<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Thanks Russ!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>For the policy identifier, I can see this being true for the Strict profile. Might be harder for the Multipurpose and Legacy – which may require an additional OID.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>For the other name, will fix.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best regards, Stephen<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Russ Housley <housley@vigilsec.com> <br><b>Sent:</b> Thursday, October 7, 2021 5:13 PM<br><b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> Re: [Smcwg-public] Stable Draft of S/MIME Certificate Profiles<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I have two comments.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>1) The Leaf Profile Tab includes:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>policyIdentifier - Required<span class=apple-tab-span> </span>- A policyIdentifier MUST be provided that<o:p></o:p></p></div><div><p class=MsoNormal> identifies the policy under which the<o:p></o:p></p></div><div><p class=MsoNormal> certificate was issued, and MUST NOT be<o:p></o:p></p></div><div><p class=MsoNormal> anyPolicy. MUST include the relevant<o:p></o:p></p></div><div><p class=MsoNormal> S/MIME BR reserved OID.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I think this should say that it MUST include one and only one S/MIME BR reserved OID.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>2) The Mailbox-validation Tab includes:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>subjectAltName - All email addresses in Subject must be in SAN.<o:p></o:p></p></div><div><p class=MsoNormal> MUST contain at least one item of type rfc822Name or<o:p></o:p></p></div><div><p class=MsoNormal> otherName of type id-on-SmtpUTF8Mailbox. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> MUST NOT contain items of type: dNSName, iPAddress,<o:p></o:p></p></div><div><p class=MsoNormal> otherName, uniformResourceIdentifier.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> otherNames of type id-on-SmtpUTF8Mailbox MAY be included<o:p></o:p></p></div><div><p class=MsoNormal> and MUST be validated<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Obviously, the intent is to allow otherName of type id-on-SmtpUTF8Mailbox, but the middle paragraph does not say that. It needs to forbid otherName forms other than id-on-SmtpUTF8Mailbox.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Russ<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Sep 30, 2021, at 4:55 PM, Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hello:<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>The S/MIME Certificate Working Group has now completed work on a stable draft of the certificate profiles that will be included in the future S/MIME Baseline Requirements.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>The WG requests that members share this with their product and technical teams seeking feedback as the pace will pick up to turn these worksheets into a draft standard:<o:p></o:p></p></div><div><p class=MsoNormal><a href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0"><span style='color:#0563C1'>https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0</span></a><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>The S/MIME BR will apply to “trusted” leaf certs with emailProtection EKU and at least one email address in Subject / SAN.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>By way of explanation of the worksheet:<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>• SMIME Types – explains the OID structure and cert profile types<o:p></o:p></p></div><div><p class=MsoNormal>• Leaf Profile – explains the certificate fields common to the various cert profile types<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>There are then 4 major cert profiles showing the major differences in Subject, eKU, keyUsage, and extensions:<o:p></o:p></p></div><div><p class=MsoNormal>• Mailbox - The simplest S/MIME, including only email address. The same email control verification methods apply across all S/MIME types.<o:p></o:p></p></div><div><p class=MsoNormal>• Organizational - Includes Organization details (legal entity). Example uses include invoice or statement mailers, etc.<o:p></o:p></p></div><div><p class=MsoNormal>• Sponsored Individual - Includes personal details (for natural person, which may be validated by Enterprise RA) in association with Organisation details (validated by the CA).<o:p></o:p></p></div><div><p class=MsoNormal>• Personal Individual - Includes personal details (for natural person).<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Each of the cert profile types will have three available levels:<o:p></o:p></p></div><div><p class=MsoNormal>• Legacy - Allows all public S/MIME to an auditable framework but includes flexibility in allowed field usages and verification. The intent is that this profile will eventually be sunsetted.<o:p></o:p></p></div><div><p class=MsoNormal>• Multipurpose - Aligned with the Strict profile, but with more flexibility in the eKU (primarily to allow overlap with existing use cases such as document signing).<o:p></o:p></p></div><div><p class=MsoNormal>• Strict - The final goal profile. Strict definition and dedicated eKU.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Discussion is welcomed on list, but we will also dedicate time in our meeting on October 27 for feedback. Tentatively, we will also start considering CA profiles at that time.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>With kind regards,<o:p></o:p></p></div><div><p class=MsoNormal>Stephen Davidson<o:p></o:p></p></div><div><p class=MsoNormal>Chair, S/MIME Certificate Working Group<o:p></o:p></p></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>