<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I agree with the assessment that the NCSSRs are mostly related to TLS.
This means that for certificate types not related to existing CA/B
Forum Guidelines (TLS, Code Signing), some CAs might find it really
surprising having to implement the entirety of the NCSSRs,
especially the air-gapped/offline RootCA requirements for S/MIME
hierarchies.<br>
<br>
It's also very challenging for a CA to implement a roll-over S/MIME
hierarchy (with an air-gapped/offline Root CA) within 3-6 months and
complete Root inclusion requests, get ubiquity and so on.<br>
<br>
Dear Hongquan, is this the major concern, or do you see other issues
with the adoption of the NCSSRs for S/MIME hierarchies in the SMBRs?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 13/9/2022 2:40 PM, Hongquan Yin
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018336a6d880-85e82066-04f7-472d-8ace-0300246156d2-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal" style="line-height:105%">After sharing the
guideline with more people in Microsoft, we have some feedback
regarding the line below:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;line-height:105%">“6.7
Network security controls
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;line-height:105%">The
CA/Browser Forum’s Network and Certificate System Security
Requirements are incorporated by reference as if fully set
forth herein.”<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%"><o:p> </o:p></p>
<p class="MsoNormal" style="line-height:105%">While the goal of
the NCSSRs is to be certificate agnostic, the history is
mostly related to TLS. There’s a risk that a requirement has
already been implemented or could be implemented that would
conflict with S/MIME requirements. We would recommend adding a
statement that if there are any conflicts, the S/MIME
Baseline Requirements take precedence.<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">Possibly add a
sentence such as: “In the event of a conflict between the
S/MIME BRs and the NCSSRs, the S/MIME BRs will take
precedence.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal"><span
style="font-size:10.0pt;font-family:&quot;Segoe UI&quot;,sans-serif">Thank you for considering the change.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal"><b><span
style="font-size:10.0pt;font-family:&quot;Segoe UI&quot;,sans-serif">Ho</span></b><span
style="font-size:10.0pt;font-family:&quot;Segoe UI&quot;,sans-serif">ngquan
<b>Yi</b>n</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal"><b>From:</b>
Smcwg-public <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> Thursday, September 8, 2022 3:03 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Smcwg-public] Ballot SMC01:
Final Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in">Ballot SMC01: Final
Guideline for “S/MIME Baseline Requirements”
</span></strong><strong><span
style="font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in"><o:p></o:p></span></strong></p>
<p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in"><o:p> </o:p></span></strong></p>
<p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in">Purpose of Ballot:</span></strong><o:p></o:p></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;line-height:105%;font-family:"Arial",sans-serif;color:#333333">The
S/MIME Certificate Working Group was chartered to discuss,
adopt, and maintain policies, frameworks, and standards for
the issuance and management of Publicly-Trusted S/MIME
Certificates. This ballot adopts a new “S/MIME Baseline
Requirements” that includes requirements for verification of
control over email addresses, identity validation for
natural persons and legal entities, key management and
certificate lifecycle, certificate profiles for S/MIME
Certificates and Issuing CA Certificates, as well as CA
operational and audit practices.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">An
S/MIME Certificate for the purposes of this document can be
identified by the existence of an Extended Key Usage (EKU)
for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the
inclusion of a rfc822Name or an otherName of type
id-on-SmtpUTF8Mailbox in the subjectAltName extension in the
Certificate.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;background:white">The
following motion has been proposed by Stephen Davidson of
DigiCert and endorsed by Martijn Katerbarg of Sectigo and
Ben Wilson of Mozilla.</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in">Charter Voting References</span></strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span style="color:black"><a
href="https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">Section
5.1 (“Voting Structure”)</span></a></span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">
of the SMCWG Charter says:<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">In
order for a ballot to be adopted by the SMCWG, two-thirds or
more of the votes cast by the Certificate Issuers must be in
favor of the ballot and more than 50% of the votes cast by
the Certificate Consumers must be in favor of the ballot. At
least one member of each class must vote in favor of a
ballot for it to be adopted. Quorum is the average number of
Member organizations (cumulative, regardless of Class) that
have participated in the previous three (3) SMCWG Meetings
or Teleconferences (not counting subcommittee meetings
thereof).<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in">— MOTION BEGINS —</span></strong><b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in"><br>
</span></b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><br>
This ballot adopts the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted S/MIME
Certificates” (“S/MIME Baseline Requirements”) as Version
1.0.0.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">The
proposed S/MIME Baseline Requirements may be found at
<a
href="https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52"
moz-do-not-send="true">
https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52</a>
or the attached document.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">The
SMCWG Chair or Vice-Chair is permitted to update the
Relevant Dates and Version Number of the S/MIME Baseline
Requirements to reflect final dates.<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in">— MOTION ENDS —</span></strong><b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333;border:none
windowtext 1.0pt;padding:0in"><br>
</span></b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><br>
This ballot proposes a Final Guideline. The procedure for
approval of this ballot is as follows:<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Discussion
(7+ days)</span><span style="color:black"><br>
</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Start
Time: 8 September 2022 17:00 UTC</span><span
style="color:black"><br>
</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">End
Time: 15 September 2022 17:00 UTC<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Vote
for approval (7 days)</span><span style="color:black"><br>
</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">Start
Time: 15 September 2022 17:00 UTC</span><span
style="color:black"><br>
</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">End
Time: 22 September 2022 17:00 UTC<o:p></o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#333333">IPR
Review (60 days)<o:p></o:p></span></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Smcwg-public@cabforum.org">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/smcwg-public">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>