<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.markedcontent
{mso-style-name:markedcontent;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">I don’t like the “take precedence” approach, because security properties don’t compose very well. The requirements should be clear and unambiguous without having to consider one document as having “precedence”.<o:p></o:p></p>
<p class="MsoNormal">What we instead want to do, I think, is to clarify the scope of each document in a way so they are non-overlapping. The most obvious way would be to decide which 3647 sections belong to which document.<o:p></o:p></p>
<p class="MsoNormal">There are some spots where that is poorly done today, and it’s causing problems in NetSec. The logging and retention requirements are the most obvious example. They’re annoyingly split between the various BRs and NetSec, making them very
challenging to update.<o:p></o:p></p>
<p class="MsoNormal">The other reason I have a problem with NetSec having precedence is I think of it as more fundamental, with the various BRs being layered on top of it. Usually, the layered document has precedence to override the parent. But there’s some
value to being able to say “you can’t override this”. I’ll fail to resist the urge to mention polymorphism, inheritance, and nooverride keywords
<span style="font-family:"Segoe UI Emoji",sans-serif">😊</span> Programmers have been struggling with this since they oriented themselves in the direction of objects.<o:p></o:p></p>
<p class="MsoNormal">We’ve had similar discussions and problems with the Charters / Bylaws interaction, where the charters should be able to modify some things and not others. It’s tricky and hard to get right.<o:p></o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><b>From:</b> Smcwg-public &lt;smcwg-public-bounces@cabforum.org&gt;
<b>On Behalf Of </b>Corey Bonnell via Smcwg-public<br>
<b>Sent:</b> Tuesday, September 13, 2022 9:41 AM<br>
<b>To:</b> Bruce Morton &lt;bruce.morton@entrust.com&gt;; SMIME Certificate Working Group &lt;smcwg-public@cabforum.org&gt;; Hongquan Yin &lt;Hongquan.Yin@microsoft.com&gt;; Stephen Davidson &lt;Stephen.Davidson@digicert.com&gt;<br>
<b>Subject:</b> Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I agree with Bruce.<o:p></o:p></p>
<p class="MsoNormal">The WebTrust SSL Baseline Criteria [1] explicitly reference the NCSSRs as applicable to the operations of CAs regardless of certificate type. In particular, the “Engagement Scoping” section says:<o:p></o:p></p>
<p class="MsoNormal">“<span class="markedcontent"><span style="font-size:9.5pt;line-height:105%;font-family:"Arial",sans-serif">The Network Security Requirements apply to all CAs within a publicly trusted PKI</span></span><br>
<span class="markedcontent"><span style="font-size:9.5pt;line-height:105%;font-family:"Arial",sans-serif">hierarchy, even if those certificates are designed for other uses (i.e., code signing, client</span></span><br>
<span class="markedcontent"><span style="font-size:9.5pt;line-height:105%;font-family:"Arial",sans-serif">authentication, secure email, document signing etc.)”<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="markedcontent"><span style="font-size:9.5pt;line-height:105%;font-family:"Arial",sans-serif"><o:p> </o:p></span></span></p>
<p class="MsoNormal">Given this guidance, I would be rather surprised if there are conflicts. Perhaps one of the WebTrust TF folks here on the list can provide their perspective.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal">[1] <a href="https://www.cpacanada.ca/-/media/site/operational/ep-education-pld/docs/mds21216wtbr-26-rev-august-2022final.pdf?la=en&hash=D96D591D9422E73871B83488D275B9FB78DD1FD7">
https://www.cpacanada.ca/-/media/site/operational/ep-education-pld/docs/mds21216wtbr-26-rev-august-2022final.pdf?la=en&hash=D96D591D9422E73871B83488D275B9FB78DD1FD7</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via Smcwg-public<br>
<b>Sent:</b> Tuesday, September 13, 2022 9:28 AM<br>
<b>To:</b> Hongquan Yin <<a href="mailto:Hongquan.Yin@microsoft.com">Hongquan.Yin@microsoft.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>><br>
<b>Subject:</b> Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Since the NCSSRs apply to TLS, Code Signing and soon to be S/MIME certificates, I would suggest the NCSSRs should take precedence over the certificate documents. I don’t think it would make sense for a CA to be expected to deploy network
security differently based on the certificate being issued.<o:p></o:p></p>
<p class="MsoNormal">I really think this is a non-issue and the certificate working group should correct any conflicts through ballot.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bruce.<o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Hongquan Yin via Smcwg-public<br>
<b>Sent:</b> Tuesday, September 13, 2022 7:41 AM<br>
<b>To:</b> Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">After sharing the guideline with more people in Microsoft, we have some feedback regarding the line below:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">“6.7 Network security controls <o:p>
</o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The CA/Browser Forum’s Network and Certificate System Security Requirements are incorporated by reference as if fully set forth herein.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">While the goal of the NCSSRs is to be certificate agnostic, the history is mostly related to TLS. There’s a risk that a requirement has already been implemented or could be implemented that would conflict with S/MIME requirements. We would
recommend adding a statement that if there are any conflicts, the S/MIME Baseline Requirements take precedence.<o:p></o:p></p>
<p class="MsoNormal">Possibly add a sentence such as: “In the event of a conflict between the S/MIME BRs and the NCSSRs, the S/MIME BRs will take precedence.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif">Thank you for considering the change.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><b><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif">Hongquan Yin</span></b><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> Thursday, September 8, 2022 3:03 PM<br>
<b>To:</b> <a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;background:white"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in">Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
</span></strong><strong><span style="font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in"><o:p></o:p></span></strong></p>
<p style="margin:0in;background:white"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in"><o:p> </o:p></span></strong></p>
<p style="margin:0in;background:white"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in">Purpose of Ballot:</span></strong><o:p></o:p></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;line-height:105%;font-family:"Arial",sans-serif;color:#333333">The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management
of Publicly-Trusted S/MIME Certificates. This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate
lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection
(OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;background:white">The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben
Wilson of Mozilla.</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in">Charter Voting References</span></strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="color:black"><a href="https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Section
5.1 (“Voting Structure”)</span></a></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"> of the SMCWG Charter says:<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot
and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless
of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in">— MOTION BEGINS —</span></strong><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in"><br>
</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><br>
This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">The proposed S/MIME Baseline Requirements may be found at
<a href="https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52">
https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52</a> or the attached document.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final
dates.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in">— MOTION ENDS —</span></strong><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none windowtext 1.0pt;padding:0in"><br>
</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><br>
This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Discussion (7+ days)</span><span style="color:black"><br>
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Start Time: 8 September 2022 17:00 UTC</span><span style="color:black"><br>
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">End Time: 15 September 2022 17:00 UTC<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Vote for approval (7 days)</span><span style="color:black"><br>
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Start Time: 15 September 2022 17:00 UTC</span><span style="color:black"><br>
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">End Time: 22 September 2022 17:00 UTC<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">IPR Review (60 days)<o:p></o:p></span></p>
</div>
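<p class="MsoNormal">The ballot text quoted above identifies an S/MIME Certificate by two facts about its extensions: an Extended Key Usage containing id-kp-emailProtection (1.3.6.1.5.5.7.3.4) and a subjectAltName carrying either an rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox. The Python below is an added example, not code from this thread or from the CA/Browser Forum; it decodes the DER values of those two extensions with the standard library only and applies the rule, so a reader can see exactly which encoded fields the definition turns on. The otherName type OID 1.3.6.1.5.5.7.8.9 (RFC 8398) and the serverAuth OID used for the contrasting TLS-style sample are not on the page, and every input is constructed inline rather than taken from a real certificate.</p>

```python
"""Classifier for the S/MIME identification rule quoted in Ballot SMC01:
EKU contains id-kp-emailProtection AND SAN contains an rfc822Name or an
otherName of type id-on-SmtpUTF8Mailbox.  Stdlib-only DER handling."""

ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"    # quoted in the ballot text
ID_ON_SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"   # RFC 8398; not on the page
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"         # only for the TLS-style sample


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """Wrap content in a DER tag/length/value triple."""
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted):
    """DER-encode a dotted OID whose first arc is 0, 1 or 2 (second arc < 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid for the OID content bytes (tag/length removed)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def iter_tlv(data):
    """Yield (tag, content) for each DER element in a byte string."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def _single_sequence(der, what):
    items = list(iter_tlv(der))
    if len(items) != 1 or items[0][0] != 0x30:
        raise ValueError(what + " value is not a single SEQUENCE")
    return items[0][1]


def parse_ext_key_usage(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    return [decode_oid(c) for t, c in iter_tlv(_single_sequence(der, "EKU")) if t == 0x06]


def parse_subject_alt_name(der):
    """GeneralNames -> [(kind, value)]; otherName kinds carry their type OID."""
    names = []
    for tag, content in iter_tlv(_single_sequence(der, "SAN")):
        if tag == 0xA0:                       # otherName [0] IMPLICIT SEQUENCE
            type_id, explicit = list(iter_tlv(content))[:2]
            inner = list(iter_tlv(explicit[1]))  # value is [0] EXPLICIT ANY
            text = inner[0][1].decode("utf-8", "replace") if inner else ""
            names.append(("otherName:" + decode_oid(type_id[1]), text))
        elif tag == 0x81:                     # rfc822Name [1] IA5String
            names.append(("rfc822Name", content.decode("ascii")))
        elif tag == 0x82:                     # dNSName [2] IA5String
            names.append(("dNSName", content.decode("ascii")))
        else:
            names.append(("tag0x%02x" % tag, content.hex()))
    return names


def is_smime_certificate(eku_der, san_der):
    """Apply the ballot's rule to the DER values of the EKU and SAN extensions."""
    if ID_KP_EMAIL_PROTECTION not in parse_ext_key_usage(eku_der):
        return False
    return any(kind in ("rfc822Name", "otherName:" + ID_ON_SMTP_UTF8_MAILBOX)
               for kind, _ in parse_subject_alt_name(san_der))


# Constructed sample extension values; none comes from a real certificate.
def sample_smime_extensions():
    eku = _tlv(0x30, encode_oid(ID_KP_EMAIL_PROTECTION))
    return eku, _tlv(0x30, _tlv(0x81, b"alice@example.com"))


def sample_smtputf8_extensions():
    eku = _tlv(0x30, encode_oid(ID_KP_EMAIL_PROTECTION))
    other_name = encode_oid(ID_ON_SMTP_UTF8_MAILBOX) + _tlv(
        0xA0, _tlv(0x0C, "ålice@example.com".encode("utf-8")))
    return eku, _tlv(0x30, _tlv(0xA0, other_name))


def sample_tls_extensions():
    eku = _tlv(0x30, encode_oid(ID_KP_SERVER_AUTH))
    return eku, _tlv(0x30, _tlv(0x82, b"www.example.com"))
```

<p class="MsoNormal">The classifier deliberately requires both halves of the rule: an emailProtection EKU paired with only a dNSName, or an rfc822Name paired with a serverAuth-only EKU, is not an S/MIME Certificate under this definition. The three sample constructors give one qualifying certificate of each SAN form and one TLS-style certificate for contrast.</p>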
</div>
</body>
</html>