<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<h2>Minutes of SMCWG<o:p></o:p></h2>
<p class="MsoNormal">January 5, 2022<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These are the <span style="color:windowtext">Approved</span> Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.<o:p></o:p></p>
<h3>Attendees <o:p></o:p></h3>
<h3><span style="font-size:11.0pt;font-weight:normal">Andrea Holland (SecureTrust), Andreas Henschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade Cairns (Google), Clint Wilson (Apple), Corey Bonnell (Digicert), Daniel Zens (GlobalTrust), Dimitris
Zacharopoulos (HARICA), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Mads Henriksveen (Buypass AS), Martijn Katerbarg (Sectigo), Matthias Wiedenhorst (ACAB Council), Mauricio Fernandez (TeleTrust), Miguel Sanchez
(Google), Mrugesh Chandarana (IdenTrust), Patrycja Tulinska (PSW Group), Pekka Lahtiharju (Telia Company), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Russ Housley (Russ Housley), Sebastian Schulz (GlobalSign), Stefan Selbitschka (runQuadrat), Stephen
Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (US Federal PKI Management Authority), Tim Crawford (CPA Canada/WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></span></h3>
<h3>1. Roll Call<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Roll Call was taken.<o:p></o:p></p>
<h3>2. Read Antitrust Statement<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Antitrust/Compliance Statement was read.<o:p></o:p></p>
<h3>3. Review Agenda<o:p></o:p></h3>
<h3>4. Approval of minutes from last teleconference<o:p></o:p></h3>
<p class="MsoNormal">The minutes of the December 22 teleconference were approved.
<o:p></o:p></p>
<h3>5. Discussion <o:p></o:p></h3>
<p class="MsoNormal">The working group discussed the approach to initial identity authentication for Organizations. Stephen Davidson reminded the group that the charter called for the S/MIME Baseline Requirements to leverage existing work created by other
CABF working groups.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen said that section 3.2 of the SMIME BR would lay out the three major components of Subject data used in certificates: Organization information, Mailbox authorization or control, and Individual identity.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bruce Morton questioned if we should be allowing OV vs EV levels for the Org vetting. Dimitris Zacharopoulos said that EV was possibly much higher than is used by many CAs for S/MIME today and wondered if there was broad support from Cert
Consumers for that higher level. Corey Bonnell noted that Apple had asked for a unique identifier to be verified for Org subjects.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Clint Wilson reiterated that Apple was looking for a high standard of verification, and that EVG was already approved and is proven so might be easier for us to adopt – but that’s not to say it is the only acceptable option. Ben Wilson
said that some of the additional checks in EVG like operational existence may not be deemed essential as they were vestiges of early concepts in EV that leaned heavily on site visits for the vetting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The group discussed the use of the EV Guidelines for the Organization vetting, walking thru the actual EVG text on screen at some length. The EVG do not follow RFC 3647, so elements of EVG section 11 will be adopted as appropriate for
the S/MIME BR. There was discussion whether to attempt to update/consolidate the EVG text, or to make only minimum changes to the previously approved text in order to simplify approval of S/MIME BR v1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was discussion whether the S/MIME use required the check of the Org legal existence – or if the additional EVG sections on physical existence or operational existence where required. Ben Wilson noted that the physical checks where
normally easily done via the same data sources but allowed expanded checks if a different address from the registration is desired to be used. Dimitris noted that EVG requires these address checks even if the cert includes no address information.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Russ Housely noted that we needed to verify that the Org that is vetted is the Org that has email control over the domain where those methods are used.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The information relating to roles and validation of authority – which is intermingled with the Org vetting in the EVG – will most likely be pulled into a separate subsection per RFC 3647.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen noted that he would start pushing some of the draft text up to the github repository at
<a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md">https://github.com/cabforum/smime/blob/preSBR/SBR.md</a><span style="color:windowtext"> which should make it easier for members to review in context.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h3 style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">
6. Any Other Business<o:p></o:p></h3>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">None<o:p></o:p></p>
<h3>7. Next call<o:p></o:p></h3>
<h3><span style="font-size:11.0pt;font-weight:normal">Next call: Wednesday, January 19, 2022 at 11 a.m. US Eastern.<o:p></o:p></span></h3>
<h3><span lang="DE">Adjourned</span><o:p></o:p></h3>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</body>
</html>