[Smcwg-public] some thoughts on s/mime requirement sets

Russ Housley housley at vigilsec.com
Thu Aug 20 11:21:03 MST 2020


Andreas:

And there are also certificates associated with private keys that are held in cloud-based user agents.  These are similar to the ones in (c), but they have a different risk profile.

Russ


> On Aug 20, 2020, at 8:20 AM, Henschel, Andreas via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> Dear smcwg members,
> 
> please let me share some thoughts on yesterday's call of the smcwg.
> 
> S/MIME certificates are kind of different to all other certificates handled
> by cabforum so far, because of the very different use cases and user
> environments.
> 
> Just to bring some cases and related topics up:
> 
> a. certificates on (highly) secure token
> 	-> it is not a good idea to encrypt anything with keys which could
> not have any backups, but encryption is one of the key features of S/MIME
> certificates
> 
> b. group or domain certificates
> 	-> key management done by an email gateway
> 	-> just copy and distribute the encrypted key to any user of the
> group address
> 
> c. certificates on mobile devices
> 	-> nearly no key management can be done by the user
> 	-> quite impossible to use hardware tokens on mobiles
> 
> d. certificates stored in an OS keystore
> 
> e. different purposes or different combinations of purposes
> 	-> signing mails to guarantee integrity
> 	-> signing mails to claim authenticity
> 	-> encrypting mails to guarantee confidentiality
> 	-> signing mails for content commitment or wilful acts
> 
> 
> I think we could find a lot more use cases and user environments of S/MIME
> certificates easily.
> But from my point of view, it could be quite impossible to find all
> use cases where those certificates are already used.
> 
> So it could be more helpful for the first step of collecting the
> requirements to start with the absolute minimum level, such as, for example,
> setting the maximum validity period in general to 39 months or even a bit
> longer. As far as I know, many CAs offer certificates with a validity period
> of three years, but I've seen even five years.
> For example, if we start just with the purpose of "signing mails to
> guarantee integrity", the validity period of the certificate does not even
> really matter.
> 
> With this mindset, we should step through all points of applicable
> requirements for the first draft.
> 
> After having a basic and accepted (and usable) minimum level, we can and
> should tighten security requirements where applicable.
> 
> 
> Kind regards,
> Andreas
> 
> 
> 
> Andreas Henschel
> 
> Principal product certification ETSI / eIDAS
> DTr PCS CM
> ------------------------------------------------------------------
> D-Trust GmbH | A Bundesdruckerei company
> Kommandantenstr. 15
> 10969 Berlin , Germany
> 
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
