[cabfpub] For Discussion: S/MIME Working Group Charter

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed May 23 22:04:45 MST 2018

Moudrick, I don't think we are describing just use scenarios. This is 
about subject validation and as you are very well familiar, eIDAS is 
also setting requirements for how you validate natural persons and legal 
entities. Then, you can use this validated information for different 
trust services (authenticate, sign, encrypt, etc).

We already have identity validation requirements for the server 
certificate Working Group, described in DV/OV/EV Policies for 
certificates with id-kp-serverAuth EKU. Why shouldn't we include 
identity validation requirements for this new Working Group for 
certificates with id-kp-clientAuth and id-kp-emailProtection EKU? The 
overlap in subject validation requirements between these two cases is 
pretty obvious.

Even though I'd like the clientAuth to be included in the WG's initial 
charter, I understand Ryan's argument for gradually building a standard 
with minimum expectations at the beginning (thus limiting the scope for 
S/MIME only) and expand the scope later.

So, until then, the clientAuth Certificates will remain kind-of 
"unregulated" by lacking a policy standard. I suppose we will have to 
live with that :)


On 24/5/2018 2:34 πμ, Moudrick M. Dadashov wrote:
> All three (clentAuth and S/MIME) use scenarios are essentially different.
> Validation requirements for issuing signing/encryption certificates 
> are mostly similar, clientAuth (as we understand it under eIDAS*) is 
> different.
> Thanks,
> M.D.
> * Article 3
> (5) ‘/*authentication*’ means an electronic process that enables the 
> electronic identification of a natural or legal person, or the origin 
> and integrity of data in electronic form to be confirmed/.
> (1) ‘/*electronic identification*’ means the process of using person 
> identification data in electronic form uniquely representing either a 
> natural or legal person, or a natural person representing a legal person/.
> (2) ‘/*electronic identification means*’ means a material and/or 
> immaterial unit containing person identification data and which is 
> used for authentication for an online service/.
> On 5/24/2018 12:16 AM, Brown, Wendy (10421) via Public wrote:
>> I second the opinion that  clientAuth and S/Mime are likely to have a 
>> great overlap in validation requirements at least when issuing to 
>> persons and PKIs may want to issue both types of certs from the same 
>> CA if they are for the same validated individual..
>> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of 
>> *Ryan Sleevi via Public
>> *Sent:* Friday, May 18, 2018 9:18 AM
>> *To:* Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum 
>> Public Discussion List <public at cabforum.org>
>> *Subject:* Re: [cabfpub] For Discussion: S/MIME Working Group Charter
>> On Fri, May 18, 2018 at 12:57 AM, Dimitris Zacharopoulos via Public 
>> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>>     On 18/5/2018 2:51 πμ, Ryan Sleevi via Public wrote:
>>         I don't think it's a cross-EKU situation, though, but I'm
>>         glad we're in agreement.
>>         An email server certificate is an id-kp-serverAuth EKU.
>>         That's already covered by another WG
>>     I sincerely hope that id-kp-clientAuth EKU will also be covered
>>     by this WG since there will be common validation requirements for
>>     Subject information, as with S/MIME. It seems too much overhead
>>     to spawn an entirely different WG to deal just with clientAuth.
>>     If people agree, how about using the name "Client and S/MIME
>>     Certificate WG" which seems aligned with the "Server Certificate WG"?
>> As I've mentioned several times, it would be good to actually focus 
>> on a constrained, defined problem, before you proverbially try to 
>> boil the ocean.
>> It is not obvious that there will be common validation requirements, 
>> because the id-kp-clientAuth situation has a vast dimension of 
>> possible uses and spectrum. It's not actually reflective of the 
>> deployed reality that the validation requirements are the same. It 
>> also is based on an entirely separate notion of identity.
>> So no, I don't agree, because they really are substantially different 
>> in deployed reality - and an S/MIME WG is, in itself, a sizable 
>> undertaking just to get S/MIME BRs, due to the broad spectrum of 
>> client capabilities and CA past-practices - and the lifetime of 
>> extant certificates that presents unique challenges to defining a 
>> sensible and realistic profile.
>> A good charter - one that leads to productive engagement from a broad 
>> set of participants while actually delivering meaningful improvements 
>> - is one that keeps itself narrowly focused on the task at hand, 
>> produces results, and then looks to recharter based on the things you 
>> knew were out there, but agreed not to discuss until you actually 
>> completed the work. That allows you to keep momentum, focus, and 
>> participation. Just look at the challenges each of our (legacy) WG 
>> has faced with a broad remit, in that the set of topics has made it 
>> difficult both to engage participation of the broader Forum and to 
>> actually make forward progress, because it's constantly having to 
>> deal with 'all these things' or trying to do 'all these things'.
>> When we see narrowly focused ballots and efforts that try to solve a 
>> specific set of problems, then we make progress. The validation WG's 
>> effort at is a prime example of that - a prolonged effort 
>> that directly benefited from being focused on that problem, and 
>> ruling some things (like out of scope of the discussion in 
>> order to make progress on the narrow set.
>> The same too is in the charter. Let's not try to encompass pet 
>> marketing projects (EV for S/MIME), "things we might need but we 
>> don't know why" (network security), or "things that are kinda 
>> related, but only in some domains" (id-kp-clientAuth). Let's focus on 
>> the problem at hand - S/MIME authentication - keeping the WG scoped 
>> narrowly and on task, and deliver something that can help users have 
>> faith in the Web PKI to deliver tangible benefits in that space, 
>> rather than the reality we have today.
>> NOTICE: Protiviti is a global consulting and internal audit firm 
>> composed of experts specializing in risk and advisory services. 
>> Protiviti is not licensed or registered as a public accounting firm 
>> and does not issue opinions on financial statements or offer 
>> attestation services. This electronic mail message is intended 
>> exclusively for the individual or entity to which it is addressed. 
>> This message, together with any attachment, may contain confidential 
>> and privileged information. Any views, opinions or conclusions 
>> expressed in this message are those of the individual sender and do 
>> not necessarily reflect the views of Protiviti Inc. or its 
>> affiliates. Any unauthorized review, use, printing, copying, 
>> retention, disclosure or distribution is strictly prohibited. If you 
>> have received this message in error, please immediately advise the 
>> sender by reply email message to the sender and delete all copies of 
>> this message. Thank you.
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180524/7f0d5761/attachment.html>

More information about the Public mailing list