[Smcwg-public] Update redline for recent changes to S/MIME BR

Judith Spencer Judith.Spencer at certipath.com
Wed Aug 31 16:20:34 UTC 2022 

Stephen

On the subject of Suspension, I agree that if the applications don't verify
signature at time of signing, suspension can be a problem.  It concerns me
that this behavior is a 'given' and therefore the organizations that use
these credentials are inconvenienced.  I do not agree that the encryption
use case is similarly impacted.  

I believe there are some legitimate use cases for this beyond those
suggested on the call.  In my experience organizations often use suspension
for seasonal or sporadic workers.  

I have some language for your consideration on the inclusion of suspension -
perhaps a starting point:


4.9.13   Circumstances for Suspension


Suspension may be permitted for end-user certificates as follows: 1) the
discretion of the certificate issuer; 2) the user's token is temporarily
unavailable; 3) authority to use the token has been suspended temporarily;
4) token possession is unknown.


4.9.14    Who can Request Suspension


The certificate subject, certificate subject's organization, issuing CA, or
RA may request suspension of a certificate.


4.9.15    Procedure for Suspension Request


A request to suspend a certificate shall identify the certificate to be
suspended, explain the reason for suspension, and allow the request to be
authenticated (e.g., digitally or manually signed).

The reason code CRL entry extension shall be populated with
"certificateHold".  


4.9.16    Limits on Suspension Period


The CA shall specify the maximum time period a certificate may be suspended.
The CPS shall describe in detail how this maximum suspension period is
enforced.  If the subscriber has not removed the certificate from hold
(suspension) within that period, the certificate shall be revoked for reason
of "Key Compromise".

In order to mitigate the threat of unauthorized person removing the
certificate from hold, the subscriber identity shall be authenticated in
person using initial identity proofing process described in Section 3.2.3 or
using the Human Subscriber Re-Authentication process described in Section
3.2.3.2.

If a certificate is suspended for a period greater than 30 days, an
authorizing official must verify the need for restoring the credential to
the individual.  Certificates that have expired or otherwise been revoked
for other reasons shall not be restored.

 

Judy   

 

Judith Spencer | PMA Chair | CertiPath, Inc.

1900 Reston Metro Plaza, Suite 303, Reston, VA 20190

PH +1.703.793.7875

Email  <mailto:Judith.Spencer at CertiPath.com> Judith.Spencer at CertiPath.com 

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen
Davidson via Smcwg-public
Sent: Wednesday, August 31, 2022 10:37 AM
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Update redline for recent changes to S/MIME BR

 

For ease of tracking, here is a comparison of changes that have been made in
the last week to the S/MIME BR as a result of feedback from the group.

https://github.com/cabforum/smime/compare/1dc71b4a72ea93fbed010640f37bdbabe8
8c2591...222d4ae676ed2bc7134fd03ad4b72003051ee3f6

 

Regards, Stephen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220831/53cacd03/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 9053 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220831/53cacd03/attachment-0001.p7s>

More information about the Smcwg-public mailing list