<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">It's an improvement, for sure, but I would
emphasize the "Subject DN" in bold.<br>
</font></p>
<p><font face="Calibri">What do the others think?</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><br>
</p>
<div class="moz-cite-prefix">Il 05/08/2022 16:12, Stephen Davidson
ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:BL1PR14MB5143C37073513E35EB8A8270E59E9@BL1PR14MB5143.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">I had intended that the sentence “Identity
attributes are evidenced by the signing Certificate, not by
the content of the signed document” would deal with such
situations. I can amplify that intent.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">“Identity attributes are evidenced by the
Subject DN of the personal Certificate used to create the
digital signature, not by the content of the signed document.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That resolve your concern?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a> <b>On Behalf Of
</b>Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Friday, August 5, 2022 5:02 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender]
Updates to 3.2.4.1/4 relying on signature for personal
vetting<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello,<o:p></o:p></p>
<p>Regarding section 3.2.4.1 Attribute collection of individual
identity, item 4:<br>
<br>
On the subject of reference frameworks for digital signatures,
I believe there is a problem that should be solved. <o:p></o:p></p>
<p>The AATL framework also includes digital signatures that are
not associated with a "personal certificate" (as required by
§3.2.4.1) and therefore, in my opinion, should not be
accepted. I am referring in particular to the DocuSign remote
signature service in which the signatures are (commonly)
always made with the same key and relative certificate whose
Subject is the DocuSign company itself (and not the person
signing the document). I have not spent a lot of time
investigating the matter, but my understanding is that the
link of the DocuSign signature with the signer is just based
on a previous email exchange. An "ID Verification" step is a
Premium Feature that the average DocuSign user is not obliged
to buy.<o:p></o:p></p>
<p>To plug this security hole, I recommend clarifying in the BR
that DocuSign signatures are only accepted (if ever) only when
made with a /personal certificate/ (i.e., not one issued to
DocuSign, but rather to Johh Smith, Arianna Garcia, François
Bertrand, Hiroshi Nakamura, ecc.)<o:p></o:p></p>
<p>Regards<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 05/08/2022 00:06, Stephen Davidson via
Smcwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div align="center">
<table class="MsoNormalTable" style="width:30.0%"
width="30%" cellpadding="0" border="1">
<tbody>
<tr>
<td style="background:yellow;padding:1.5pt 1.5pt 1.5pt
1.5pt" valign="top">
<p class="MsoNormal"><span style="color:red">NOTICE:</span><span
style="color:black"> Pay attention - external
email - Sender is <a
href="mailto:010001826ae5b527-8ca45c40-e692-4c53-84fa-5296ec0f43f1-000000@amazonses.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">010001826ae5b527-8ca45c40-e692-4c53-84fa-5296ec0f43f1-000000@amazonses.com</a>
</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal" style="text-align:center" align="center"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Certificate Issuer members of the SMCWG
had noted a desire to expand the list of regimes of digital
certificates that may be relied upon in personal
validation. It was also suggested by a Certificate Consumer
that criteria for evaluating these regimes be described.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Based on our discussions, I have proposed
some text in the draft as follows:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><a
href="https://github.com/cabforum/smime/commit/33ce560204eaed4162cb70c919bf9f86ffac90cc"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/smime/commit/33ce560204eaed4162cb70c919bf9f86ffac90cc</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks to Ashish Dhiman and to Eva Van
Steenberge for the help!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Smcwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
</body>
</html>