[Smcwg-public] [External Sender] Ballot SMC01v3: Final Guideline for “S/MIME Baseline Requirements”

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Oct 24 15:33:27 UTC 2022


All,

I apologize for raising doubts at the very "last minute", but since the 
SMC BR are about to be put to the vote, I wanted to give them a complete 
re-reading and I noticed a passage that leaves me a little perplexed.

Maybe this aspect was discussed at length, but then I missed that 
discussion - sorry about that (in case).

Under "3.2.4.2 Validation of individual identity" we have the following 
sentence:

> The CA or RA MAY use manual (in person) or remote procedures. A remote 
> process SHALL ensure that the Applicant has the document in hand and 
> presents the document /in real‐time/ in front of a camera.

Where did we borrow "in real-time" from? Not from the TLS BR nor from 
EVGL, it seems.

What's the rationale for that? It seems too demanding, to me, for S/MIME 
certificates.

Several CAs that I am aware of are doing individual identity 
verification (for S/MIME certificates) based on a Photo ID and a selfie 
(showing both the Applicant and his/her Photo ID), and this latter is 
not required to be taken in "real time".

I am therefore a bit surprised that all the people here agree on this 
"in real time" which implies the non-compliance of current procedures 
and the need to move to more complex and more expensive procedures. 
Seems a bit excessive for S/MIME certificates.

Adriano



On 14/10/2022 20:12, Stephen Davidson via Smcwg-public wrote:
> *Ballot SMC01v3: Final Guideline for “S/MIME Baseline Requirements”*
>
> /Note: the voting period for this ballot will commence following the 
> SMCWG session at the upcoming CA/B Forum face-to-face Meeting 57./
>
> *Purpose of Ballot:*
>
> The S/MIME Certificate Working Group was chartered to discuss, adopt, 
> and maintain policies, frameworks, and standards for the issuance and 
> management of Publicly-Trusted S/MIME Certificates.  This ballot 
> adopts a new “S/MIME Baseline Requirements” that includes requirements 
> for verification of control over email addresses, identity validation 
> for natural persons and legal entities, key management and certificate 
> lifecycle, certificate profiles for S/MIME Certificates and Issuing CA 
> Certificates, as well as CA operational and audit practices.
>
> An S/MIME Certificate for the purposes of this document can be 
> identified by the existence of an Extended Key Usage (EKU) for 
> id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a 
> rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the 
> subjectAltName extension in the Certificate.
>
> The following motion has been proposed by Stephen Davidson of DigiCert 
> and endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.
>
> In accordance with the By-Laws, the discussion period has been 
> extended with the distribution of this new version of the ballot, 
> incorporating content that arose during the discussion period 
> including regarding the use of suspension and updating ETSI references 
> in section 8.2.
>
> *Charter Voting References*
>
> Section 5.1 (“Voting Structure”) of the SMCWG Charter says:
>
> In order for a ballot to be adopted by the SMCWG, two-thirds or more 
> of the votes cast by the Certificate Issuers must be in favor of the 
> ballot and more than 50% of the votes cast by the Certificate 
> Consumers must be in favor of the ballot. At least one member of each 
> class must vote in favor of a ballot for it to be adopted. Quorum is 
> the average number of Member organizations (cumulative, regardless of 
> Class) that have participated in the previous three (3) SMCWG Meetings 
> or Teleconferences (not counting subcommittee meetings thereof).
>
> *— MOTION BEGINS —*
>
> This ballot adopts the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline 
> Requirements”) as Version 1.0.0.
>
> The proposed S/MIME Baseline Requirements may be found at 
> https://github.com/cabforum/smime/pull/178/files or the attached 
> document.  A redline of changes since the SMC01 Ballot discussion 
> started may be found at 
> https://github.com/cabforum/smime/compare/28c0b904fe54f1c5f6c71d18c4786a3e02c76f52...b1ff7867dc85392e4c57b1993ed571e61e34dee2 
>
>
> The SMCWG Chair or Vice-Chair is permitted to update the Relevant 
> Dates and Version Number of the S/MIME Baseline Requirements to 
> reflect final dates.
>
> *— MOTION ENDS —*
>
> This ballot proposes a Final Guideline. The procedure for approval of 
> this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 14 October 2022 14:00 ET (US Eastern)
>
> End Time: not before 21 October 2022 14:00 ET (US Eastern)
>
> Vote for approval (7 days)
>
> Start Time: To be confirmed
>
> End Time: To be confirmed
>
> IPR Review (60 days)
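The scope test quoted in the ballot text above (an EKU of id-kp-emailProtection plus an rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in subjectAltName), as an added example that is not part of the original messages or of any CA/B Forum code. The function names and `SAMPLE` are hypothetical; `SAMPLE` is a constructed, unsigned skeleton, and the id-on-SmtpUTF8Mailbox OID value is taken from RFC 8398 rather than from the page.

```python
EKU_EXT, SAN_EXT = "2.5.29.37", "2.5.29.17"  # extKeyUsage, subjectAltName
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"       # id-kp-emailProtection (from the ballot)
SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"      # id-on-SmtpUTF8Mailbox (RFC 8398)
# Constructed, unsigned skeleton (Certificate -> tbsCertificate -> [3] extensions
# only) with an emailProtection EKU and rfc822Name alice@example.com.
SAMPLE = bytes.fromhex(
    "30393037a3353033" "30130603551d25040c300a06082b06010505070304"
    "301c0603551d11041530138111" "616c696365406578616d706c652e636f6d")

def children(buf):
    """Yield (tag, body) for each DER element in buf (well-formed input assumed)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def oid_dec(body):
    """Decode OID content octets to dotted form."""
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extensions(cert_der):
    """Map extnID -> extnValue via Certificate -> tbsCertificate -> [3]."""
    tbs = next(children(next(children(cert_der))[1]))[1]
    exts = next((b for t, b in children(tbs) if t == 0xA3), b"")
    seq = next(children(exts), (0, b""))[1]
    return {oid_dec(p[0][1]): p[-1][1]
            for p in (list(children(e)) for _, e in children(seq))}

def is_smime(cert_der):
    """Apply the ballot's test: emailProtection EKU plus a mailbox name in SAN."""
    ext = extensions(cert_der)
    if EKU_EXT not in ext or SAN_EXT not in ext:
        return False
    eku = next(children(ext[EKU_EXT]))[1]
    if all(oid_dec(b) != EMAIL_PROTECTION for _, b in children(eku)):
        return False
    san = next(children(ext[SAN_EXT]))[1]
    return any(t == 0x81 or                   # rfc822Name
               (t == 0xA0 and oid_dec(next(children(b))[1]) == SMTP_UTF8_MAILBOX)
               for t, b in children(san))     # 0xA0 = otherName
```

The walker follows the certificate structure strictly instead of searching for OIDs anywhere in the bytes, so an OID embedded in a subject name cannot pull a certificate into scope. It does not validate malformed DER; a vetted X.509 parser should do that before a check like this runs.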