal">Next call: Wednesday, May 26, 2021 at 11:00 am Eastern Time
<o:p></o:p></span></h3>
<h3><span lang="DE">Adjourned</span><o:p></o:p></h3>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</body>
</html>