<div dir="ltr">Russ <div>Re you suggesting only 1 SMIME BR policy in a given certificate or also prohibiting the inclusion of a policy oid specific to the issuing CA defined in their own CP in addition to the specific SMIME BR policy OID?</div><div><br></div><div>Thanks,<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p><span style="font-family:"Segoe Script",sans-serif">Wendy</span></p>
<p><span style="font-size:12.8px">Wendy Brown<br></span><span style="font-size:12.8px">Supporting GSA FPKI<br></span><span style="font-size:12.8px">Protiviti Government
Services</span></p>
<p> 703-965-2990 (cell)</p>
<p><a href="mailto:wendy.brown@gsa.gov" style="font-size:12.8px" target="_blank">wendy.brown@gsa.gov</a><br><a href="mailto:wendy.brown@protiviti.com" style="font-family:Calibri,sans-serif" target="_blank">wendy.brown@protiviti.com</a></p></div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 7, 2021 at 5:00 PM Russ Housley via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><div>I have two comments.</div><div><br></div><div>1) The Leaf Profile Tab includes:</div><div><br></div><div>policyIdentifier - Required<span style="white-space:pre-wrap"> </span>- A policyIdentifier MUST be provided that</div><div> identifies the policy under which the</div><div> certificate was issued, and MUST NOT be</div><div> anyPolicy. MUST include the relevant</div><div> S/MIME BR reserved OID.</div><div><br></div><div>I think this should say that it MUST include one and only one S/MIME BR reserved OID.</div><div><br></div><div><br></div><div>2) The Mailbox-validation Tab includes:</div><div><br></div><div>subjectAltName - All email addresses in Subject must be in SAN.</div><div> MUST contain at least one item of type rfc822Name or</div><div> otherName of type id-on-SmtpUTF8Mailbox. </div><div><br></div><div> MUST NOT contain items of type: dNSName, iPAddress,</div><div> otherName, uniformResourceIdentifier.</div><div><br></div><div> otherNames of type id-on-SmtpUTF8Mailbox MAY be included</div><div> and MUST be validated</div><div><br></div><div>Obviously, the intent is to allow otherName of type id-on-SmtpUTF8Mailbox, but the middle paragraph does not say that. It needs to forbid otherName forms other than id-on-SmtpUTF8Mailbox.</div><div><br></div><div>Russ</div><div><br></div><div><br><blockquote type="cite"><div>On Sep 30, 2021, at 4:55 PM, Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>> wrote:</div><br><div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">Hello:<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">The S/MIME Certificate Working Group has now completed work on a stable draft of the certificate profiles that will be included in the future S/MIME Baseline Requirements.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">The WG requests that members share this with their product and technical teams seeking feedback as the pace will pick up to turn these worksheets into a draft standard:<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0" style="color:rgb(5,99,193);text-decoration:underline" target="_blank">https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=0</a><u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">The S/MIME BR will apply to “trusted” leaf certs with emailProtection EKU and at least one email address in Subject / SAN.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">By way of explanation of the worksheet:<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• SMIME Types – explains the OID structure and cert profile types<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Leaf Profile – explains the certificate fields common to the various cert profile types<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">There are then 4 major cert profiles showing the major differences in Subject, eKU, keyUsage, and extensions:<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Mailbox - The simplest S/MIME, including only email address. The same email control verification methods apply across all S/MIME types.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Organizational - Includes Organization details (legal entity). Example uses include invoice or statement mailers, etc.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Sponsored Individual - Includes personal details (for natural person, which may be validated by Enterprise RA) in association with Organisation details (validated by the CA).<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Personal Individual - Includes personal details (for natural person).<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">Each of the cert profile types will have three available levels:<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Legacy - Allows all public S/MIME to an auditable framework but includes flexibility in allowed field usages and verification. The intent is that this profile will eventually be sunsetted.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Multipurpose - Aligned with the Strict profile, but with more flexibility in the eKU (primarily to allow overlap with existing use cases such as document signing).<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">• Strict - The final goal profile. Strict definition and dedicated eKU.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">Discussion is welcomed on list, but we will also dedicate time in our meeting on October 27 for feedback. Tentatively, we will also start considering CA profiles at that time.<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">With kind regards,<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">Stephen Davidson<u></u><u></u></div><div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">Chair, S/MIME Certificate Working Group<u></u><u></u></div></div></div></blockquote></div><br></div>_______________________________________________<br>
Smcwg-public mailing list<br>
<a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br>
</blockquote></div>