<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
<div dir="ltr">Aha! Understood! </div>
<div dir="ltr">Thanks for pointing that out; willfix.</div>
<div dir="ltr">best, Stephen</div>
<div dir="ltr"><br>
<blockquote type="cite">On Oct 7, 2021, at 7:20 PM, Russ Housley <housley@vigilsec.com> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">Stephen:
<div class=""><br class="">
</div>
<div class="">I agree that there can be more than one policy OID, but I cannot see a case where there is more than one S/MIME BR reserved OID in the list.</div>
<div class=""><br class="">
</div>
<div class="">Russ<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Oct 7, 2021, at 4:57 PM, Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com" class="">Stephen.Davidson@digicert.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Thanks Russ!<o:p class=""></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
For the policy identifier, I can see this being true for the Strict profile. Might be harder for the Multipurpose and Legacy – which may require an additional OID.<o:p class=""></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
For the other name, will fix.<o:p class=""></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Best regards, Stephen<o:p class=""></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div class="">
<div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<b class="">From:</b><span class="Apple-converted-space"> </span>Russ Housley <<a href="mailto:housley@vigilsec.com" style="color: blue; text-decoration: underline;" class="">housley@vigilsec.com</a>><span class="Apple-converted-space"> </span><br class="">
<b class="">Sent:</b><span class="Apple-converted-space"> </span>Thursday, October 7, 2021 5:13 PM<br class="">
<b class="">To:</b><span class="Apple-converted-space"> </span>Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com" style="color: blue; text-decoration: underline;" class="">Stephen.Davidson@digicert.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org" style="color: blue; text-decoration: underline;" class="">smcwg-public@cabforum.org</a>><br class="">
<b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [Smcwg-public] Stable Draft of S/MIME Certificate Profiles<o:p class=""></o:p></div>
</div>
</div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
I have two comments.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
1) The Leaf Profile Tab includes:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
policyIdentifier - Required<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>- A policyIdentifier MUST be provided that<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
identifies the policy under which the<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
certificate was issued, and MUST NOT be<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
anyPolicy. MUST include the relevant<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
S/MIME BR reserved OID.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
I think this should say that it MUST include one and only one S/MIME BR reserved OID.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
2) The Mailbox-validation Tab includes:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
subjectAltName - All email addresses in Subject must be in SAN.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
MUST contain at least one item of type rfc822Name or<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
otherName of type id-on-SmtpUTF8Mailbox. <o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
MUST NOT contain items of type: dNSName, iPAddress,<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
otherName, uniformResourceIdentifier.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
otherNames of type id-on-SmtpUTF8Mailbox MAY be included<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
and MUST be validated<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Obviously, the intent is to allow otherName of type id-on-SmtpUTF8Mailbox, but the middle paragraph does not say that. It needs to forbid otherName forms other than id-on-SmtpUTF8Mailbox.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Russ<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<br class="">
<br class="">
<o:p class=""></o:p></div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class="">
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
On Sep 30, 2021, at 4:55 PM, Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" style="color: blue; text-decoration: underline;" class="">smcwg-public@cabforum.org</a>> wrote:<o:p class=""></o:p></div>
</div>
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div class="">
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Hello:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
The S/MIME Certificate Working Group has now completed work on a stable draft of the certificate profiles that will be included in the future S/MIME Baseline Requirements.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
The WG requests that members share this with their product and technical teams seeking feedback as the pace will pick up to turn these worksheets into a draft standard:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<a href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0" style="color: blue; text-decoration: underline;" class=""><span style="color: rgb(5, 99, 193);" class="">https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0</span></a><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
The S/MIME BR will apply to “trusted” leaf certs with emailProtection EKU and at least one email address in Subject / SAN.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
By way of explanation of the worksheet:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• SMIME Types – explains the OID structure and cert profile types<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Leaf Profile – explains the certificate fields common to the various cert profile types<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
There are then 4 major cert profiles showing the major differences in Subject, eKU, keyUsage, and extensions:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Mailbox - The simplest S/MIME, including only email address. The same email control verification methods apply across all S/MIME types.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Organizational - Includes Organization details (legal entity). Example uses include invoice or statement mailers, etc.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Sponsored Individual - Includes personal details (for natural person, which may be validated by Enterprise RA) in association with Organisation details (validated by the CA).<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Personal Individual - Includes personal details (for natural person).<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Each of the cert profile types will have three available levels:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Legacy - Allows all public S/MIME to an auditable framework but includes flexibility in allowed field usages and verification. The intent is that this profile will eventually be sunsetted.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Multipurpose - Aligned with the Strict profile, but with more flexibility in the eKU (primarily to allow overlap with existing use cases such as document signing).<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
• Strict - The final goal profile. Strict definition and dedicated eKU.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Discussion is welcomed on list, but we will also dedicate time in our meeting on October 27 for feedback. Tentatively, we will also start considering CA profiles at that time.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
With kind regards,<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Stephen Davidson<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Chair, S/MIME Certificate Working Group</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</body>
</html>