[Smcwg-public] Approved Minutes of SMCWG February 16, 2022

Stephen Davidson Stephen.Davidson at digicert.com
Sun Mar 13 17:29:20 UTC 2022

Minutes of SMCWG

February 16, 2022


These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.


Adrian Mueller (SwissSign), Andreas Henschel (D-TRUST), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Cade Cairns (Google), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (Digicert), Dimitris Zacharopoulos (HARICA), Don Sheehy (CPA Canada/WebTrust), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Fotis Loukos (Google), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Jamie Mackey (US Federal PKI Management Authority), Joanna Fox (TrustCor Systems), Mads Henriksveen (Buypass AS), Martijn Katerbarg (Sectigo), Matthias Wiedenhorst (ACAB Council), Mauricio Fernandez (TeleTrust), Morad Abou Naser (TeleTrust), Mrugesh Chandarana (IdenTrust), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Rebecca Kelley (Apple), Russ Housley (Russ Housley), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (US Federal PKI Management Authority), Tim Crawford (CPA Canada/WebTrust), Wendy Brown (US Federal PKI Management Authority) 

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the February 2 teleconference were approved.  

5. Discussion 

The WG discussed the agenda and topics for the upcoming (Feb 22-24) face to face hosted by DigiCert in Salt Lake City:

*	For the plenary:  2021 recap of WG charter, members, and activity and 2022 goals with walk thru of tentative content
*	For the WG session: Enterprise RA (particularly section 1.3.2 and 8.8), Individual vetting approach (see draft at section 3.24), roadmap to a ballot


The WG continued to discuss the organizationalIdentifier field in the Subject.  Stephen Davidson noted that there was a desire to have a unique legal identifier in Organization-validated and Sponsor-validated certificates.  He noted that in previous discussion of the WG, there had been some concerns expressed about the approach specified in the EVG: 

*	For its use of serialNumber - which is commonly used otherwise in S/MIME
*	Lots of info in the Subject (entity type, serialNumber, JOI levels in the cert)


He noted that previous WG discussion had shown a preference for the subject:organizationalIdentifier attribute as defined in the EVG (and inspired by ETSI EN 319 412-1).  He noted the variation added by the EVG to accommodate "state" level registries such as in the United States.  For example, a Swiss registry would be NTRCH-12345 but a US one might be NTRUS+UT-12345.


Stephen proposed adding LEI to the organizationalIdentifier.  LEI is included in the original ETSI standard but was omitted from the EVG.  Dimitris Zacharopoulos noted that there was concern in the past EV discussions that LEI could be issued on the basis of self-enrolled information.  Paul van Brouwershaven shared links to the GLEIF lookup for several entities whose LEI displayed different vetting levels.


Stephen noted that the BR text would narrow the use of LEI with language such as "The CA MUST verify that the RegistrationStatus for the LEI record is ISSUED and the EntityStatus is ACTIVE.  An LEI shall only be used if the ValidationSources entry is FULLY_CORROBORATED; an LEI MUST NOT be used if ValidationSources entry is PARTIALLY_CORROBORATED, PENDING, or ENTITY_SUPPLIED_ONLY."  He invited comment from the WG if this was sufficient and appropriate.

After discussion, it was emphasized that the CA must verify the entity according to the requirements in 3.2.3.  The LEI must not be an authorized source; it is simply an alternate identifier.  


It was unresolved whether the LEI is useful to CAs in establishing the corporate relationships of entities in the context of the BR (in other words, is juniorco an affiliate or subsidiary of seniorco?).
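The identifier layout from the NTRCH-12345 / NTRUS+UT-12345 examples above and the draft LEI gate quoted in the ISSUED / ACTIVE / FULLY_CORROBORATED text, worked through in code.  This is an added example, not text from the minutes, the draft SBR or any CA's code.  It assumes the EVG 9.2.8 layout (3-letter scheme, ISO 3166 country, optional "+" state, hyphen, reference), that the X.520 attribute is spelled organizationIdentifier (OID 2.5.4.97), that the ETSI EN 319 412-1 LEI scheme uses the user-assigned country code XG, and that the LEI check digits are ISO 7064 MOD 97-10 as in ISO 17442.  The LeiRecord field names and the sample LEI are constructed for the example and are not the GLEIF API schema or a real registration.

```python
"""Added example: parse an organizationIdentifier value and apply the
draft S/MIME BR gate for using an LEI.  Not from the minutes or the SBR."""
import re
from dataclasses import dataclass
from typing import Optional

# Scheme prefixes from EVG 9.2.8 (NTR, VAT, PSD) plus LEI from ETSI
# EN 319 412-1 (assumption: the LEI scheme uses country code "XG"
# because an LEI is not tied to any national registry).
ORG_ID_RE = re.compile(
    r"^(?P<scheme>NTR|VAT|PSD|LEI)"
    r"(?P<country>[A-Z]{2})"
    r"(?:\+(?P<state>[A-Z0-9]{1,3}))?"   # EVG addition for state-level registries
    r"-(?P<reference>.+)$"
)


@dataclass(frozen=True)
class OrgId:
    scheme: str
    country: str
    state: Optional[str]
    reference: str


def lei_checksum_ok(lei: str) -> bool:
    """ISO 17442 LEI: 18 alphanumerics + 2 check digits, MOD 97-10 (as for IBAN).
    Letters map to 10..35, the whole thing read as a decimal number is = 1 mod 97."""
    if not re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", lei):
        return False
    digits = "".join(str(int(ch, 36)) for ch in lei)   # A=10 ... Z=35
    return int(digits) % 97 == 1


def parse_org_id(value: str) -> OrgId:
    """Split e.g. NTRCH-12345, NTRUS+UT-12345 or LEIXG-<20 chars> into parts."""
    m = ORG_ID_RE.match(value)
    if m is None:
        raise ValueError(f"not a well-formed organizationIdentifier: {value!r}")
    oid = OrgId(m["scheme"], m["country"], m["state"], m["reference"])
    if oid.scheme == "LEI":
        if oid.country != "XG" or oid.state is not None:
            raise ValueError("LEI scheme must use country code XG and no state")
        if not lei_checksum_ok(oid.reference):
            raise ValueError("LEI fails the ISO 7064 MOD 97-10 check")
    return oid


@dataclass(frozen=True)
class LeiRecord:
    """Constructed subset of a GLEIF record.  Field names are illustrative,
    not the real GLEIF API schema."""
    lei: str
    registration_status: str   # e.g. ISSUED, LAPSED, RETIRED
    entity_status: str         # ACTIVE or INACTIVE
    validation_sources: str    # FULLY_CORROBORATED, PARTIALLY_CORROBORATED, ...


def lei_usable(rec: LeiRecord) -> tuple[bool, str]:
    """The draft gate: usable only if ISSUED, ACTIVE and FULLY_CORROBORATED.
    Passing this says nothing about whether the CA verified the entity under
    3.2.3; the LEI is an alternate identifier, not a verification source."""
    if not lei_checksum_ok(rec.lei):
        return False, "malformed LEI"
    if rec.registration_status != "ISSUED":
        return False, f"RegistrationStatus is {rec.registration_status}, not ISSUED"
    if rec.entity_status != "ACTIVE":
        return False, f"EntityStatus is {rec.entity_status}, not ACTIVE"
    if rec.validation_sources != "FULLY_CORROBORATED":
        return False, f"ValidationSources is {rec.validation_sources}"
    return True, "usable"


def lei_org_id(rec: LeiRecord) -> str:
    """Build the subject attribute value for a usable LEI, else raise."""
    ok, why = lei_usable(rec)
    if not ok:
        raise ValueError(why)
    return f"LEIXG-{rec.lei}"


if __name__ == "__main__":
    for v in ("NTRCH-12345", "NTRUS+UT-12345", "LEIXG-54930000000000000196"):
        print(v, "->", parse_org_id(v))
    # Constructed records: the LEI below is a made-up value with valid check digits.
    good = LeiRecord("54930000000000000196", "ISSUED", "ACTIVE", "FULLY_CORROBORATED")
    self_declared = LeiRecord("54930000000000000196", "ISSUED", "ACTIVE", "ENTITY_SUPPLIED_ONLY")
    print(lei_org_id(good))
    print(lei_usable(self_declared))
```

The checksum test catches transcription errors before the CA ever queries GLEIF; the status gate then encodes the three conditions of the quoted draft text.  Note that a record that passes both only tells the CA the LEI is well-formed and corroborated by GLEIF; the entity itself still has to be verified under 3.2.3, and the code deliberately does not conflate the two.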


The draft of the S/MIME Baseline Requirements is available at https://github.com/cabforum/smime/blob/preSBR/SBR.md


6. Any Other Business



7. Next call

Next call: Face to face meeting on February 24 (information in wiki) and then call on Wednesday, March 2, 2022 at 11 a.m. US Eastern.


