<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Stephen,<br>
<br>
<div class="moz-cite-prefix">On 24/8/2022 10:00 p.m., Stephen
Davidson via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000182d13a4008-4589a69b-63ae-4222-ae7a-46a17192c80f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">Hi Ben:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for the comment. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe that support for suspension is
not appropriate for the publicly-trusted S/MIME for the
following reasons:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">For S/MIME
recipients this could be confusing, for example in the case
that a signature on an email could be valid or not on
different days, with no explanation. The CABF stance for
publicly-trusted certificates has been that once a
certificate is "bad" on a CRL it can't be "unbad".</li>
</ul>
</div>
</blockquote>
<br>
I understand the confusion between different CABF WGs but the SCWG
places requirements for TLS Certificates used for server
authentication and the SMCWG is about Certificates used for signing
S/MIME messages. A signing Certificate that was used to sign a
message may be checked/verified more than once at different times. <br>
<br>
A signing certificate may become suspended during an investigation
by the CA after some third-party report. That means that the signer
should refrain from signing until this investigation is concluded.
If the signer continues to sign messages during this "suspension"
period, the signatures should not be verified as valid.<br>
<br>
If the conclusion of the investigation is that the certificate needs
to be permanently revoked, then the signatures created using that
key and certificate will be permanently invalid from the time the
certificate became suspended. If the result is the opposite, then
the certificate is reinstated (entry is removed from the CRL) and
all signatures will be valid, even during the time of "suspension".<br>
<br>
The suspension period is usually reasonably small to minimize this
window of "I check something now and it is invalid, but X days later
it is valid".<br>
<br>
<blockquote type="cite"
cite="mid:01000182d13a4008-4589a69b-63ae-4222-ae7a-46a17192c80f-000000@email.amazonses.com">
<div class="WordSection1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">For
Certificate Issuers, this could also create undesired
inconsistency in revocation handling across publicly-trusted
certificate types, particularly in light of the changes
implemented recently to create CRL consistency under the
Mozilla policy for TLS.</li>
</ul>
</div>
</blockquote>
<br>
I'm not sure why you are bringing in the server TLS policy. This is
the S/MIME WG and we should focus on rules that reasonably apply to
S/MIME Certificates. If a CA wants to issue different types of
certificates (TLS, Code Signing, S/MIME), they need to follow
different rules and policies. CAs can certainly follow different
policies for different certificate types as we've seen in the past,
or use the strictest rules among various policies and apply for all
types. For example, there are currently no global rules for
performing identity validation for S/MIME Certificates and there are
plenty of CAs that are not using the documented identity validation policies
described in the TLS or CodeSigning BRs to validate identity in
S/MIME Certificates.<br>
<br>
The revocation handling discussion and decision by Mozilla was
focused on TLS Certificates, not S/MIME. The S/MIME use cases were
not considered in the discussion.<br>
<br>
<blockquote type="cite"
cite="mid:01000182d13a4008-4589a69b-63ae-4222-ae7a-46a17192c80f-000000@email.amazonses.com">
<div class="WordSection1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">For
Certificate Consumers, we have no known “default” for how
revocation checking is performed in client software, or how
the certificateHold revocation code is treated.<o:p></o:p></li>
</ul>
</div>
</blockquote>
<br>
Isn't this already described in RFC 5280? If an implementation
decides not to follow the RFC and considers a signing certificate as
"valid" despite being listed in a CRL with revocationReason
"certificateHold", then IMHO it's a problematic implementation.<br>
<br>
<blockquote type="cite"
cite="mid:01000182d13a4008-4589a69b-63ae-4222-ae7a-46a17192c80f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I recall the WG did review this draft
section about a year ago, but as there was no comment (often
the case with ‘pick ups’ from other CABF standards) the topic
is not specifically acknowledged in the minutes.</p>
</div>
</blockquote>
<br>
It's quite possible that other topics have not been reviewed in
depth because, realistically, there are too many topics to cover :-)
I'm glad that Ben brought this up and gave the opportunity for other
members to take a closer look.<br>
<br>
FWIW, certificate suspension is a challenging topic but not an
option we should disallow from the very beginning. The WG has agreed
to be more inclusive and cover use cases that are currently in
existence. Certificate suspension is one of those cases.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:01000182d13a4008-4589a69b-63ae-4222-ae7a-46a17192c80f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best, Stephen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Ben Wilson via Smcwg-public<br>
<b>Sent:</b> Wednesday, August 17, 2022 2:44 PM<br>
<b>To:</b> SMIME Certificate Working Group
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public@cabforum.org">&lt;smcwg-public@cabforum.org&gt;</a><br>
<b>Subject:</b> [Smcwg-public] Certificate Suspension<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Question - did we previously discuss
and decide on "Certificate Suspension"?
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The draft I'm looking at says, "###
4.9.13 Circumstances for suspension<br>
The Repository SHALL NOT include entries that indicate
that a Certificate is suspended."<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Don't some legacy implementations allow
suspension?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Ben<o:p></o:p></p>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>