<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">I fail to understand why we mention document signing on a BR specification that is not dealing with such EKU. </div><div dir="ltr">BR/Pedro</div><div dir="ltr"><br><blockquote type="cite">Le 5 août 2022 à 16:13, Stephen Davidson via Smcwg-public <smcwg-public@cabforum.org> a écrit :<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style>@font-face { font-family: "Cambria Math"; }
@font-face { font-family: Calibri; }
@font-face { font-family: Consolas; }
p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif; }
a:link, span.MsoHyperlink { color: rgb(5, 99, 193); text-decoration: underline; }
pre { margin: 0in; font-size: 10pt; font-family: "Courier New"; }
span.HTMLPreformattedChar { font-family: Consolas; }
span.EmailStyle22 { font-family: Calibri, sans-serif; color: windowtext; }
.MsoChpDefault { font-size: 10pt; }
@page WordSection1 { size: 8.5in 11in; margin: 1in; }
div.WordSection1 { page: WordSection1; }</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div class="WordSection1"><p class="MsoNormal">I had intended that the sentence “Identity attributes are evidenced by the signing Certificate, not by the content of the signed document” would deal with such situations. I can amplify that intent.<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">“Identity attributes are evidenced by the Subject DN of the personal Certificate used to create the digital signature, not by the content of the signed document.”<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">That resolve your concern?<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal"><o:p> </o:p></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Adriano Santoni via Smcwg-public<br><b>Sent:</b> Friday, August 5, 2022 5:02 AM<br><b>To:</b> smcwg-public@cabforum.org<br><b>Subject:</b> Re: [Smcwg-public] [External Sender] Updates to 3.2.4.1/4 relying on signature for personal vetting<o:p></o:p></p></div></div><p class="MsoNormal"><o:p> </o:p></p><p>Hello,<o:p></o:p></p><p>Regarding section 3.2.4.1 Attribute collection of individual identity, item 4:<br><br>On the subject of reference frameworks for digital signatures, I believe there is a problem that should be solved. <o:p></o:p></p><p>The AATL framework also includes digital signatures that are not associated with a "personal certificate" (as required by §3.2.4.1) and therefore, in my opinion, should not be accepted. I am referring in particular to the DocuSign remote signature service in which the signatures are (commonly) always made with the same key and relative certificate whose Subject is the DocuSign company itself (and not the person signing the document). I have not spent a lot of time investigating the matter, but my understanding is that the link of the DocuSign signature with the signer is just based on a previous email exchange. An "ID Verification" step is a Premium Feature that the average DocuSign user is not obliged to buy.<o:p></o:p></p><p>To plug this security hole, I recommend clarifying in the BR that DocuSign signatures are only accepted (if ever) only when made with a /personal certificate/ (i.e., not one issued to DocuSign, but rather to Johh Smith, Arianna Garcia, François Bertrand, Hiroshi Nakamura, ecc.)<o:p></o:p></p><p>Regards<o:p></o:p></p><p>Adriano<o:p></o:p></p><p><o:p> </o:p></p><p><o:p> </o:p></p><div><p class="MsoNormal">Il 05/08/2022 00:06, Stephen Davidson via Smcwg-public ha scritto:<o:p></o:p></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div align="center"><table class="MsoNormalTable" border="1" cellpadding="0" width="30%" style="width:30.0%"><tbody><tr><td valign="top" style="background:yellow;padding:1.5pt 1.5pt 1.5pt 1.5pt"><p class="MsoNormal"><span style="color:red">NOTICE:</span><span style="color:black"> Pay attention - external email - Sender is <a href="mailto:010001826ae5b527-8ca45c40-e692-4c53-84fa-5296ec0f43f1-000000@amazonses.com">010001826ae5b527-8ca45c40-e692-4c53-84fa-5296ec0f43f1-000000@amazonses.com</a> </span><o:p></o:p></p></td></tr></tbody></table></div><p class="MsoNormal" align="center" style="text-align:center"><o:p> </o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">Hello:<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Certificate Issuer members of the SMCWG had noted a desire to expand the list of regimes of digital certificates that may be relied upon in personal validation. It was also suggested by a Certificate Consumer that criteria for evaluating these regimes be described.<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Based on our discussions, I have proposed some text in the draft as follows:<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal"><a href="https://github.com/cabforum/smime/commit/33ce560204eaed4162cb70c919bf9f86ffac90cc">https://github.com/cabforum/smime/commit/33ce560204eaed4162cb70c919bf9f86ffac90cc</a><o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Thanks to Ashish Dhiman and to Eva Van Steenberge for the help!<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Regards, Stephen<o:p></o:p></p><p class="MsoNormal"><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre></blockquote></div><span>_______________________________________________</span><br><span>Smcwg-public mailing list</span><br><span>Smcwg-public@cabforum.org</span><br><span>https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=qlmivUJ3oIIfAId8uLbpKycOnVbOAi93yMlNccINSR0&s=y3KFwzRiwwLK3UIGJ_mrW_DZ34fqpiiiTy47fkwQ9lc&e=</span><br></div></blockquote></body></html>