<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0cm;
margin-right:0cm;
margin-bottom:8.0pt;
margin-left:0cm;
line-height:115%;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
line-height:normal;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:8.0pt;
margin-left:36.0pt;
line-height:115%;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle27
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1432706150;
mso-list-template-ids:88667650;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:2035107102;
mso-list-template-ids:-981147818;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style></head><body lang=en-SE link="#467886" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;mso-fareast-language:EN-US'>Hi Adriano,<br><br>My immediate concern would be the scenario where, say, in 2024 someone gets an S/MIME IV certificate issued based on current validation practices. Then in 2 years’ time, they renew based on their existing S/MIME certificate. Then in another two years, again, and yet again. Soon, we’ll be 10 years since the original validation took place, and ever since then the CA has relied upon an existing S/MIME certificate (or CA’s, if the Subscriber is switching to a different vendor) without any additional verification. <br><br>Additionally, currently there’s no requirement to indicate in an SV certificate if an Enterprise RA was used or not. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;mso-fareast-language:EN-US'>The second item could be solved by adding an indicator for that into the certificate (see <a href="https://github.com/cabforum/smime/issues/12">https://github.com/cabforum/smime/issues/12</a>), but I’m not sure how we’d solve the second one, and I’d be very hesitant to support something like that without a proper time limit in place at which point re-validation would need to occur. 
<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;mso-fareast-language:EN-US'>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='color:black'>From: </span></b><span style='color:black'>Smcwg-public &lt;smcwg-public-bounces@cabforum.org&gt; on behalf of Adriano Santoni via Smcwg-public &lt;smcwg-public@cabforum.org&gt;<br><b>Date: </b>Monday, 13 May 2024 at 15:32<br><b>To: </b>SMIME Certificate Working Group &lt;smcwg-public@cabforum.org&gt;<br><b>Subject: </b>[Smcwg-public] Allowing a signature made with an S/MIME IV or SV certificate as an additional individual identity validation method<o:p></o:p></span></p></div><p class=MsoNormal style='line-height:normal'><o:p> </o:p></p><div><p><span style='font-family:"Calibri",sans-serif'>Hi all,</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>I already made the following proposal previously, both in writing here on the mailing list and also verbally during the last call (at the very last minutes as it was not on the agenda, sorry), but I don't see it mentioned in the call minutes of May 8 below, so I'll try to propose it again. 
<br><br>Among the methods for the "Validation of individual identity" (SMBR 3.2.4.2), as part of the validation process of a request for an S/MIME IV certificate (or an SV certificate, where there is no Enterprise RA involved), I think it would make sense to admit - in addition to a digital signature based on an eIDAS-compliant qualified certificate - also a digital signature based on another S/MIME IV or SV (BR-compliant) certificate of the applicant. This seems quite logical to me considering the rigor inherent in the validation requirements already established by the S/MIME BR to date. </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>At least in the case of <i>renewal</i>, I think it would be completely logical and safe to accept a request signed by the applicant with his/her current S/MIME IV or SV certificate (the one soon to expire) without the need to perform a further "verification of individual identity" with other methods. </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>If this idea for some reason doesn't seem practical or useful or safe enough, I'd like someone to explain their objections or concerns.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>Thank you all for your attention.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>Adriano</span><o:p></o:p></p><p><o:p> </o:p></p><div><p class=MsoNormal>On 11/05/2024 22:02, Stephen Davidson via Smcwg-management wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-bottom:0cm;line-height:normal'><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:0cm'>## Minutes of SMCWG<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>May 8, 2024<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>These are the Draft Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## Attendees<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>Abhishek Bhat - (eMudhra), Adriano Santoni - (Actalis S.p.A.), Aggie Wang - (TrustAsia), Andrea Holland - (VikingCloud), Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Dimitris Zacharopoulos - (HARICA), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Judith Spencer - (CertiPath), Keshava Nagaraju - (eMudhra), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Morad Abou Nasser - (TeleTrust), Mrugesh Chandarana - (IdenTrust), Nome Huang - (TrustAsia), Rebecca Kelly - (SSL.com), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Scott Rea - (eMudhra), Stefan Selbitschka - (rundQuadrat), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Tathan Thacker - (IdenTrust), Tsung-Min Kuo - (Chunghwa Telecom), 
Wendy Brown - (US Federal PKI Management Authority)<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 1. Roll Call<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>The Roll Call was taken.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 2. Read Antitrust Statement<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 3. Review Agenda<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>Minutes were prepared by Stephen Davidson.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 4. Approval of minutes from last teleconference<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>The minutes for the teleconference of April 24 were approved.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 5. Discussion<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal>Stephen Davidson noted that Ballot SMC06 was in IPR until May 11. 
See <a href="https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html">https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html</a>.<o:p></o:p></p><p class=MsoNormal>The WG discussed and approved the change of KeyFactor from an Interested Party to an Associate Member, Ellie Schieder as an Interested Party, and Posteo e.K as a Certificate Consumer.<o:p></o:p></p><p class=MsoNormal>The WG reviewed and discussed a ballot proposed by Martijn Katerbarg which would bring the S/MIME BR up to date with a recent ballot at the TLS BR for logging. See more at <a href="https://github.com/cabforum/smime/issues/241">https://github.com/cabforum/smime/issues/241</a> <o:p></o:p></p><p class=MsoNormal>The WG had an extensive discussion regarding the migration to Multipurpose/Strict profiles. 
Stephen noted that so far only two points had been raised by Certificate Issuers:<o:p></o:p></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo1'>Having adequate time (such as one year) to allow ERAs using integration time to adapt.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo1'>Concerns relating to the impact of shorter validity on deployments using tokens/smartcards.<o:p></o:p></li></ul><p class=MsoNormal style='margin-bottom:0cm'>Judith Spencer and Wendy Brown commented that the shorter validity had real impact on large (including public sector) deployments that use tokens/smartcards, including:<o:p></o:p></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-bottom:0cm;margin-left:0cm;mso-list:l0 level1 lfo2'>limited storage on tokens/smartcards;<o:p></o:p></li><li class=MsoListParagraph style='margin-bottom:0cm;margin-left:0cm;mso-list:l0 level1 lfo2'>the increased burden of key exchange; and<o:p></o:p></li><li class=MsoListParagraph style='margin-bottom:0cm;margin-left:0cm;mso-list:l0 level1 lfo2'>the costs of support for rekeying.<o:p></o:p></li></ul><p class=MsoNormal style='margin-bottom:0cm'>The question was raised whether it would be feasible to increase the validity for the Multipurpose profile to 1185 days in general, or in cases where tokens/smartcards are used. Clint Wilson spoke about the security and crypto agility benefits of shorter validity periods. It was agreed this topic would be continued in Bergamo.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 6. Any Other Business<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>None.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## 7. 
Next call<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>Next call: the teleconference scheduled for May 22 has been cancelled. Next meeting is Bergamo F2F.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'>## Adjourned<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0cm'> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%'> </span><o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:0cm;line-height:normal'><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Smcwg-management mailing list<o:p></o:p></pre><pre><a href="mailto:Smcwg-management@cabforum.org">Smcwg-management@cabforum.org</a><o:p></o:p></pre><pre><a href="https://lists.cabforum.org/mailman/listinfo/smcwg-management">https://lists.cabforum.org/mailman/listinfo/smcwg-management</a><o:p></o:p></pre></blockquote></div></div></div></div></body></html>