[Smcwg-public] Approved Minutes of SMCWG February 3, 2021

Stephen Davidson Stephen.Davidson at digicert.com
Wed Feb 17 20:53:14 UTC 2021


Thanks Jeff.  I will confirm and note that on the web version of these
minutes.

 

 

From: Jeff Ward <jward at bdo.com> 
Sent: Wednesday, February 17, 2021 4:51 PM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate
Working Group <smcwg-public at cabforum.org>
Subject: RE: Approved Minutes of SMCWG February 3, 2021

 

Stephen, I joined after roll call.  Just FYI

 

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation
(SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-387-0189 (Mobile)
 <mailto:jward at bdo.com> jward at bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105 
UNITED STATES
314-889-1100
 <http://www.bdo.com> www.bdo.com

 <https://fileexchange.bdo.com> BDO File Exchange (secure file sharing)

Please consider the environment before printing this e-mail

<https://www.bdo.com/resource-centers/understanding-the-business-impacts-of-covid-19>

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen
Davidson via Smcwg-public
Sent: Wednesday, February 17, 2021 2:04 PM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Approved Minutes of SMCWG February 3, 2021

 



Minutes of SMCWG


February 3, 2021

 

These are the Approved Minutes of the Teleconference described in the
subject of this message. Corrections and clarifications where needed are
encouraged by reply.


Attendees 


Ahmad Syafiq Md Zaini (MSC Trustgate.com), Ali Gholami (Telia Company),
Andreas Henschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust
DataCard), Corey Bonnell (DigiCert), David Kluge (Google), Dean Coclin
(DigiCert), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Enrico
Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate.com), Hongquan Yin
(Microsoft), India Donald (Federal PKI), Janet Hines (SecureTrust), Li-Chun
Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Matthias Wiedenhorst
(ACAB'c), Mevre Tunca (Zertificon), Morad Abou Nasser (TeleTrust), Neil
Dunbar (TrustCor), Niko Carpenter (SecureTrust), Patrycja Tulinska (PSW),
Pedro Fuentes (OISTE), Rich Smith (Sectigo), Russ Housley (Vigil Security),
Sebastian Schulz (GlobalSign), Stephen Davidson (DigiCert), Tadahiko Ito
(SECOM Trust Systems), Thomas Connelly (Federal PKI), Thomas Zermeno
(SSL.com), Tim Crawford (WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy
Brown (Federal PKI), Yair Eisenstein (Comsign)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The Antitrust/Compliance Statement was read.


3. Review Agenda


4. Approval of minutes from last teleconference


The minutes of the January 20 teleconference were approved.  


5. New Member Declaration


RundQuadrat OG was determined as eligible and approved as a Certificate
Consumer member of the SMCWG.


6. Discussion of certificate profile


A review was commenced of proposed/draft certificate profiles derived from
the policies previously discussed:

 

*	Mailbox-validation: The simplest S/MIME, including only email
address. The same email control verification methods apply across all S/MIME
types.

 

*	Individual-validation: Includes personal details (for natural
person) with validation performed based upon BR 3.2.3.

 

*	Organizational-validation: Includes Organization details (legal
entity) with validation based on BR 3.2.2.1-3.2.2.3 (or perhaps EV
equivalent). Example uses include invoice or statement mailers, etc.

 

*	Sponsored-validation: An Organization "sponsors" certificates
including personal details or mailbox names (validated by a delegated
Enterprise RA) in conjunction with Organisation details (validated by the
CA).

 

Each policy will have a Multipurpose/Legacy and Strict variant:

 

*	Multipurpose/Legacy: The Multipurpose profiles create a formal
profile and practices for dominant legacy S/MIME types, including
multipurpose certificates, and include more flexibility in Subject
information and extensions.

 

*	Strict:  The Strict profiles provide a more streamlined certificate
profile dedicated to S/MIME use.  This is in line with the growing use of
specialised Root hierarchies by certificate type (eku).

 

https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit#gid=1891546205

 

It was proposed to allow the Subject email and commonName field in all
certificate types (discouraged but permitted) in all profiles due to unknown
use in Certificate Consumer UI and allowed use in other standards such as
ETSI.  

 

A long discussion occurred regarding the flexible definition of commonName
in many standards.  Morad Abou Nasser indicated that the TeleTrust policies
may have useful rules for commonName.

 

A lengthy discussion occurred regarding validity.  It was agreed that the
Strict policy should have a maximum 27 month validity in order to provide
better policy agility, refresh of validation, and consistency with the move
of other CABF standards towards shorter validity. Wendy Brown noted there
was an argument in favor of longer validity when keys were held on tokens,
and that fast rotation of keys may work against end users who have to manage
them to read their email archive.  She proposed that differing allowed
validity spans for signing vs encryption may help if split keys are used.

 

Bruce Morton proposed that the Multipurpose should allow a longer (i.e. 39-month)
validity, while Dimitris Zacharopoulos proposed the same validity
should apply across all types.  It was suggested this be tabled for feedback
on public list or at the CABF Virtual F2F.  Dimitris and Sebastian Schulz
agreed to help draft that proposal.

 

Stephen Davidson reminded that at this stage our concern is defining the
core certificate profiles and to defer detailed discussion of field formats
and validation until later.  It was agreed in our next meeting to discuss
what would be presented to the Virtual F2F and what areas of feedback would
be sought at that meeting.

 


7. Any Other Business


 

None


8. Next call


The next call will take place on February 17, 2021 at 11:00am Eastern Time.



Adjourned


 

 

 



The health and safety of our people and communities is our top priority, as
we all do our part to help stop the spread of COVID-19. All BDO USA offices
will be closed until further notice. While we will be working from home, our
already-flexible work environment enables us to make this transition
seamlessly and we have the technology in place to continue to provide the
same excellent level of service our clients are accustomed to. We are here
if you need us, just as before, and if we can be helpful as you navigate the
uncertainty, we stand ready. 

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member
of BDO International Limited, a UK company limited by guarantee, and forms
part of the international BDO network of independent member firms. 

BDO is the brand name for the BDO network and for each of the BDO Member
Firms.

IMPORTANT NOTICES

The contents of this email and any attachments to it may contain privileged
and confidential information from BDO USA, LLP. This information is only for
the viewing or use of the intended recipient. If you are not the intended
recipient, you are hereby notified that any disclosure, copying,
distribution or use of, or the taking of any action in reliance upon, the
information contained in this e-mail, or any of the attachments to this
e-mail, is strictly prohibited and that this e-mail and all of the
attachments to this e-mail, if any, must be immediately returned to BDO USA,
LLP or destroyed and, in either case, this e-mail and all attachments to
this e-mail must be immediately deleted from your computer without making
any copies hereof. If you have received this e-mail in error, please notify
BDO USA, LLP by e-mail immediately.
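The profile discussion in the minutes above (item 6) boils down to a handful of checks a CA could run before issuance. The following Go program is an added example and is not part of the minutes, nor code from the CA/Browser Forum or any member; it encodes only what the call recorded and labels its assumptions. The 27-month Strict maximum was agreed; the 39-month Multipurpose/Legacy figure was only proposed by Bruce Morton and left open for feedback, so the Multipurpose value below is an assumption. "Dedicated to S/MIME use" is read here as "emailProtection is the only EKU"; Subject emailAddress and an email-shaped commonName are reported as warnings because the group proposed to keep them discouraged but permitted. The names Profile, Lint and MakeCert are this example's own; MakeCert only constructs self-signed test certificates so the lint can run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Profile encodes the validity variants from the minutes. The 27-month Strict
// maximum was agreed on the call; the 39-month Multipurpose figure was only
// proposed and is an assumption here. DedicatedEKU models the Strict profile
// being "dedicated to S/MIME use" (assumed: emailProtection is the only EKU).
type Profile struct {
	Name         string
	MaxMonths    int
	DedicatedEKU bool
}

var (
	Strict       = Profile{Name: "Strict", MaxMonths: 27, DedicatedEKU: true}
	Multipurpose = Profile{Name: "Multipurpose/Legacy", MaxMonths: 39, DedicatedEKU: false}
)

// oidEmailAddress is the PKCS#9 emailAddress Subject attribute.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// Lint returns the findings for cert under profile p; an empty result means
// every check passed. Entries prefixed "warn:" are the discouraged-but-
// permitted Subject usages the group proposed to keep allowing.
func Lint(cert *x509.Certificate, p Profile) []string {
	var out []string

	// Validity: NotAfter may not exceed NotBefore plus the profile maximum.
	if cert.NotAfter.After(cert.NotBefore.AddDate(0, p.MaxMonths, 0)) {
		out = append(out, fmt.Sprintf("validity exceeds %d months (%s)", p.MaxMonths, p.Name))
	}

	// EKU: emailProtection is required; a Strict cert tolerates no other purpose.
	hasEmail := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection {
			hasEmail = true
		} else if p.DedicatedEKU {
			out = append(out, fmt.Sprintf("non-S/MIME EKU %d in %s profile", eku, p.Name))
		}
	}
	if !hasEmail {
		out = append(out, "emailProtection EKU missing")
	}

	// Mailbox: the validated address is expected as an rfc822Name in the SAN.
	if len(cert.EmailAddresses) == 0 {
		out = append(out, "no rfc822Name in subjectAltName")
	}

	// Subject emailAddress and an email-shaped commonName: permitted, discouraged.
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			out = append(out, "warn: Subject carries an emailAddress attribute")
		}
	}
	if strings.Contains(cert.Subject.CommonName, "@") {
		out = append(out, "warn: commonName carries an email address")
	}
	return out
}

// MakeCert builds a self-signed certificate with the given validity in months,
// EKUs, SAN rfc822Names and Subject. Constructed test input only; it does not
// reflect any real CA's issuance.
func MakeCert(months int, ekus []x509.ExtKeyUsage, sans []string, subj pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nb := time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subj,
		NotBefore:      nb,
		NotAfter:       nb.AddDate(0, months, 0),
		ExtKeyUsage:    ekus,
		EmailAddresses: sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	strictCert, _ := MakeCert(24, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		[]string{"alice@example.com"}, pkix.Name{CommonName: "Alice Example"})
	legacyCert, _ := MakeCert(39,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth},
		[]string{"bob@example.com"}, pkix.Name{CommonName: "bob@example.com"})
	fmt.Println("strict cert under Strict:      ", Lint(strictCert, Strict))
	fmt.Println("legacy cert under Strict:      ", Lint(legacyCert, Strict))
	fmt.Println("legacy cert under Multipurpose:", Lint(legacyCert, Multipurpose))
}
```

Running it prints the findings for a 24-month emailProtection-only certificate (none), for a 39-month multipurpose certificate checked against Strict (validity, extra EKU, and the commonName warning), and for the same certificate checked against Multipurpose (warnings only). Lint returns the list rather than a boolean so that a pre-issuance gate can fail closed on errors while merely logging the "warn:" entries, which is the distinction the group drew between prohibited and discouraged content.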

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20210217/2e1a7525/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 476 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20210217/2e1a7525/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4999 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20210217/2e1a7525/attachment-0001.p7s>


More information about the Smcwg-public mailing list