From Stephen.Davidson at digicert.com Wed Dec 2 16:37:25 2020 From: Stephen.Davidson at digicert.com (Stephen Davidson) Date: Wed, 2 Dec 2020 16:37:25 +0000 Subject: [Smcwg-public] Test message Message-ID: Hello - please ignore. We are testing the mailer! -------------- next part -------------- An HTML attachment was scrubbed... URL: From Stephen.Davidson at digicert.com Mon Dec 7 17:45:23 2020 From: Stephen.Davidson at digicert.com (Stephen Davidson) Date: Mon, 7 Dec 2020 17:45:23 +0000 Subject: [Smcwg-public] Draft SMCWG agenda - Wednesday, December 9 Message-ID: SMCWG Agenda Draft SMCWG agenda - Wednesday, December 9, 2020 at 11:00 am Eastern Time Here is a draft CA agenda for the teleconference described in the subject of this message. Please review and propose changes if necessary. 1. Roll Call 2. Read Antitrust / Compliance Statement 3. Review Agenda 4. Approval of minutes from last teleconference 5. Membership - KPMG Korea as Interested Party 6. Discussion S/MIME Certificate Profile: continuation of discussion re: - SAN entries (rfc822name, directoryname, othername) - OIDs and Subject Attributes - Extensions - keyUsage 7. Any other business 8. Next call: January 6, 2021 at 11:00 am Eastern Time Note: Meeting of December 23, 2020 has been cancelled Adjourn -------------- next part -------------- An HTML attachment was scrubbed... URL: From Stephen.Davidson at digicert.com Mon Dec 21 18:30:48 2020 From: Stephen.Davidson at digicert.com (Stephen Davidson) Date: Mon, 21 Dec 2020 18:30:48 +0000 Subject: [Smcwg-public] No SMCWG meeting on December 23 Message-ID: Hello all: As agreed in our last meeting, there will be no SMCWG meeting this week (Wednesday December 23). We'll reconvene in the new year on January 6, 2021 at 1100 US Eastern time. Wishing you good health, Stephen -------------- next part -------------- An HTML attachment was scrubbed... URL: From donsheehypki at gmail.com Tue Dec 22 16:00:08 2020 From: donsheehypki at gmail.com (Don Sheehy) Date: Tue, 22 Dec 2020 11:00:08 -0500 Subject: [Smcwg-public] No SMCWG meeting on December 23 In-Reply-To: <010001768691971c-af53a719-86ee-4a00-a5c7-1a2dac66a4c0-000000@email.amazonses.com> References: <010001768691971c-af53a719-86ee-4a00-a5c7-1a2dac66a4c0-000000@email.amazonses.com> Message-ID: Merry Christmas and Happy New Year to all 2021 has to get better - hopefully we will all meet in person in 2021 Don On Mon, Dec 21, 2020 at 1:30 PM Stephen Davidson via Smcwg-public < smcwg-public at cabforum.org> wrote: > Hello all: > > > > As agreed in our last meeting, there will be no SMCWG meeting this week > (Wednesday December 23). > > > > We'll reconvene in the new year on January 6, 2021 at 1100 US Eastern time. > > > > Wishing you good health, Stephen > _______________________________________________ > Smcwg-public mailing list > Smcwg-public at cabforum.org > https://lists.cabforum.org/mailman/listinfo/smcwg-public > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bwilson at mozilla.com Tue Dec 29 16:04:22 2020 From: bwilson at mozilla.com (Ben Wilson) Date: Tue, 29 Dec 2020 09:04:22 -0700 Subject: [Smcwg-public] Require proof-of-possession for SMIME certificate issuance Message-ID: The SMIME requirements document, which this WG is developing, should address the degree of verification needed to bind the email address to the key pair. The applicant and the CA should be required to use a secure process to establish that the entity controlling the email address also controls the public-private key pair. This is mentioned on the Mozilla GitHub policy issues board - https://github.com/mozilla/pkipolicy/issues/215 -------------- next part -------------- An HTML attachment was scrubbed... URL: From bwilson at mozilla.com Tue Dec 29 16:15:11 2020 From: bwilson at mozilla.com (Ben Wilson) Date: Tue, 29 Dec 2020 09:15:11 -0700 Subject: [Smcwg-public] Require CAA Checking for Email Certificates Message-ID: For visibility and as a cross-reference, here is another SMIME-related discussion on the Mozilla policy Github board - https://github.com/mozilla/pkipolicy/issues/135. Some interesting implementation challenges have been raised. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Stephen.Davidson at digicert.com Tue Dec 29 16:36:51 2020 From: Stephen.Davidson at digicert.com (Stephen Davidson) Date: Tue, 29 Dec 2020 16:36:51 +0000 Subject: [Smcwg-public] Require proof-of-possession for SMIME certificate issuance In-Reply-To: <01000176af3e8143-41239ce9-e09c-468d-bd28-515d670d2409-000000@email.amazonses.com> References: <01000176af3e8143-41239ce9-e09c-468d-bd28-515d670d2409-000000@email.amazonses.com> Message-ID: Thank you Ben. Noted for further SMCWG discussion: - check proof of possession of private key - CAA checking Happy new year and best regards, Stephen From: Smcwg-public On Behalf Of Ben Wilson via Smcwg-public Sent: Tuesday, December 29, 2020 12:05 PM To: SMIME Certificate Working Group Subject: [Smcwg-public] Require proof-of-possession for SMIME certificate issuance The SMIME requirements document, which this WG is developing, should address the degree of verification needed to bind the email address to the key pair. The applicant and the CA should be required to use a secure process to establish that the entity controlling the email address also controls the public-private key pair. This is mentioned on the Mozilla GitHub policy issues board - https://github.com/mozilla/pkipolicy/issues/215 -------------- next part -------------- An HTML attachment was scrubbed... URL: From bwilson at mozilla.com Tue Dec 29 17:52:39 2020 From: bwilson at mozilla.com (Ben Wilson) Date: Tue, 29 Dec 2020 10:52:39 -0700 Subject: [Smcwg-public] Require proof-of-possession for SMIME certificate issuance In-Reply-To: References: <01000176af3e8143-41239ce9-e09c-468d-bd28-515d670d2409-000000@email.amazonses.com> Message-ID: FWIW - I've created an "smime" label in GitHub so that anyone can find pending Mozilla Policy issues related to SMIME certificates - https://github.com/mozilla/pkipolicy/labels/smime On Tue, Dec 29, 2020 at 9:36 AM Stephen Davidson < Stephen.Davidson at digicert.com> wrote: > Thank you Ben. Noted for further SMCWG discussion: > > - check proof of possession of private key > > - CAA checking > > Happy new year and best regards, Stephen > > > > *From:* Smcwg-public *On Behalf Of *Ben > Wilson via Smcwg-public > *Sent:* Tuesday, December 29, 2020 12:05 PM > *To:* SMIME Certificate Working Group > *Subject:* [Smcwg-public] Require proof-of-possession for SMIME > certificate issuance > > > > The SMIME requirements document, which this WG is developing, should > address the degree of verification needed to bind the email address to the > key pair. The applicant and the CA should be required to use a secure > process to establish that the entity controlling the email address also > controls the public-private key pair. This is mentioned on the Mozilla > GitHub policy issues board - > https://github.com/mozilla/pkipolicy/issues/215 > -------------- next part -------------- An HTML attachment was scrubbed... URL: