[cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group
Adriano Santoni
adriano.santoni at staff.aruba.it
Fri Feb 7 07:46:19 UTC 2020
I would still prefer identity information (natural person or legal
entity, or both: natural person affiliated to a legal entity) to be
expressly included in the WG scope since the beginning. Of course this
makes the WG task (that of producing "S/MIME baseline requirements")
harder and longer, but it would reflect current practice. On the other
hand, it's not clear to me what the implications would be if S/MIME
baseline requirements were approved and published, should they not cover
the inclusion of identity information in S/MIME certificates. Would that
imply, once Root Programs adopted such S/MIME BRs, that those CAs
issuing S/MIME certs with identity information in them are mis-issuing?
Adriano
On 06/02/2020 19:31, Wayne Thayer via Public wrote:
> Thanks Dimitris.
>
> On Wed, Feb 5, 2020 at 11:09 PM Dimitris Zacharopoulos (HARICA) via
> Public <public at cabforum.org> wrote:
>
> Tim, Wayne, Adriano,
>
> Apple made a contribution and although HARICA disagrees with most
> of the recommended changes I believe there should be some
> discussion around that.
>
>
> Agree. It's not in anyone's interests, nor do I believe that the
> intent was to ignore input unrelated to the identity issue. We should
> discuss it now to allow members to decide for themselves if the
> suggestions are important enough to warrant voting against this
> ballot, or if the ballot is good enough to ratify as-is.
>
> Unfortunately, although I had started working on a response, I
> didn't have time to complete it on time. I was hoping to see some
> comments/responses from the proposer and endorsers before the
> voting period began.
>
> For what it's worth, here is a list of my comments (attached). My
> biggest concern is the Certificate Consumer members that qualify
> based on "mail transfer agent". I would certainly like some more
> information about that before HARICA votes. Other than that, the
> charter looks good to me.
>
>
> The section in question is:
>
> (2) A Certificate Consumer eligible for voting membership in the SMCWG
> must produce a develop and maintain a mail user agent (web-based or
> application based), mail transfer agent, or email service provider
> that processes S/MIME certificates issued by third-party Certificate
> Issuers who meet criteria set by such Certificate Consumer.
>
> The inclusion of "mail transfer agents" as eligible participants
> doesn't appear harmful to me, but I also agree with Clint's comment
> that "The role of a mail transfer agent in consuming S/MIME
> certificates is unclear."
> Tim or Ben: this was part of the draft Ben proposed over a year ago.
> Do you have any information on why this was included?
>
>
> Best regards,
> Dimitris.
>
>
>
> On 2020-02-06 12:45 AM, Wayne Thayer via Public wrote:
>> Based on my recollection of the Guangzhou discussion, and
>> supported by the minutes, the "path forward agreed to in
>> Guangzhou" was that we would take this charter to a ballot
>> without further attempts to resolve the issue of including
>> identity in the charter's scope. There does not appear to be a
>> path to consensus on this issue, despite the considerable amount
>> of time spent discussing it. I'm unhappy with this approach, but
>> as one of the endorsers, I don't see an alternative other than
>> "take it to a vote" that gets this much-needed WG formed any time
>> soon.
>>
>> - Wayne
>>
>> On Wed, Feb 5, 2020 at 3:22 PM Ryan Sleevi via Public
>> <public at cabforum.org> wrote:
>>
>> Hi Tim,
>>
>> Could you point to where that's reflected in the minutes? Our
>> understanding here at Google is that Apple's proposed
>> changes, which we support and would be unable to participate
>> without incorporating, is that it accurately and correctly
>> reflects the discussions in London [1], reiterated in
>> Cupertino [2], and agreed upon in Thessaloniki [3]. It
>> appears that, following that, the proposers of that ballot
>> ignored that consensus and conclusion, and yet the discussion
>> of Guangzhou [4] does not indicate there was consensus to do so.
>>
>> I'm hoping we've just overlooked something in the minutes,
>> but Apple's proposed changes seem imminently reasonable, and
>> a worthwhile path to drafting requirements that consuming
>> software, such as mail clients (both native and Web), can use
>> and consume as part of their root programs, as an alternative
>> to their root-program-specific requirements.
>>
>> [1]
>> https://cabforum.org/2018/06/06/minutes-for-ca-browser-forum-f2f-meeting-44-london-6-7-june-2018/#New-SMIME-Working-Group-Charter
>> [2]
>> https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Creation-of-additional-Working-Groups---Secure-Mail
>> "Dean – We have a blank slate here and it seems the
>> reluctance was to make it a narrow scope and then focus on
>> either one aspect of SMIME. First task might be how to
>> validate an email, and then focus on identity validation.
>> Some comments were to make the chart narrow to focus on one
>> task while others say to include all proposed tasks to not
>> have to recharter which has caused issues in the past."
>> [3]
>> https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/#Creation-of-Additional-Groups---Secure-Mail
>> "Eventually, all parties in the conversation came to the
>> conclusion that it would behoove the Forum to scope the
>> working group charter to domain validation, first, before
>> adding other functionality once that portion was locked-down."
>> [4]
>> https://cabforum.org/2019/12/12/minutes-for-ca-browser-forum-f2f-meeting-48-guangzhou-5-7-november-2019/#Creation-of-Additional-Groups---Secure-Mail
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public