<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Suspension is not a well-defined practice (particularly compared to the recently-defined uses of the other CRL codes in the Mozilla policy). <o:p></o:p></p><p class=MsoNormal><br>As best I can tell the most common uses of suspension are in enterprise/internal scenarios where the suspension practices are understood … versus “inter-public” where they are not. For example, the use of certificateHold “for the period between the certificate being issued and being picked up” is very different from “the certificate holder went on leave for a few weeks” or “the CA is looking into a problem report about this cert”.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I can see the utility of suspension for certs whose use is “live”, such as authentication, to pause the use of the credential. But for certs whose activity creates an artifact with a life of its own (such as a signed email), it really becomes problematic, particularly if client side handling is not coordinated amongst Certificate Consumers.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best, Stephen<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Tim Hollebeek via Smcwg-public<br><b>Sent:</b> Thursday, August 25, 2022 3:48 PM<br><b>To:</b> Doug Beattie <doug.beattie@globalsign.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> Re: [Smcwg-public] Certificate Suspension<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Well, the problem is that no existing mail clients do this, and mail clients probably never will. The example you provide shows just how horrible the user experience for suspension really is. The practical effect is that it causes transient validation errors that users cannot possibly understand, which will inevitably cause users to conclude that validation errors happen randomly and can safely be ignored.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On the other hand, I’m aware that lots of CAs out there currently support suspension, for the reasons Dimitris has mentioned. So, based on the principles we’ve sort of agreed to, it should at least live on in the legacy profile.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As a general industry trend, I usually see new ecosystems moving away from suspension as allowed, as it is much easier to handle security systems things only ever go from good to bad, and never the reverse. Whether the additional complexity suspension introduces is necessary or good is in my opinion debatable. The biggest factor to me for the S/MIME BRs is whether it is important enough that certificate consumers will commit the resources to make it work reliably and understandably, perhaps by implementing the sorts of improvements Doug suggested.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I generally think it’s better that suspension is something that goes away over time, but I won’t lose sleep over it if others disagree. As Russ correctly notes, this is probably something we will still be discussing in 2050.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Doug Beattie via Smcwg-public<br><b>Sent:</b> Thursday, August 25, 2022 1:44 PM<br><b>To:</b> SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br><b>Subject:</b> Re: [Smcwg-public] Certificate Suspension<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoPlainText>Then maybe it could/should work like this?<o:p></o:p></p><p class=MsoPlainText> - Sender sends a signed message <o:p></o:p></p><p class=MsoPlainText> - The Sender's certificate gets suspended<o:p></o:p></p><p class=MsoPlainText> - Recipient tries to verify the signature and is told that the Sender's certificate is <span style='color:red'>SUSPENDED</span><o:p></o:p></p><p class=MsoPlainText> - The Sender's certificate gets unsuspended<o:p></o:p></p><p class=MsoPlainText> - Recipient tries to verify the signature from a save folder and is told that the signature is fine<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> On Behalf Of Russ Housley via Smcwg-public<br>Sent: Thursday, August 25, 2022 1:30 PM<br>To: Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br>Cc: SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br>Subject: Re: [Smcwg-public] Certificate Suspension<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Dimitris:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>>> I tend to agree with Stephen. I am unaware of any S/MIME client software that would handle a certificate suspension any differently that a revocation.<o:p></o:p></p><p class=MsoPlainText>> <o:p></o:p></p><p class=MsoPlainText>> Which is perfectly fine and expected when a certificate is "suspended" (i.e. not to be trusted at time of verification). If a S/MIME client software wants to provide some kind of different UI message like "this certificate is currently suspended" instead of "the signing certificate is revoked" and explain what that means, IMO that would be an improvement similar to what's happening with the server TLS user agents providing different user experience depending on the revocationReason code.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>This is a topic that has been discussed over and over since the mid 1990s. It never gets consensus in either direction. I predict that will be the case here too.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I worry about the following series of events leads to confused user:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> - Sender sends a signed message <o:p></o:p></p><p class=MsoPlainText> - The Sender's certificate gets suspended<o:p></o:p></p><p class=MsoPlainText> - Recipient tries to verify the signature and is told that the Sender's certificate is revoked<o:p></o:p></p><p class=MsoPlainText> - The Sender's certificate gets unsuspended<o:p></o:p></p><p class=MsoPlainText> - Recipient tries to verify the signature from a save folder and is told that the signature is fine<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>A normal human will not understand what happened.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Russ<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>_______________________________________________<o:p></o:p></p><p class=MsoPlainText>Smcwg-public mailing list<o:p></o:p></p><p class=MsoPlainText><a href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a><o:p></o:p></p><p class=MsoPlainText><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></p></div></div></body></html>