<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1850096938;
mso-list-template-ids:1365033224;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Telia has also customers that Pedro is referring to. I support Pedro’s idea that we would divide RA responsibility in this case so that ERA gives a right to use company’s prevalidated O, ST, C values and CA validates that each user can
read their (gmail) mailbox by sending random code to that. If we are restricted to mailbox-validated profile it won’t fit for all current use cases.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Br Pekka<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Pedro FUENTES via Smcwg-public<br>
<b>Sent:</b> torstai 16. helmikuuta 2023 16.45<br>
<b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com><br>
<b>Cc:</b> SMIME Certificate Working Group <smcwg-public@cabforum.org><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL]- Clarifications on Section 1.3.2.1<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So I have to go back to my previous question, asking for the motivation to stipulate such limitation.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Demonstrating control on each mailbox is actually stronger than having a general validation for the whole domain, so I don’t see what’s the issue to still allow it.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 16 Feb 2023, at 15:39, Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">In such case, the recommendation would be for the company to use the Mailbox-validated profile.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>Pedro FUENTES <<a href="mailto:pfuentes@WISEKEY.COM">pfuentes@WISEKEY.COM</a>><span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Thursday, February 16, 2023 10:20 AM<br>
<b>To:</b><span class="apple-converted-space"> </span>Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span>SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [EXTERNAL]-[Smcwg-public] Clarifications on Section 1.3.2.1<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Sorry, but I think you don’t see my point here...<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Imagine the following situation… There’s a company, “XYZ, Co.” With 50 employees, but they use gmail accounts.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Why can’t we give them rights to operate an ERA that entitles them to issue certificates containing the pre-validated O, ST, C fields in the subject name, and still use gmail accounts, if we allow 3.2.2.2, control on each individual mailbox
is verified by the CA?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">P<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">On 16 Feb 2023, at 15:14, Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Hi Pedro:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Half joking, I assert that assumptions carry little weight in compliance.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">The ERA is delegated RA power to “issue certs for its internal users” containing identity information. The boundaries for its internal users are email domains it either controls or is authorized to use. Thus the reference to 3.2.2.1 and
3.2.2.3 which make that link between the ERA and the domain.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">3.2.2.2 only verifies mailbox control – not the entire domain – so may be used for Mailbox-validated certificates which contain no identity information in the Subject.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Best, Stephen<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>Pedro FUENTES <<a href="mailto:pfuentes@WISEKEY.COM">pfuentes@WISEKEY.COM</a>><span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Thursday, February 16, 2023 10:03 AM<br>
<b>To:</b><span class="apple-converted-space"> </span>Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span>SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [EXTERNAL]-[Smcwg-public] Clarifications on Section 1.3.2.1<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Hi Steven<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Although I understand the practical reason for assuming that the domain would be linked to the referenced org, I don’t understand the motivation for making this a compliance requirement. <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Could you please explain the choice for the “must” here?<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">BR/P<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">On 16 Feb 2023, at 14:55, Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hi Pedro:<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">The purpose of Section 1.3.2.1 is to describe the delegation from the CA to an Enterprise RA (ERA) for “internal” certs issued to domains controlled by the ERA.<o:p></o:p></p>
</div>
</div>
</div>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1">As the `Organization-validated` or `Sponsor-validated` profiles contain identity information, the entire email domain must be linked to the referenced org using 3.2.2.1 or 3.2.2.3. <o:p></o:p></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1">As the `Mailbox-validated` profile contains no identity info, 3.2.2.2 may alternatively be used to affirm the certificate holder has control over the mailbox.<o:p></o:p></li></ul>
<div>
<div>
<div>
<p class="MsoNormal">Sure, the CA can additionally deploy 3.2.2.2 for `Organization-validated` or `Sponsor-validated` profiles if it wishes, but only in addition to 3.2.2.1 or 3.2.2.3.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">We added a reference to “external” certs in Section 1.3.2.1 as well to make it clear that ERAs issuing to emails not on their domains should be using the `Mailbox-validated` profile.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<div>
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>Pedro FUENTES <<a href="mailto:pfuentes@WISEKEY.COM">pfuentes@WISEKEY.COM</a>><span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Thursday, February 16, 2023 5:37 AM<br>
<b>To:</b><span class="apple-converted-space"> </span>Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span>SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [EXTERNAL]-[Smcwg-public] Clarifications on Section 1.3.2.1<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Hi Stephen,<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Actually this is not what I was pointing, as I was mentioning that I failed to see why the ERA can’t use 3.2.2.2 also to validate the email address for `Organization-validated` or `Sponsor-validated` profiles. It’s clear that this would
be uncommon, but the current wording would disallow that.<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">I’d say that what the intent here is to ensure that 3.2.2.1 and 3.2.2.3 are only used for domains that are "under control" of the ERA, but I have the feeling that the way this is worded is overcomplicating it.<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">If we think in an ERA in the context of TLS, nothing stops the ERA to issue DV certificates for ANY whole domain once the control has been appropriately demonstrated (e.g. DNS Change or other acceptable methods), and in the TLS BR there’s
no such complexity, because the validation of domains and validation of identity are clearly separated. And the TLS BR is not considering such concept of “control” (as this is a tricky point as Martijn just pointed out while I was writing this).<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">I’d have to think about this, but I wonder if we could find a way to reformulate all this, because at the end the idea is that if the organization name or any other identity attribute appears in the certificate, it needs to be appropriately
validated according to the BR, and making these differences we see in the S/MIME BR on the validations to be done depending on the certificate profile and linking it to the domain validation, I’d say is making all quite more complex… and BTW, these are one
of the reasons we couldn’t vote “Yes” in the ballot, because I still see too many things we can’t properly grasp.<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">So, in very blunt words that would need tons of polishing…<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">- The CA may delegate to the RA issuance to any email address in a particular domain if the RA can prove control via 3.2.2.1 or 3.2.2.3<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">- If the RA can’t prove control on the whole domain through the above methods, then 3.2.2.2 method is required to validate each individual email address<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">And the above would be independent on the certificate profile or domain ownership, because the identity attributes must anyway be validated, but I’m taking here about the domain/email validation only.<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">My 2 cents...<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">BR/P<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal">On 16 Feb 2023, at 00:23, Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hi Pedro:<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">I see. So what you are describing is something like this?<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Thanks for the feedback.<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Best, Stephen<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">The CA MAY delegate to an Enterprise Registration Authority (RA) to verify Certificate Requests from the Enterprise RA's own organization. The CA SHALL NOT accept Certificate Requests authorized by an Enterprise RA unless the following
requirements are satisfied:<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:black;background:yellow">1. If the Certificate Request is for a `Mailbox-validated` profile, the CA SHALL confirm that the Enterprise RA has authorization or control of the requested email domain(s) in accordance with
[Section 3.2.2.1](#3221-validating-authority-over-mailbox-via-domain), [Section 3.2.2.2](#3222-validating-control-over-mailbox-via-email) or [Section 3.2.2.3](#3223-validating-applicant-as-operator-of-associated-mail-servers). </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:black;background:yellow"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:black;background:yellow">2. If the Certificate Request is for an `Organization-validated` or `Sponsor-validated` profile, the CA SHALL confirm that the Enterprise RA has authorization or control of the requested email
domain(s) in accordance with [Section 3.2.2.1](#3221-validating-authority-over-mailbox-via-domain) or [Section 3.2.2.3](#3223-validating-applicant-as-operator-of-associated-mail-servers).</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:black;background:yellow"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:black;background:yellow">3.</span><span class="apple-converted-space"> </span>The CA SHALL confirm that the `subject:organizationName` name is either that of the delegated enterprise, or an Affiliate of the delegated
enterprise, or that the delegated enterprise is an agent of the named Subject. For example, the CA SHALL NOT issue a Certificate containing the Subject name "XYZ Co." on the authority of Enterprise RA "ABC Co.", unless the two companies are Affiliated as defined
in [Section 3.2](#32-initial-identity-validation) or "ABC Co." is the agent of "XYZ Co". This requirement applies regardless of whether the accompanying requested email domain falls within the subdomains of ABC Co.'s Registered Domain Name.<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">The CA SHALL impose these limitations as a contractual requirement on the Enterprise RA and monitor compliance by the Enterprise RA in accordance with [Section 8.8](#88-review-of-delegated-parties).<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">An Enterprise RA MAY also submit Certificate Requests using the `Mailbox-validated` profile for users whose email domain(s) are not under the delegated organization’s authorization or control. In this case, the CA SHALL confirm that the
mailbox holder has control of the requested Mailbox Address(es) in accordance with [Section 3.2.2.2](#3222-validating-control-over-mailbox-via-email).<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>Pedro FUENTES <<a href="mailto:pfuentes@WISEKEY.COM">pfuentes@WISEKEY.COM</a>><span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Wednesday, February 15, 2023 5:49 PM<br>
<b>To:</b><span class="apple-converted-space"> </span>Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [EXTERNAL]-[Smcwg-public] Clarifications on Section 1.3.2.1<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hello,<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">I missed today’s call, but as I commented by chat in the last call the main issue was that old “No 2” was a general statement for RAs issuing `Mailbox-validated` profile, without discriminating “internal” or “external” users, so the intent,
as reflected in the wording of V1.0.0 was totally different to what is stated now. <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Said that, the new wording is much closer to what we’d have liked to see there in the first version, but I fail to understand why the ERA can’t use 3.2.2.2 also for domains they control, if they wish to do so. <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">BR/P<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On 15 Feb 2023, at 22:16, Stephen Davidson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hello:<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
As discussed on the call today, here are some edits to clarify the text in Section 1.3.2.1 regarding Enterprise RA.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_srdavidson_smime_commit_49bacdf09b3bb3b27a78ece305ec08987cbd026f&d=DwMFAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=WYfdoRzScaol1-kBJZN-eB_a3JYZXE66C6fSI19dnM4&s=NHMBpU9z__vB4mxuRsqTnGQi4UXorb-GvjEdJh7HL0I&e="><span style="color:#0563C1">https://github.com/srdavidson/smime/commit/49bacdf09b3bb3b27a78ece305ec08987cbd026f</span></a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">To wit:<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoListParagraph" style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:38.25pt;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif"> <span class="apple-converted-space"> </span></span>The ERA may issue `Mailbox-validated`, `Organization-validated` or `Sponsor-validated`
profiles to email domains they control (i.e., “internal”) using Section 3.2.2.1 (TLS BR methods) or Section 3.2.2.3 (DNS method)<o:p></o:p></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:38.25pt;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif"> <span class="apple-converted-space"> </span></span>The ERA may request `Mailbox-validated` profiles for email domains they do
NOT control (i.e., “external”) with the CA using Section 3.2.2.2 (mailbox control)<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">I do not believe this text changes the intent of the existing v1.0.0 but rather presents a clearer description.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Feedback is welcomed; otherwise this will be included in an eventual cleanup ballot.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Regards, Stephen<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
Smcwg-public mailing list<br>
</span><a href="mailto:Smcwg-public@cabforum.org"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#0563C1">Smcwg-public@cabforum.org</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
</span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=WYfdoRzScaol1-kBJZN-eB_a3JYZXE66C6fSI19dnM4&s=ovVhqoYDOBq5cU7-2M83J1hqeqx2y783SNtJ5c7QBU8&e="><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#0563C1">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=WYfdoRzScaol1-kBJZN-eB_a3JYZXE66C6fSI19dnM4&s=ovVhqoYDOBq5cU7-2M83J1hqeqx2y783SNtJ5c7QBU8&e=</span></a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt;color:#F62400"><br>
WISeKey SA</span></b><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt">Pedro Fuentes<br>
</span></b><span style="font-size:8.5pt">CSO - Trust Services Manager</span><span style="font-size:9.0pt"><br>
</span><span style="font-size:7.5pt">Office: + 41 (0) 22 594 30 00<br>
Mobile: + 41 (0) </span><span style="font-size:10.0pt">791 274 790</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.5pt">Address: Avenue Louis-Casaï 58 | </span><span style="font-size:10.0pt">1216 Cointrin | Switzerland</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:9.0pt">Stay connected with <a href="http://www.wisekey.com/"><span style="color:#F62400">WISeKey</span></a><br>
</span></b><span style="font-size:7.5pt;color:darkgray"><br>
<br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;color:#78A600">THIS IS A TRUSTED MAIL</span></b><span style="font-size:7.5pt;color:#78A600">: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature
to avoid security risks</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt;color:darkgray"><br>
<br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">CONFIDENTIALITY: </span></b><span style="font-size:7.0pt;color:darkgray">This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or
entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">DISCLAIMER: </span></b><span style="font-size:7.0pt;color:darkgray">WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or
omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for
viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt;color:#F62400"><br>
WISeKey SA</span></b><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt">Pedro Fuentes<br>
</span></b><span style="font-size:8.5pt">CSO - Trust Services Manager</span><span style="font-size:9.0pt"><br>
</span><span style="font-size:7.5pt">Office: + 41 (0) 22 594 30 00<br>
Mobile: + 41 (0) </span><span style="font-size:10.0pt">791 274 790</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.5pt">Address: Avenue Louis-Casaï 58 | </span><span style="font-size:10.0pt">1216 Cointrin | Switzerland</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:9.0pt">Stay connected with <a href="http://www.wisekey.com/"><span style="color:#F62400">WISeKey</span></a><br>
</span></b><span style="font-size:7.5pt;color:darkgray"><br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;color:#78A600">THIS IS A TRUSTED MAIL</span></b><span style="font-size:7.5pt;color:#78A600">: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature
to avoid security risks</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt;color:darkgray"><br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">CONFIDENTIALITY: </span></b><span style="font-size:7.0pt;color:darkgray">This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or
entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">DISCLAIMER: </span></b><span style="font-size:7.0pt;color:darkgray">WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or
omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for
viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt;color:#F62400"><br>
WISeKey SA</span></b><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt">Pedro Fuentes<br>
</span></b><span style="font-size:8.5pt">CSO - Trust Services Manager</span><span style="font-size:9.0pt"><br>
</span><span style="font-size:7.5pt">Office: + 41 (0) 22 594 30 00<br>
Mobile: + 41 (0) </span><span style="font-size:10.0pt">791 274 790</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.5pt">Address: Avenue Louis-Casaï 58 | </span><span style="font-size:10.0pt">1216 Cointrin | Switzerland</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:9.0pt">Stay connected with <a href="http://www.wisekey.com/"><span style="color:#F62400">WISeKey</span></a><br>
</span></b><span style="font-size:7.5pt;color:darkgray"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;color:#78A600">THIS IS A TRUSTED MAIL</span></b><span style="font-size:7.5pt;color:#78A600">: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature
to avoid security risks</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt;color:darkgray"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">CONFIDENTIALITY: </span></b><span style="font-size:7.0pt;color:darkgray">This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or
entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">DISCLAIMER: </span></b><span style="font-size:7.0pt;color:darkgray">WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or
omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for
viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt;color:#F62400"><br>
WISeKey SA</span></b><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt">Pedro Fuentes<br>
</span></b><span style="font-size:8.5pt">CSO - Trust Services Manager</span><span style="font-size:9.0pt"><br>
</span><span style="font-size:7.5pt">Office: + 41 (0) 22 594 30 00<br>
Mobile: + 41 (0) </span><span style="font-size:10.0pt">791 274 790</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.5pt">Address: Avenue Louis-Casaï 58 | </span><span style="font-size:10.0pt">1216 Cointrin | Switzerland</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:9.0pt">Stay connected with <a href="http://www.wisekey.com/"><span style="color:#F62400">WISeKey</span></a><br>
</span></b><span style="font-size:7.5pt;color:darkgray"><br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;color:#78A600">THIS IS A TRUSTED MAIL</span></b><span style="font-size:7.5pt;color:#78A600">: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature
to avoid security risks</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt;color:darkgray"><br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">CONFIDENTIALITY: </span></b><span style="font-size:7.0pt;color:darkgray">This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or
entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">DISCLAIMER: </span></b><span style="font-size:7.0pt;color:darkgray">WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or
omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for
viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt;color:#F62400"><br>
WISeKey SA</span></b><o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:8.5pt;color:black">Pedro Fuentes<br>
</span></b><span style="font-size:8.5pt;color:black">CSO - Trust Services Manager</span><span style="font-size:9.0pt;color:black"><br>
</span><span style="font-size:7.5pt;color:black">Office: + 41 (0) 22 594 30 00<br>
Mobile: + 41 (0) </span><span style="font-size:10.0pt;color:black">791 274 790</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:7.5pt;color:black">Address: </span><span style="font-size:7.5pt">Avenue Louis-Casaï 58 | </span><span style="font-size:10.0pt">1216 Cointrin | Switzerland</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:9.0pt;color:black">Stay connected with <a href="http://www.wisekey.com"><span style="color:#F62400">WISeKey</span></a><br>
</span></b><span style="font-size:7.5pt;color:darkgray"><br>
<br>
</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;color:#78A600">THIS IS A TRUSTED MAIL</span></b><span style="font-size:7.5pt;color:#78A600">: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature
to avoid security risks</span><span style="font-size:9.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt;color:darkgray"><br>
<br>
</span><span style="font-size:9.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">CONFIDENTIALITY: </span></b><span style="font-size:7.0pt;color:darkgray">This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or
entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</span><span style="font-size:9.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.0pt;color:darkgray">DISCLAIMER: </span></b><span style="font-size:7.0pt;color:darkgray">WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or
omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for
viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</span><span style="font-size:9.0pt;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<div style="font-size:9pt; font-family: 'Calibri',sans-serif;"><br>
<i>This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing,
distributing or retaining copies thereof or disclosing its contents to any other person.
<br>
<br>
Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s
<a href="https://www.teliacompany.com/en/about-the-company/privacy/">Privacy Policy</a>.</i>
<br>
<br>
<br>
</div>
</body>
</html>