<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 13/9/2022 7:01 PM, Stephen
      Davidson wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:BL1PR14MB51431AD59BBCA6238C5445B3E5479@BL1PR14MB5143.namprd14.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">Hi Dimitris:<o:p></o:p></p>
        <p class="MsoNormal">Thank you for the feedback.  Both these
          points were addressed in our earlier discussions regarding the
          draft.<o:p></o:p></p>
        <p class="MsoNormal">On the issue of OCSP support, you may
          recall that there were varying proposals for varying the
          requirements for both CRL and OCSP but the fact remains that
          different root distribution programs have pre-existing
          requirements for both of them.  Thus, the decision was made to
          retain the existing text.  I have suggested that revocation
          services would be a useful focus subject for a future CABF F2F
          as this topic seems to come up in different WGs, and any
          changes must have the support of all the root programs.<o:p></o:p></p>
        <p class="MsoNormal">Similarly, on the issue of C in the Subject
          DN, this was previously discussed several times and the
          decision was made to stick with the current text where the CA MAY
          use the attribute but is not required to.<o:p></o:p></p>
        <p class="MsoNormal">Best regards, Stephen</p>
      </div>
    </blockquote>
    <br>
    I did a quick search in previous minutes and I couldn't find
    consensus for both those topics. If you can point me to these
    previous discussions and minutes that demonstrate consensus among
    the group, it would be very helpful. <br>
    <br>
    For the OCSP topic, you mention that "different root distribution
    programs have pre-existing requirements". Which program, other than
    Microsoft, requires OCSP for S/MIME Certificates?<br>
    <br>
    As things stand, HARICA will be forced to vote "No" to this ballot.<br>
    <br>
    <br>
    Dimitris.<br>
    <blockquote type="cite"
cite="mid:BL1PR14MB51431AD59BBCA6238C5445B3E5479@BL1PR14MB5143.namprd14.prod.outlook.com">
      <div class="WordSection1">
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"
              style="margin-bottom:0in;line-height:normal"><b>From:</b>
              Smcwg-public <a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org">&lt;smcwg-public-bounces@cabforum.org&gt;</a>
              <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
              Smcwg-public<br>
              <b>Sent:</b> Tuesday, September 13, 2022 7:25 AM<br>
              <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
              <b>Subject:</b> Re: [Smcwg-public] Ballot SMC01: Final
              Guideline for “S/MIME Baseline Requirements”<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal"><br>
            After a more detailed review by the HARICA team, we noticed
            some areas of concern that we hope will be considered for
            update by the authors and endorsers of this ballot.<o:p></o:p></p>
          <ul type="disc">
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
              level1 lfo1">
              7.1.2.3 c<o:p></o:p></li>
          </ul>
          <ul type="disc">
            <ul type="circle">
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level2 lfo1">
                authorityInformationAccess (<b>SHALL </b>be present)
                -> authorityInformationAccess (<b>SHOULD
                </b>be present) [Rationale: OCSP is not currently
                required for S/MIME Certificates by all Certificate
                Consumers. Only Microsoft Root Program requires it and
                perhaps this is due to a copy-over from the TLS BRs
                without performing a technical analysis specifically on
                S/MIME or clientAuth or codeSigning Certificates. The
                CSCWG already removed the requirement for OCSP in
                Subscriber Certificates in the CSBRs].<o:p></o:p></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level2 lfo1">
                The authorityInformationAccess extension <b>SHALL </b>contain
                at least one accessMethod value of type id-ad-ocsp that
                specifies the URI of the Issuing CA’s OCSP responder.
                -> The authorityInformationAccess extension
                <b>MAY </b>contain at least one accessMethod value of
                type id-ad-ocsp that specifies the URI of the Issuing
                CA’s OCSP responder. [Rationale: same as above]<o:p></o:p></li>
            </ul>
          </ul>
          <ul type="disc">
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
              level1 lfo1">
              7.1.4.2.4 Subject DN attributes for organization-validated
              profile and 7.1.4.2.5 Subject DN attributes for
              sponsor-validated profile<br>
                  subject:countryName <b>MAY </b>->
              subject:countryName <b>SHALL </b>[Rationale:
              Organization Names must contain a Country Name to indicate
              where this Organization is located. This applies to the
              organization-validated and the sponsor-validated profile.
              It is also referenced in Appendix A - Registration
              Schemes]<o:p></o:p></li>
          </ul>
          <p class="MsoNormal" style="margin-bottom:0in"><br>
            Thank you,<br>
            Dimitris.<br>
            <br>
            <br>
            On 8/9/2022 10:03 AM, Stephen Davidson via Smcwg-public
            wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in">Ballot SMC01: Final
                Guideline for “S/MIME Baseline Requirements”
              </span></strong><o:p></o:p></p>
          <p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in"> </span></strong><o:p></o:p></p>
          <p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in">Purpose of Ballot:</span></strong><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:10.0pt;line-height:105%;font-family:&quot;Arial&quot;,sans-serif;color:#333333">The
              S/MIME Certificate Working Group was chartered to discuss,
              adopt, and maintain policies, frameworks, and standards
              for the issuance and management of Publicly-Trusted S/MIME
              Certificates.  This ballot adopts a new “S/MIME Baseline
              Requirements” that includes requirements for verification
              of control over email addresses, identity validation for
              natural persons and legal entities, key management and
              certificate lifecycle, certificate profiles for S/MIME
              Certificates and Issuing CA Certificates, as well as CA
              operational and audit practices.</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">An
              S/MIME Certificate for the purposes of this document can
              be identified by the existence of an Extended Key Usage
              (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4)
              and the inclusion of a rfc822Name or an otherName of type
              id-on-SmtpUTF8Mailbox in the subjectAltName extension in
              the Certificate.</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;background:white">The
              following motion has been proposed by Stephen Davidson of
              DigiCert and endorsed by Martijn Katerbarg of Sectigo and
              Ben Wilson of Mozilla.</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in">Charter Voting References</span></strong><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
              style="color:black"><a
href="https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure"
                moz-do-not-send="true"><span
                  style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif">Section
                  5.1 (“Voting Structure”)</span></a></span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">
              of the SMCWG Charter says:</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">In
              order for a ballot to be adopted by the SMCWG, two-thirds
              or more of the votes cast by the Certificate Issuers must
              be in favor of the ballot and more than 50% of the votes
              cast by the Certificate Consumers must be in favor of the
              ballot. At least one member of each class must vote in
              favor of a ballot for it to be adopted. Quorum is the
              average number of Member organizations (cumulative,
              regardless of Class) that have participated in the
              previous three (3) SMCWG Meetings or Teleconferences (not
              counting subcommittee meetings thereof).</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in">— MOTION BEGINS —</span></strong><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in"><br>
              </span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"><br>
              This ballot adopts the “Baseline Requirements for the
              Issuance and Management of Publicly-Trusted S/MIME
              Certificates” (“S/MIME Baseline Requirements”) as Version
              1.0.0.</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">The
              proposed S/MIME Baseline Requirements may be found at
              <a
href="https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52"
                moz-do-not-send="true" class="moz-txt-link-freetext">
https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52</a>
              or the attached document.</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">The
              SMCWG Chair or Vice-Chair is permitted to update the
              Relevant Dates and Version Number of the S/MIME Baseline
              Requirements to reflect final dates.</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><strong><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in">— MOTION ENDS —</span></strong><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333;border:none
                windowtext 1.0pt;padding:0in"><br>
              </span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"><br>
              This ballot proposes a Final Guideline. The procedure for
              approval of this ballot is as follows:</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">Discussion
              (7+ days)</span><span style="color:black"><br>
            </span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">Start
              Time: 8 September 2022 17:00 UTC</span><span
              style="color:black"><br>
            </span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">End
              Time: 15 September 2022 17:00 UTC</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">Vote
              for approval (7 days)</span><span style="color:black"><br>
            </span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">Start
              Time: 15 September 2022 17:00 UTC</span><span
              style="color:black"><br>
            </span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">End
              Time: 22 September 2022 17:00 UTC</span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333"> </span><o:p></o:p></p>
          <p style="margin:0in;background:white"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#333333">IPR
              Review (60 days)</span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"
          style="margin-bottom:0in;line-height:normal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
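    <p>Added example, not part of the original thread and not CA/Browser Forum or HARICA tooling: a small lint, written with the pyca/cryptography library, that applies the ballot's definition of an S/MIME Certificate and reports the two profile points debated above (an id-ad-ocsp accessMethod in authorityInformationAccess, and subject:countryName). The <code>sample</code> helper, its names and the OCSP URL are constructed for illustration.</p>

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID as AIA,
                                   ExtendedKeyUsageOID as EKU, NameOID)

SMTP_UTF8_MAILBOX = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.9")  # id-on-SmtpUTF8Mailbox


def ext(cert, cls):
    """Return the extension value of type cls, or None when absent."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def lint(cert):
    """Report the profile points discussed in the thread for one certificate."""
    eku = ext(cert, x509.ExtendedKeyUsage) or []
    san = ext(cert, x509.SubjectAlternativeName) or []
    aia = ext(cert, x509.AuthorityInformationAccess)
    mailbox = any(isinstance(g, x509.RFC822Name) or
                  (isinstance(g, x509.OtherName) and g.type_id == SMTP_UTF8_MAILBOX)
                  for g in san)
    return {
        "smime": EKU.EMAIL_PROTECTION in eku and mailbox,
        "aia_present": aia is not None,
        "aia_ocsp": any(d.access_method == AIA.OCSP for d in aia or []),
        "subject_country": bool(
            cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)),
    }


def sample(with_ocsp, with_country):
    """Constructed self-signed certificate; all names and URLs are made up."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org")]
    if with_country:
        attrs.insert(0, x509.NameAttribute(NameOID.COUNTRY_NAME, "GR"))
    name = x509.Name(attrs)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(datetime.datetime(2022, 9, 13))
         .not_valid_after(datetime.datetime(2023, 9, 13))
         .add_extension(x509.ExtendedKeyUsage([EKU.EMAIL_PROTECTION]), critical=False)
         .add_extension(x509.SubjectAlternativeName(
             [x509.RFC822Name("alice@example.com")]), critical=False))
    if with_ocsp:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AIA.OCSP, x509.UniformResourceIdentifier("http://ocsp.example.com"))]),
            critical=False)
    return b.sign(key, hashes.SHA256())
```

    <p>Under the ballot text as proposed, a certificate with <code>aia_ocsp</code> false would fail 7.1.2.3 c; under the change HARICA suggests it would pass, while an organization-validated or sponsor-validated certificate with <code>subject_country</code> false would fail.</p>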
  </body>
</html>