<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Wendy:<div class=""><br class=""></div><div class="">I think there will be more than one policy OID, except in the mailbox-validation case.  However, I cannot see a case where more than one S/MIME BR reserved OID is in the list.</div><div class=""><br class=""></div><div class="">Russ<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 7, 2021, at 5:46 PM, Wendy Brown - QT3LB-C <<a href="mailto:wendy.brown@gsa.gov" class="">wendy.brown@gsa.gov</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Russ <div class="">Are you suggesting only 1 SMIME BR policy in a given certificate, or also prohibiting the inclusion of a policy OID specific to the issuing CA defined in their own CP in addition to the specific SMIME BR policy OID?</div><div class=""><br class=""></div><div class="">Thanks,<br clear="all" class=""><div class=""><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><p class=""><span style="font-family:"Segoe Script",sans-serif" class="">Wendy</span></p><p class=""><span style="font-size:12.8px" class="">Wendy Brown<br class=""></span><span style="font-size:12.8px" class="">Supporting GSA FPKI<br class=""></span><span style="font-size:12.8px" class="">Protiviti Government
Services</span></p><p class=""> 703-965-2990 (cell)</p><p class=""><a href="mailto:wendy.brown@gsa.gov" style="font-size:12.8px" target="_blank" class="">wendy.brown@gsa.gov</a><br class=""><a href="mailto:wendy.brown@protiviti.com" style="font-family:Calibri,sans-serif" target="_blank" class="">wendy.brown@protiviti.com</a></p></div></div></div></div></div></div></div></div></div></div></div><br class=""></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 7, 2021 at 5:00 PM Russ Housley via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" class="">smcwg-public@cabforum.org</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" class=""><div class="">I have two comments.</div><div class=""><br class=""></div><div class="">1) The Leaf Profile Tab includes:</div><div class=""><br class=""></div><div class="">policyIdentifier - Required<span style="white-space:pre-wrap" class="">    </span>- A policyIdentifier MUST be provided that</div><div class="">                              identifies the policy under which the</div><div class="">                              certificate was issued, and MUST NOT be</div><div class="">                              anyPolicy. 
MUST include the relevant</div><div class="">                              S/MIME BR reserved OID.</div><div class=""><br class=""></div><div class="">I think this should say that it MUST include one and only one S/MIME BR reserved OID.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">2) The Mailbox-validation Tab includes:</div><div class=""><br class=""></div><div class="">subjectAltName - All email addresses in Subject must be in SAN.</div><div class="">                 MUST contain at least one item of type rfc822Name or</div><div class="">                 otherName of type id-on-SmtpUTF8Mailbox. </div><div class=""><br class=""></div><div class="">                 MUST NOT contain items of type: dNSName, iPAddress,</div><div class="">                 otherName, uniformResourceIdentifier.</div><div class=""><br class=""></div><div class="">                 otherNames of type id-on-SmtpUTF8Mailbox MAY be included</div><div class="">                 and MUST be validated</div><div class=""><br class=""></div><div class="">Obviously, the intent is to allow otherName of type id-on-SmtpUTF8Mailbox, but the middle paragraph does not say that.  
It needs to forbid otherName forms other than id-on-SmtpUTF8Mailbox.</div><div class=""><br class=""></div><div class="">Russ</div><div class=""><br class=""></div><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Sep 30, 2021, at 4:55 PM, Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank" class="">smcwg-public@cabforum.org</a>> wrote:</div><br class=""><div class=""><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class=""><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">Hello:<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">The S/MIME Certificate Working Group has now completed work on a stable draft of the certificate profiles that will be included in the future S/MIME Baseline Requirements.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">The WG requests that members share this with their product and technical teams seeking feedback as the pace will pick up to turn these worksheets into a draft standard:<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><a href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0" style="color:rgb(5,99,193);text-decoration:underline" target="_blank" class="">https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0</a><u 
class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">The S/MIME BR will apply to “trusted” leaf certs with emailProtection EKU and at least one email address in Subject / SAN.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">By way of explanation of the worksheet:<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             SMIME Types – explains the OID structure and cert profile types<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Leaf Profile – explains the certificate fields common to the various cert profile types<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">There are then 4 major cert profiles showing the major differences in Subject, eKU, keyUsage, and extensions:<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Mailbox - The simplest S/MIME, including only email address. The same email control verification methods apply across all S/MIME types.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Organizational - Includes Organization details (legal entity). 
Example uses include invoice or statement mailers, etc.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Sponsored Individual - Includes personal details (for natural person, which may be validated by Enterprise RA) in association with Organisation details (validated by the CA).<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Personal Individual - Includes personal details (for natural person).<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">Each of the cert profile types will have three available levels:<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Legacy - Allows all public S/MIME to an auditable framework but includes flexibility in allowed field usages and verification.  The intent is that this profile will eventually be sunsetted.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Multipurpose - Aligned with the Strict profile, but with more flexibility in the eKU (primarily to allow overlap with existing use cases such as document signing).<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">•             Strict - The final goal profile.  
Strict definition and dedicated eKU.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">Discussion is welcomed on list, but we will also dedicate time in our meeting on October 27 for feedback.  Tentatively, we will also start considering CA profiles at that time.<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">With kind regards,<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">Stephen Davidson<u class=""></u><u class=""></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">Chair, S/MIME Certificate Working Group<u class=""></u><u class=""></u></div></div></div></blockquote></div><br class=""></div>_______________________________________________<br class="">
Smcwg-public mailing list<br class="">
<a href="mailto:Smcwg-public@cabforum.org" target="_blank" class="">Smcwg-public@cabforum.org</a><br class="">
<a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" rel="noreferrer" target="_blank" class="">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br class="">
</blockquote></div>
</div></blockquote></div><br class=""></div></body></html>