[Smcwg-public] Approved Minutes of SMCWG February 3, 2021

Jeff Ward jward at bdo.com
Wed Feb 17 20:51:27 UTC 2021


Stephen, I joined after roll call.  Just FYI

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-387-0189 (Mobile)
jward at bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Wednesday, February 17, 2021 2:04 PM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Approved Minutes of SMCWG February 3, 2021



Minutes of SMCWG
February 3, 2021

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
Attendees
Ahmad Syafiq Md Zaini (MSC Trustgate.com), Ali Gholami (Telia Company), Andreas Henschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust DataCard), Corey Bonnell (DigiCert), David Kluge (Google), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate.com), Hongquan Yin (Microsoft), India Donald (Federal PKI), Janet Hines (SecureTrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Matthias Wiedenhorst (ACAB'c), Mevre Tunca (Zertificon), Morad Abou Nasser (TeleTrust), Neil Dunbar (TrustCor), Niko Carpenter (SecureTrust), Patrycja Tulinska (PSW), Pedro Fuentes (OISTE), Rich Smith (Sectigo), Russ Housley (Vigil Security), Sebastian Schulz (GlobalSign), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (Federal PKI), Thomas Zermeno (SSL.com), Tim Crawford (WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (Federal PKI), Yair Eisenstein (Comsign)
1. Roll Call
The Roll Call was taken.
2. Read Antitrust Statement
The Antitrust/Compliance Statement was read.
3. Review Agenda
4. Approval of minutes from last teleconference
The minutes of the January 20 teleconference were approved.
5. New Member Declaration
RundQuadrat OG was determined as eligible and approved as a Certificate Consumer member of the SMCWG.
6. Discussion of certificate profile
A review was commenced of proposed/draft certificate profiles derived from the policies previously discussed:

  *   Mailbox-validation: The simplest S/MIME, including only email address. The same email control verification methods apply across all S/MIME types.
  *   Individual-validation: Includes personal details (for natural person) with validation performed based upon BR 3.2.3.
  *   Organizational-validation: Includes Organization details (legal entity) with validation based on BR 3.2.2.1-3.2.2.3 (or perhaps EV equivalent). Example uses include invoice or statement mailers, etc.
  *   Sponsored-validation: An Organization "sponsors" certificates including personal details or mailbox names (validated by a delegated Enterprise RA) in conjunction with Organisation details (validated by the CA).

Each policy will have a Multipurpose/Legacy and Strict variant:

  *   Multipurpose/Legacy: The Multipurpose profiles create a formal profile and practices for dominant legacy S/MIME types, including multipurpose certificates, and include more flexibility in Subject information and extensions.
  *   Strict: The Strict profiles provide a more streamlined certificate profile dedicated to S/MIME use. This is in line with the growing use of specialised Root hierarchies by certificate type (EKU).

https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=1891546205

It was proposed to allow the Subject email and commonName field in all certificate types (discouraged but permitted) in all profiles due to unknown use in Certificate Consumer UI and allowed use in other standards such as ETSI.

A long discussion occurred regarding the flexible definition of commonName in many standards.  Morad Abou Nasser indicated that the TeleTrust policies may have useful rules for commonName.

A lengthy discussion occurred regarding validity.  It was agreed that the Strict policy should have a maximum 27 month validity in order to provide better policy agility, refresh of validation, and consistency with the move of other CABF standards towards shorter validity. Wendy Brown noted there was an argument in favor of longer validity when keys were held on tokens, and that fast rotation of keys may work against end users who have to manage them to read their email archive.  She proposed that differing allowed validity spans for signing vs encryption may help if split keys are used.

Bruce Morton proposed that the Multipurpose should allow a longer (i.e. 39-month) validity, while Dimitris Zacharopoulos proposed the same validity should apply across all types. It was suggested this be tabled for feedback on the public list or at the CABF Virtual F2F. Dimitris and Sebastian Schulz agreed to help draft that proposal.

Stephen Davidson reminded that at this stage our concern is defining the core certificate profiles and to defer detailed discussion of field formats and validation until later.  It was agreed in our next meeting to discuss what would be presented to the Virtual F2F and what areas of feedback would be sought at that meeting.

7. Any Other Business

None
8. Next call
The next call will take place on February 17, 2021 at 11:00am Eastern Time.
Adjourned
