[Smcwg-public] [External Sender] RE: [External Sender] Updates to 3.2.4.1/4 relying on signature for personal vetting

Adriano Santoni adriano.santoni at staff.aruba.it
Fri Aug 5 15:03:13 UTC 2022


It's an improvement, for sure, but I would emphasize the "Subject DN" in 
bold.

What do the others think?

Adriano


On 05/08/2022 16:12, Stephen Davidson wrote:
>
> I had intended that the sentence “Identity attributes are evidenced by 
> the signing Certificate, not by the content of the signed document” 
> would deal with such situations.  I can amplify that intent.
>
> “Identity attributes are evidenced by the Subject DN of the personal 
> Certificate used to create the digital signature, not by the content 
> of the signed document.”
>
> Does that resolve your concern?
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of 
> *Adriano Santoni via Smcwg-public
> *Sent:* Friday, August 5, 2022 5:02 AM
> *To:* smcwg-public at cabforum.org
> *Subject:* Re: [Smcwg-public] [External Sender] Updates to 3.2.4.1/4 
> relying on signature for personal vetting
>
> Hello,
>
> Regarding section 3.2.4.1 Attribute collection of individual identity, 
> item 4:
>
> On the subject of reference frameworks for digital signatures, I 
> believe there is a problem that should be solved.
>
> The AATL framework also includes digital signatures that are not 
> associated with a "personal certificate" (as required by §3.2.4.1) and 
> therefore, in my opinion, should not be accepted. I am referring in 
> particular to the DocuSign remote signature service in which the 
> signatures are (commonly) always made with the same key and relative 
> certificate whose Subject is the DocuSign company itself (and not the 
> person signing the document). I have not spent a lot of time 
> investigating the matter, but my understanding is that the link of the 
> DocuSign signature with the signer is just based on a previous email 
> exchange. An "ID Verification" step is a Premium Feature that the 
> average DocuSign user is not obliged to buy.
>
> To plug this security hole, I recommend clarifying in the BR that 
> DocuSign signatures are only accepted (if ever) when made with a 
> /personal certificate/ (i.e., not one issued to DocuSign, but rather 
> to John Smith, Arianna Garcia, François Bertrand, Hiroshi Nakamura, etc.)
>
> Regards
>
> Adriano
>
> On 05/08/2022 00:06, Stephen Davidson via Smcwg-public wrote:
>
>     Hello:
>
>     Certificate Issuer members of the SMCWG had noted a desire to
>     expand the list of regimes of digital certificates that may be
>     relied upon in personal validation.  It was also suggested by a
>     Certificate Consumer that criteria for evaluating these regimes be
>     described.
>
>     Based on our discussions, I have proposed some text in the draft
>     as follows:
>
>     https://github.com/cabforum/smime/commit/33ce560204eaed4162cb70c919bf9f86ffac90cc
>
>     Thanks to Ashish Dhiman and to Eva Van Steenberge for the help!
>
>     Regards, Stephen
>
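As an added illustration (not code from the thread or from the CA/B Forum draft): a check that applies the proposed rule literally, taking the Subject DN of the signing certificate as the only evidence of the applicant's identity and rejecting a certificate whose Subject is the signing provider's organisation rather than the person. The RFC 4514 DN strings and the applicant name fields are assumptions made for the example.

```python
"""Does a signing certificate's Subject DN evidence the applicant's identity?

Rule under discussion: identity attributes come from the Subject DN of the
personal certificate that made the signature, never from the signed
document's content or a prior e-mail exchange. DN strings (RFC 4514 form)
and the applicant record are assumptions for this example.
"""
import unicodedata


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Parse an RFC 4514 DN string into {attribute_type: [values]}.

    Backslash escapes are honoured so a comma inside a value
    (e.g. "O=Acme\\, Inc.") does not split the RDN; '+' separates
    the parts of a multi-valued RDN.
    """
    attrs: dict[str, list[str]] = {}
    value, key, escaped = [], None, False
    for ch in dn + ",":                      # trailing comma flushes the last RDN
        if escaped:
            value.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(value).strip().lower()
            value = []
        elif ch in ",+":
            if key is not None:
                attrs.setdefault(key, []).append("".join(value).strip())
            key, value = None, []
        else:
            value.append(ch)
    return attrs


def _norm(s: str) -> str:
    """Case-insensitive, accent-stable comparison form (François == françois)."""
    return unicodedata.normalize("NFKC", s).casefold().strip()


def signature_evidences_identity(subject_dn: str, given_name: str, surname: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an applicant named given_name surname.

    Accept only if the Subject DN names the individual: givenName + SN
    matching, or a CN equal to the full name. A Subject that is only an
    organisation (the signing service's own certificate) cannot evidence
    a person's identity, whatever the signed document says.
    """
    attrs = parse_dn(subject_dn)
    gn = [_norm(v) for v in attrs.get("givenname", []) + attrs.get("gn", [])]
    sn = [_norm(v) for v in attrs.get("sn", []) + attrs.get("surname", [])]
    if _norm(given_name) in gn and _norm(surname) in sn:
        return True, "givenName/surname in Subject DN match the applicant"
    full = f"{_norm(given_name)} {_norm(surname)}"
    if any(_norm(cn) == full for cn in attrs.get("cn", [])):
        return True, "CN in Subject DN matches the applicant"
    if not attrs.get("cn") and not gn and not sn:
        return False, "Subject DN names no individual (organisation-only certificate)"
    return False, "Subject DN names a different entity than the applicant"
```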