[cabfpub] For Discussion: S/MIME Working Group Charter

Paul Hoffman paul.hoffman at icann.org
Thu May 24 13:27:30 MST 2018

(Unlurking, this time as one of the IETF's S/MIME WG chairs for more than a decade)

> On May 24, 2018, at 7:39 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> ... the basic foundation of how you validate an e-mail address is going to be key. Whether that's by validating the domain holder and allowing them to self-attest to the correctness of every email (much like we allow them to do so with subdomains beneath an ADN) or whether that's validating directly to the email address, at the core, we need to make sure that the rfc822Name within an S/MIME certificate is sufficiently validated.

Although I was never a mail client vendor, I worked extensively with them to develop and test S/MIME. What Ryan says here was of great concern to the vendors at the time. There was a fair number who said "we want to use the subset of the web CAs that we believe know how to validate email addresses before they issue certificates" but instead were kinda forced into mostly supporting only internally-generated certificates.

> That's why my concrete encouragement was to start with S/MIME BRs as the sole deliverable. Work through the operational and issuance profile, work through the core validation mechanisms, and table discussions that would otherwise detract from that. Once we've got a common and understood baseline, then it can be explored whether there are more rigorous forms that are both possible and useful.

>From the discussions in the IETF's S/MIME WG of 15ish years ago, I suspect that finishing just that one topic will be intensive and interesting enough for the group to then decide if it wants to bite off more. Regardless, finishing it and having the CABForum be able to say "we have a new solid set of BRs for S/MIME certificate issuance" will bring goodwill in the communities that still rely on S/MIME. Those BRs could easily be adapted to other secure email message technologies that might come out in the future. In other words, it would be great if the CABForum could at least start there.

--Paul Hoffman

More information about the Public mailing list