[cabfpub] For Discussion: S/MIME Working Group Charter

philliph at comodo.com philliph at comodo.com
Fri May 18 12:48:17 UTC 2018


But the critical word was not in the discussion.

Dimitri’s observation that the groups are really divided by id-kp- is the critical point in my mind because it also shows where the boundary lies between CABForum and IETF.


S/MIME needs some serious fixing. It is currently a niche product that has a userbase in the low millions, most of whom use it on an occasional basis at best. Meanwhile the Internet has a billion users and email attacks have changed the course of recent history.




> On May 17, 2018, at 10:18 PM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> 
> 
> On Thu, May 17, 2018 at 9:53 PM, Phillip <philliph at comodo.com> wrote:
> We seem to have a terminology issue here. What is a server? This is obvious in HTTP but far from obvious in the context of email because there is an inbound and an outbound ‘server’ and it acts as a client and a server at different times.
> 
> 
> I'm afraid that discussion misses an important word in the discussion - server *certificate*. That word helps us clarify that we're speaking about certificates and their capabilities, not about the different flows in different protocols. If I use an id-kp-serverAuth certificate with a SAN of "www.google.com", this does not somehow mean I am exempt from the BRs or the existing scope of the server certificate working group.
> 
> So I think we can avoid such discussions about the terminology of servers, and instead focus on the certificates and the existing chartered working group, which handles such certificates, regardless of the service context or the role within the protocol.
>
> I agree that certificates used to authenticate Mail Transport Agents are properly part of what the Server WG is specifying. But they may be used by a host acting as a TLS ‘server’ or ‘client’.
>
> Another little oddity is that we are assuming that the entity a CA validates and issues certificates to in the S/MIME world is properly the end user rather than the organization. That might not be the right approach. If what the CA is effectively validating is ‘example.com’, and not ‘alice@’, maybe it is better to perform validation on the organization.
> 
> 
> I think that's something that could be discussed by the S/MIME WG - with a refined charter scoped to S/MIME BRs. That discussion does not seem to conflict with such a charter scoped simply to the BRs, as what you're discussing is validation methods, which would be rather premature to discuss in the absence of such a chartered group.
