<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Stephen,<br>
</font></p>
<p><font face="Calibri">I regret not having participated in the
discussion on this issue at the time, and I apologize again for
raising this issue only now. <br>
</font></p>
<p><font face="Calibri">However, I remain of the opinion that the
"real time" requirement is an exaggeration for S/MIME
certificates (while it is undoubtedly appropriate for eIDAS
qualified signature certificates). <br>
</font></p>
<p><font face="Calibri">Neither Mozilla nor Microsoft require ETSI
audits on S/MIME certificates to be based on an NCP type policy:
both browser vendors accept the LCP policy, as can be seen from
their respective root store program websites. If I am mistaken,
please Ben and Karina correct me.<br>
</font></p>
<p><font face="Calibri">However, if the other CAs reading us here
(and especially those that issue IV S/MIME certificates) believe
that §</font><font face="Calibri"><span class="fontstyle0">3.2.4.2
</span>is fine AS IS, it is important to realize that it clashes
with some (many?) of their current procedures. From the moment
these BRs are enacted and referred to by at least one root store
policy, those CA's procedures immediately become non-compliant.
If everyone realizes this and is okay with it, then it's fine to
me too; otherwise let's talk about it.</font></p>
<p>I want to point out that I am not questioning the value of "real
time" from a security point of view, but I don't understand why an
IV S/MIME cert should be more secure than an IV SSL cert (for
which no "real time" is required for the scan of a photo id). Both
are issued to natural persons and should be equally secure, at
least. Indeed, an IV SSL cert should in my opinion be more secure
than an IV S/MIME cert, given that its possible insecurity impacts
on many more subjects.<br>
</p>
<p>I am saying this only as a matter of logic, not because it is "a
priori" necessary that the SSL BR and the S/MIME BR are aligned.<br>
</p>
<p>On top of that, I think we all agree that the S/MIME BR should
reflect current procedures, at least for the "legacy" generation;
how about requiring "real time" for the "strict" generation?</p>
<p>Adriano</p>
<p><br>
</p>
<div class="moz-cite-prefix">Il 25/10/2022 15:38, Stephen Davidson
ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:CH0PR14MB5139B6ADD2E3AB372EEA78A0E5319@CH0PR14MB5139.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
line-height:normal;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
line-height:normal;
font-size:10.0pt;
font-family:"Courier New";}span.fontstyle0
{mso-style-name:fontstyle0;}span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<title></title>
<div align="center">
<table width="30%" cellspacing="2" cellpadding="2" border="1">
<tbody>
<tr>
<td valign="top" bgcolor="#ffff00"> <span style="color:
red;">NOTICE:</span> Pay attention - external email -
Sender is <a class="moz-txt-link-abbreviated" href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a> </td>
</tr>
</tbody>
</table>
<br>
</div>
<br>
<div class="WordSection1">
<p class="MsoNormal">Hello Adriano:<o:p></o:p></p>
<p class="MsoNormal">This text has been in the draft S/MIME BR
for
close to 10 months and has been reviewed at some
length.<o:p></o:p></p>
<p class="MsoNormal">Certificate Consumers stated that
information
included in the Subject DN needs to be reliably validated, and
that
a link needs to be made between the Subject and the cert,
whether
the Subject is a legal entity or a real natural
person.<o:p></o:p></p>
<p class="MsoNormal">The requirement in question was derived
from
ETSI TS 119 461, which defines baseline procedures aimed at
delivering at the NCP (Normalized Certificate Policy)
level.<o:p></o:p></p>
<p class="MsoNormal">The issue with some legacy practices is
that
separate images of the ID and a user could be harvested and
presented without the Subject’s knowledge. By requiring their
linked collection, the standard seeks to improve security in
the
remote vetting methods.<o:p></o:p></p>
<p class="MsoNormal">Best, Stephen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal">
<b>From:</b> Smcwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:smcwg-public-bounces@cabforum.org"><smcwg-public-bounces@cabforum.org></a>
<b>On Behalf Of</b> Adriano Santoni via Smcwg-public<br>
<b>Sent:</b> Monday, October 24, 2022 5:34 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Smcwg-public] [External Sender]
Ballot
SMC01v3: Final Guideline for “S/MIME Baseline
Requirements”<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>All,<o:p></o:p></p>
<p>I apologize for raising doubts at the very "last
minute", but since the SMC BR are about to be put to the vote,
I wanted to give them a complete re-reading and I noticed a
passage
that leaves me a little perplexed.<o:p></o:p></p>
<p class="MsoNormal">Maybe this aspect was discussed at length,
but
then I missed that discussion - sorry about that (in
case).<o:p></o:p></p>
<p>Under "<span class="fontstyle0">3.2.4.2 Validation of
individual identity</span>" we have the following
sentence:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span class="fontstyle0">The CA or RA MAY
use
manual (in person) or remote procedures. A remote process
SHALL
ensure that the Applicant has the document in hand and
presents the
document <i>in real‐time</i> in front of a camera.</span>
<o:p></o:p></p>
</blockquote>
<p>Where did we borrow "in real-time" from? Not from the
TLS BR nor from EVGL, it seems. <o:p></o:p></p>
<p>What's the rationale for that? It seems too demanding, to me,
for S/MIME certificates.<o:p></o:p></p>
<p>Several CAs that I am aware of are doing individual identity
verification (for S/MIME certificates) based on a Photo ID and
a
selfie (showing both the Applicant and his/her Photo ID), and
this
latter is not required to be taken in "real
time".<o:p></o:p></p>
<p>I am therefore a bit surprised that all the people here agree
on
this "in real time" which implies the non-compliance of
current procedures and the need to move to more complex and
more
expensive procedures. Seems a bit excessive for S/MIME
certificates.<o:p></o:p></p>
<p class="MsoNormal">Adriano <o:p></o:p></p>
<p><o:p> </o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 14/10/2022 20:12, Stephen Davidson via
Smcwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div align="center">
<table class="MsoNormalTable" style="width:30.0%"
width="30%" cellpadding="0" border="1">
<tbody>
<tr>
<td style="background:yellow;padding:1.0pt 1.0pt 1.0pt
1.0pt" valign="top">
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal">
<span style="color:red">NOTICE:</span> <span
style="color:black">Pay attention - external
email - Sender is <a
href="mailto:01000183d7b27b10-4ccf8875-64fd-49e8-817e-0df9fe3a5117-000000@amazonses.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">
01000183d7b27b10-4ccf8875-64fd-49e8-817e-0df9fe3a5117-000000@amazonses.com</a></span>
<o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"
style="margin-bottom:0in;text-align:center;line-height:normal"
align="center">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal">
<o:p> </o:p></p>
<p class="MsoPlainText"><b>Ballot SMC01v3: Final Guideline for
“S/MIME Baseline Requirements”</b> <o:p></o:p></p>
<p class="MsoPlainText"><b> </b><o:p></o:p></p>
<p class="MsoPlainText"><i>Note: the voting period for this
ballot
will commence following the SMCWG session at the upcoming
CA/B
Forum face-to-face Meeting 57.</i><o:p></o:p></p>
<p class="MsoPlainText"><b> </b><o:p></o:p></p>
<p class="MsoPlainText"><b>Purpose of Ballot:</b><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">The S/MIME Certificate Working Group
was
chartered to discuss, adopt, and maintain policies,
frameworks, and
standards for the issuance and management of
Publicly-Trusted
S/MIME Certificates. This ballot adopts a new “S/MIME
Baseline Requirements” that includes requirements for
verification
of control over email addresses, identity validation for
natural
persons and legal entities, key management and certificate
lifecycle, certificate profiles for S/MIME Certificates and
Issuing
CA Certificates, as well as CA operational and audit
practices.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">An S/MIME Certificate for the purposes
of
this document can be identified by the existence of an
Extended Key
Usage (EKU) for id-kp-emailProtection (OID:
1.3.6.1.5.5.7.3.4) and
the inclusion of a rfc822Name or an otherName of type
id-on-SmtpUTF8Mailbox in the subjectAltName extension in the
Certificate.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">The following motion has been proposed
by
Stephen Davidson of DigiCert and endorsed by Martijn
Katerbarg of
Sectigo and Ben Wilson of Mozilla.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">In accordance with the By-Laws, the
discussion period has been extended with the distribution of
this
new version of the ballot, incorporating content that arose
during
the discussion period including regarding the use of
suspension and
updating ETSI references in section 8.2.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"><b>Charter Voting
References</b><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Section 5.1 (“Voting Structure”) of
the
SMCWG Charter says:<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">In order for a ballot to be adopted by
the
SMCWG, two-thirds or more of the votes cast by the
Certificate
Issuers must be in favor of the ballot and more than 50% of
the
votes cast by the Certificate Consumers must be in favor of
the
ballot. At least one member of each class must vote in favor
of a
ballot for it to be adopted. Quorum is the average number of
Member
organizations (cumulative, regardless of Class) that have
participated in the previous three (3) SMCWG Meetings or
Teleconferences (not counting subcommittee meetings
thereof).<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"><b>— MOTION BEGINS —</b><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">This ballot adopts the “Baseline
Requirements for the Issuance and Management of
Publicly-Trusted
S/MIME Certificates” (“S/MIME Baseline Requirements”) as
Version
1.0.0.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">The proposed S/MIME Baseline
Requirements
may be found at <a
href="https://github.com/cabforum/smime/pull/178/files"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/smime/pull/178/files</a>
or the attached document. A redline of changes since the
SMC01 Ballot discussion started may be found at <a
href="https://github.com/cabforum/smime/compare/28c0b904fe54f1c5f6c71d18c4786a3e02c76f52...b1ff7867dc85392e4c57b1993ed571e61e34dee2"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://github.com/cabforum/smime/compare/28c0b904fe54f1c5f6c71d18c4786a3e02c76f52...b1ff7867dc85392e4c57b1993ed571e61e34dee2</a>
<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">The SMCWG Chair or Vice-Chair is
permitted
to update the Relevant Dates and Version Number of the
S/MIME
Baseline Requirements to reflect final dates.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"><b>— MOTION ENDS —</b><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">This ballot proposes a Final
Guideline. The
procedure for approval of this ballot is as follows:<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Discussion (7+ days)<o:p></o:p></p>
<p class="MsoPlainText">Start Time: 14 October 2022 14:00 ET
(US
Eastern)<o:p></o:p></p>
<p class="MsoPlainText">End Time: not before 21 October 2022
14:00
ET (US Eastern)<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Vote for approval (7 days)<o:p></o:p></p>
<p class="MsoPlainText">Start Time: To be confirmed<o:p></o:p></p>
<p class="MsoPlainText">End Time: To be confirmed<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">IPR Review (60 days)<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal">
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Smcwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
</body>
</html>