<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 29/4/2024 5:27 μ.μ., Adriano Santoni
via Smcwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018f2a40979f-72449850-d877-4ad0-97ba-21e6b79e8234-000000@email.amazonses.com">
<p><font face="Calibri">Furthermore, I think it would make sense
to also accept a digital signature made with an S/MIME IV
certificate, because evidently this would be a sufficiently
reliable way of individual identification; in practice, in
order to obtain a new S/MIME IV certificate, e.g. for renewal
purposes, or perhaps for a different email address, I think
the CA should be able to accept a signature made with an
S/MIME IV certificate already in the applicant's possession,
compliant with the SMBRs, not expired and not revoked. To this
end, I would say that a signed S/MIME message could be fine...
what do you (all) think?</font></p>
<p><font face="Calibri">Adriano</font></p>
</blockquote>
<br>
I didn't see anyone commenting on this and I'm not sure if it was
discussed at a Teleconference I missed. Adriano, I think this goes a
bit too far in the sense that it is circular. The CA must attest <b>at
time of issuance</b> that all the information included in the
certificate and authorization has been validated by the CA, can be
relied upon or is allowed to be reused according to the rules.<br>
<br>
The way I read your post allows CA1 to rely on an IV Certificate
issued by CA2 which has several risks because CA1 has no way of
verifying that the certificate of CA2 was issued in a compliant
-with the SMBRs- manner.<br>
<br>
I think it is ok for the same CA to accept a signed (with an
existing S/MIME IV Certificate) request for renewal, coming from an
existing Subscriber, as long as the existing stored evidence can be
re-used according to the rules.<br>
<br>
<br>
Dimitris.<br>
</body>
</html>