<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Hello all:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">This is a correction to the minutes from the SMWC call of March 30, 2022. The first two paragraphs should be updated as follows<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">The WG discuss the organizationalIdentifer as described in Appendix A. This text was adopted from the EVG. One of the registration schemes is called VAT, after its origin in ETSI EN 319 412-1 section 5.1.4. A
PR to the SBR draft was submitted to create new schemes for tax systems that are not VAT (for example in Japan). Stephen Davidson pointed out that the draft (as does the EVG) expands from the ETSI text to allow any “identifier allocated by the national tax
authorities to a Legal Entity”. Dimitris <b>Zacharopoulos</b> provided background that the ETSI prefix used to be TAX but was divided in ETSI 319 412<i>-1</i> to VAT for legal entities and TIN for natural persons. Following discussion, it was agreed this
was acceptable. Therefore, the PR can be closed.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">Dimitris pointed out that section 3.2.3.1.1 of the draft requires CAs to disclose
<b><i>Incorporating or Registration Agencies</i></b> but does not require CAs to disclose
<b><i>all Information Sources used, for example the tax authorities</i></b><i>.<o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I will also correct the language on the CABF website.<o:p></o:p></p>
<p class="MsoNormal">Thanks for the correction!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> Thursday, April 21, 2022 6:44 PM<br>
<b>To:</b> SMIME Certificate Working Group <smcwg-public@cabforum.org><br>
<b>Subject:</b> [Smcwg-public] Approved Minutes of SMCWG March 30, 2022<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Minutes of SMCWG<o:p></o:p></h2>
<p class="MsoNormal">March 30, 2022<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These are the <span style="color:windowtext">Approved</span> Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.<o:p></o:p></p>
<h3>Attendees <o:p></o:p></h3>
<h3><span style="font-size:11.0pt;font-weight:normal">Adrian Mueller (SwissSign), Ashish Dhiman (GlobalSign), Bruce Morton (Entrust), Cade Cairns (Google), Clint Wilson (Apple), Corey Bonnell (Digicert), Daniel Zens (GlobalTrust), Dimitris Zacharopoulos (HARICA),
Don Sheehy (CPA Canada/WebTrust), Eusebio Herrera (AC Camerfirma SA), Fotis Loukos (Google), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Joanna Fox (TrustCor Systems), Li-Chun Chen (Chunghwa Telecom), Martijn
Katerbarg (Sectigo), Mauricio Fernandez (TeleTrust), Mrugesh Chandarana (IdenTrust), Patrycja Tulinska (PSW), Pedro Fuentes (OISTE Foundation), Pekka Lahtiharju (Telia Company), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Stephen Davidson (Digicert),
Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (US Federal PKI Management Authority), Tim Crawford (CPA Canada/WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></span></h3>
<h3>1. Roll Call<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Roll Call was taken.<o:p></o:p></p>
<h3>2. Read Antitrust Statement<o:p></o:p></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Antitrust/Compliance Statement was read.<o:p></o:p></p>
<h3>3. Review Agenda<o:p></o:p></h3>
<h3>4. Approval of minutes from last teleconference<o:p></o:p></h3>
<p class="MsoNormal">The minutes of the March 16 teleconference were approved. The minutes from the F2F will be separately distributed.<o:p></o:p></p>
<h3>5. Discussion <o:p></o:p></h3>
<p class="MsoNormal">The draft the S/MIME Baseline Requirements is available at <a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md">
https://github.com/cabforum/smime/blob/preSBR/SBR.md</a> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The WG discuss the organizationalIdentifer as described in Appendix A. This text was adopted from the EVG. One of the registration schemes is called VAT, after its origin in ETSI EN 319 412-1 section 5.1.4. A PR to the SBR draft was
submitted to create new schemes for tax systems that are not VAT (for example in Japan). Stephen Davidson pointed out that the draft (as does the EVG) expands from the ETSI text to allow any “identifier allocated by the national tax authorities to a Legal
Entity”. Dimitris provided background that the ETSI prefix used to be TAX but was divided in ETSI 319 412 to VAT for legal entities and TIN for natural persons. Following discussion, it was agreed this was acceptable. Therefore, the PR can be closed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dimitris Zacharopoulos pointed out that section 3.2.3.1.1 of the draft requires CAs to disclose registration authorities but does not require CAs to disclose the tax authorities used.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It was raised that the definition in Appendix A required the LEI to be FULLY-CORROBRATED but the that restriction was not covered in the ISO 17442 field in 7.1.2.3. The same stipulation applies in all cases. In addition, Stephen pointed
out that a new ISO 5009 provided additional information on the role LEI, and said he’d follow up to see if additional description was required.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The WG had extensive discussion on the commonName field, providing flexibility for the use of personal name style in that field versus the formality of the givenName and surname fields. Comments for clarity and corrections on the text
were suggested by Wendy Brown and Bruce Morton. Clint Wilson wanted to ensure that the name in the commonName must be linked to the verified ID – giving the example of how to deal with nicknames like Sasha for Alexander in Bulgaria. Corey Bonnell suggested
picking up the language from the Org name which states that common variations should be allowed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen noted that titles (such as Dr) if included in the commonNane are intended to be verified. Stephen agreed to make edits to the draft based on the discussion; see
<a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md#311-types-of-names">
https://github.com/cabforum/smime/blob/preSBR/SBR.md#311-types-of-names</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The WG moved on to discuss the Pseudonym attribute. The draft currently ties use of the Pseudonym to a government ID – but Germany’s national ID is the only known ID with that attribute. It was suggested that this was not adequately flexible
for many use cases, such as government officials whose role is more important than their name. It was suggested that additional flexibility could be created in the sponsor-validated profile. It was emphasized that Pseudonym certs are not intended to be anonymous.
Dimitris said the most secure way to handle Pseudonym would be for the CA to insert a random value. Eusebio Herrera said that account number or employee numbers were often used. He offered to provide additional input in the form of a PR. This is now drafted
at <a href="https://github.com/cabforum/smime/blob/preSBR/SBR.md#313-anonymity-or-pseudonymity-of-subscribers">
https://github.com/cabforum/smime/blob/preSBR/SBR.md#313-anonymity-or-pseudonymity-of-subscribers</a>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen emphasized that the document is close to ready for the “preballot review” discussed in previous calls, so members should begin alerting their internal organisation contacts that will need to be involved.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h3 style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">
6. Any Other Business<o:p></o:p></h3>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">None<o:p></o:p></p>
<h3>7. Next call<o:p></o:p></h3>
<h3><span style="font-size:11.0pt;font-weight:normal">Next call: Wednesday, April 13, 2022 at 11 a.m. US Eastern.<o:p></o:p></span></h3>
<h3><span lang="DE">Adjourned</span><o:p></o:p></h3>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</body>
</html>