<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri",sans-serif;
color:black;
mso-ligatures:none;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri",sans-serif;
color:black;
mso-ligatures:none;
font-weight:bold;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<h2><a name="_Hlk116919592">Minutes of SMCWG<o:p></o:p></a></h2>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">December 20, 2023<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">These are the </span>
<span style="mso-bookmark:_Hlk116919592"><span style="color:windowtext">Approved</span> Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.<o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592">Attendees <o:p></o:p></span></h3>
<h3><span style="mso-bookmark:_Hlk116919592"><span style="font-size:11.0pt;font-weight:normal">Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Cade Cairns - (Google), Corey Bonnell - (DigiCert), Dimitris Zacharopoulos - (HARICA),
Don Sheehy - (CPA Canada/WebTrust), Enrico Entschew - (D-TRUST), Eva Vansteenberge - (GlobalSign), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Judith Spencer - (CertiPath), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Paul van
Brouwershaven - (Entrust), Pekka Lahtiharju - (Telia Company), Rebecca Kelley - (Apple), Renne Rodriguez - (Apple), Scott Rea - (eMudhra), Stefan Selbitschka - (rundQuadrat), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno
- (SSL.com), Tim Crawford - (CPA Canada/WebTrust), Tsung-Min Kuo - (Chunghwa Telecom)<o:p></o:p></span></span></h3>
<h3><span style="mso-bookmark:_Hlk116919592">1. Roll Call<o:p></o:p></span></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_Hlk116919592">The Roll Call was taken.<o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592">2. Read Antitrust Statement<o:p></o:p></span></h3>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_Hlk116919592">The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.<o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592">3. Review Agenda<o:p></o:p></span></h3>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Minutes were prepared by Stephen Davidson.</span><span style="mso-bookmark:_Hlk116919592"><span style="color:windowtext">
</span><o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592">4. Approval of minutes from last teleconference<o:p></o:p></span></h3>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">The minutes for the teleconference of December 6 were approved.<o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592">5. Discussion <o:p></o:p></span></h3>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Stephen Davidson confirmed that Ballot SMC04 was published as S/MIME BR 1.0.2 on December 8. See
</span><a href="https://cabforum.org/smime-br/"><span style="mso-bookmark:_Hlk116919592">https://cabforum.org/smime-br/</span></a><span style="mso-bookmark:_Hlk116919592">
for more details.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Stephen said there had been extensive consultation and feedback regarding the addition of CAA for S/MIME to the S/MIME BR, and the intent was to go to ballot at the start of January 2024, proposed
by Corey Bonnell (DigiCert) and endorsed by Dimitris Zacharopoulos (HARICA) and Ben Wilson (Mozilla).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Stephen described the ballot text (seen in updated form) at
</span><a href="https://github.com/cabforum/smime/compare/5fb2a7ee94d1c5684d5f32af11572e8c10cd2f8c...1fbbdc8f908e6eba779b4ea0de1cbfd20e156c3a"><span style="mso-bookmark:_Hlk116919592">https://github.com/cabforum/smime/compare/5fb2a7ee94d1c5684d5f32af11572e8c10cd2f8c...1fbbdc8f908e6eba779b4ea0de1cbfd20e156c3a</span></a><span style="mso-bookmark:_Hlk116919592"><span style="color:windowtext"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Dimitris requested that the references to RFC 8659 be removed as they were incorporated as a normative reference within RFC 9495. Stephen preferred to maintain the text in 4.2.2.1 that ruled out
the TLS property tags for S/MIME but it was agreed that RFC 4945 covered this in sufficient detail. Stephen also agreed to drop the RFC 8659 references.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Bruce Morton queried the language in 4.2.2.1 that required a contract provision for the CA to skip CAA for technically constrained subCAs as it seemed that might require communication with leaf cert
holders. Stephen agreed to clarify the language that the contract was with the subCA not the leaf holders. It was suggested that this change also be made in the TLS BR.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Stephen noted that CAA was one of the areas where coordination was required between the different CABF BR such that requirements are consistent and specified for the same CPS subsections. Paul van
Brouwershaven noted the consolidation analysis underway at </span><a href="https://vanbroup.github.io/documents/#3224-caa-records"><span style="mso-bookmark:_Hlk116919592">https://vanbroup.github.io/documents/#3224-caa-records</span></a><span style="mso-bookmark:_Hlk116919592"><span style="color:windowtext">.</span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Dimitris asked whether additional language needed to be added to the S/MIME BR concerning how the DNS verification of CAA should occur, noting the recent bug at
</span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1839305"><span style="mso-bookmark:_Hlk116919592">https://bugzilla.mozilla.org/show_bug.cgi?id=1839305</span></a><span style="mso-bookmark:_Hlk116919592">.
Stephen noted that there was already detail on this in RFC 8659.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_Hlk116919592">In cases where DNSSEC is not deployed for a corresponding FQDN, an Issuer SHOULD attempt to mitigate this risk by employing appropriate DNS security controls. For example,
all portions of the DNS lookup process SHOULD be performed against the authoritative nameserver. Data cached by third parties MUST NOT be relied on as the sole source of DNS CAA information but MAY be used to support additional anti-spoofing
or anti-suppression controls.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Corey was not aware of anything in the standards that prevented delegation of such a service, but thought it would be difficult to get an audit in such circumstances. Stephen asked if members had
proposals for language to deal with this and questioned whether the topic belonged in the S/MIME BR or rather a higher level requirement like NetSec. Dimitris said that earlier discussions in the ServerCert WG had related to Whois.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Stephen noted that in January the WG would work to finalise another clarifications ballot found at
</span><a href="https://github.com/srdavidson/smime/blob/Ballot-SMC06/SBR.md"><span style="mso-bookmark:_Hlk116919592">https://github.com/srdavidson/smime/blob/Ballot-SMC06/SBR.md</span></a><span style="mso-bookmark:_Hlk116919592">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Stephen thanked members of the WG for their participation and support in 2023, having undertaken the significant task of creating the first standard for an existing and diverse certificate use.
He said it was a good sign of the standard’s clarity that it appeared to have been adopted around the world with few major incidents.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<h3 style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">
<span style="mso-bookmark:_Hlk116919592">6. Any Other Business<o:p></o:p></span></h3>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">None<o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592">7. Next call<o:p></o:p></span></h3>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk116919592">Next call: Wednesday, January 3, 2024 at 11:00 am Eastern Time<o:p></o:p></span></p>
<h3><span style="mso-bookmark:_Hlk116919592"><span lang="DE">Adjourned</span></span><span style="mso-bookmark:_Hlk116919592"></span><o:p></o:p></h3>
</div>
</body>
</html>