[Smcwg-public] Ballot SMC01v3: Final Guideline for “S/MIME Baseline Requirements” - 3.2.4.2 Validation of individual identity

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Oct 24 23:55:32 UTC 2022 

Yes, and for the same reason I propose to zap the following sentence 
also found in §3.2.4.2:

> The CA or RA registration agent SHALL have access to authoritative 
> sources of information on
> document appearance and validation for forms of identity document 
> accepted by the CA.

That might perhaps be appropriate for legally binding digital signature 
certificates (e.g. eIDAS qualified), but for S/MIME certificates it's an 
exaggeration.

I have filed issue 190 on github to fix these two aspects:

https://github.com/cabforum/smime/issues/190

Adriano


Il 24/10/2022 17:39, Pedro FUENTES ha scritto:
> Hello Adriano,
> Thanks for bringing this up. I must confess that I oversaw that line 
> too… and I totally agree with your views.
>
> There are methods for remote vetting that are based on document 
> capture and face recognition that are largely sufficient for S/MIME 
> certificates… This requirement for video identifications could be seen 
> as reasonable for certificates used for qualified digital signatures, 
> but for this is totally overkill here.
>
> BR/P
>
>> On 24 Oct 2022, at 17:33, Adriano Santoni via Smcwg-public 
>> <smcwg-public at cabforum.org> wrote:
>>
>> All,
>>
>> I apologize for raising doubts at the very "last minute", but since 
>> the SMC BR are about to be put to the vote, I wanted to give them a 
>> complete re-reading and I noticed a passage that leaves me a little 
>> perplexed.
>>
>> Maybe this aspect was discussed at length, but then I missed that 
>> discussion - sorry about that (in case).
>>
>> Under "3.2.4.2 Validation of individual identity" we have the 
>> following sentence:
>>
>>
>>> The CA or RA MAY use manual (in person) or remote procedures. A 
>>> remote process SHALL ensure that the Applicant has the document in 
>>> hand and presents the document/in real‐time/in front of a camera.
>>
>> Where did we borrow "in real-time" from? Not from the TLS BR nor from 
>> EVGL, it seems.
>>
>> What's the rationale for that? It seems too demanding, to me, for 
>> S/MIME certificates.
>>
>> Several CAs that I am aware of are doing individual identity 
>> verification (for S/MIME certificates) based on a Photo ID and a 
>> selfie (showing both the Applicant and his/her Photo ID), and this 
>> latter is not required to be taken in "real time".
>>
>> I am therefore a bit surprised that all the people here agree on this 
>> "in real time" which implies the non-compliance of current procedures 
>> and the need to move to more complex and more expensive procedures. 
>> Seems a bit excessive for S/MIME certificates.
>>
>> Adriano
>>
>>
>>
>> Il 14/10/2022 20:12, Stephen Davidson via Smcwg-public ha scritto:
>>> NOTICE:Pay attention - external email - Sender 
>>> is01000183d7b27b10-4ccf8875-64fd-49e8-817e-0df9fe3a5117-000000 at amazonses.com 
>>>
>>>
>>>
>>>
>>> *Ballot SMC01v3: Final Guideline for “S/MIME Baseline Requirements”*
>>> **
>>> /Note: the voting period for this ballot will commence following the 
>>> SMCWG session at the upcoming CA/B Forum face-to-face Meeting 57./
>>> **
>>> *Purpose of Ballot:*
>>> The S/MIME Certificate Working Group was chartered to discuss, 
>>> adopt, and maintain policies, frameworks, and standards for the 
>>> issuance and management of Publicly-Trusted S/MIME Certificates.  
>>> This ballot adopts a new “S/MIME Baseline Requirements” that 
>>> includes requirements for verification of control over email 
>>> addresses, identity validation for natural persons and legal 
>>> entities, key management and certificate lifecycle, certificate 
>>> profiles for S/MIME Certificates and Issuing CA Certificates, as 
>>> well as CA operational and audit practices.
>>> An S/MIME Certificate for the purposes of this document can be 
>>> identified by the existence of an Extended Key Usage (EKU) for 
>>> id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of 
>>> a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the 
>>> subjectAltName extension in the Certificate.
>>> The following motion has been proposed by Stephen Davidson of 
>>> DigiCert and endorsed by Martijn Katerbarg of Sectigo and ­­­Ben 
>>> Wilson of Mozilla.
>>> In accordance with the By-Laws, the discussion period has been 
>>> extended with the distribution of this new version of the ballot, 
>>> incorporating content that arose during the discussion period 
>>> including regarding the use of suspension and updating ETSI 
>>> references in section 8.2.
>>> *Charter Voting References*
>>> Section 5.1 (“Voting Structure”) of the SMCWG Charter says:
>>> In order for a ballot to be adopted by the SMCWG, two-thirds or more 
>>> of the votes cast by the Certificate Issuers must be in favor of the 
>>> ballot and more than 50% of the votes cast by the Certificate 
>>> Consumers must be in favor of the ballot. At least one member of 
>>> each class must vote in favor of a ballot for it to be adopted. 
>>> Quorum is the average number of Member organizations (cumulative, 
>>> regardless of Class) that have participated in the previous three 
>>> (3) SMCWG Meetings or Teleconferences (not counting subcommittee 
>>> meetings thereof).
>>> *— MOTION BEGINS —*
>>> This ballot adopts the “Baseline Requirements for the Issuance and 
>>> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME 
>>> Baseline Requirements”) as Version 1.0.0.
>>> The proposed S/MIME Baseline Requirements may be found 
>>> athttps://github.com/cabforum/smime/pull/178/filesor the attached 
>>> document.  A redline of changes since the SMC01 Ballot discussion 
>>> started may be found 
>>> athttps://github.com/cabforum/smime/compare/28c0b904fe54f1c5f6c71d18c4786a3e02c76f52...b1ff7867dc85392e4c57b1993ed571e61e34dee2
>>> The SMCWG Chair or Vice-Chair is permitted to update the Relevant 
>>> Dates and Version Number of the S/MIME Baseline Requirements to 
>>> reflect final dates.
>>> *— MOTION ENDS —*
>>> This ballot proposes a Final Guideline. The procedure for approval 
>>> of this ballot is as follows:
>>> Discussion (7+ days)
>>> Start Time: 14 October 2022 14:00 ET (US Eastern)
>>> End Time: not before 21 October 2022 14:00 ET (US Eastern)
>>> Vote for approval (7 days)
>>> Start Time: To be confirmed
>>> End Time: To be confirmed
>>> IPR Review (60 days)
>>>
>>>
>>> _______________________________________________
>>> Smcwg-public mailing list
>>> Smcwg-public at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=jCia7RSmVDOcrscxCPK64xYuNl1KfxJvNb6tKjyFkmk&s=hGsCeFNeRJtKV9oPaNgW2xcwyhFixeFTlVkbXpWPhAU&e= 
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_smcwg-2Dpublic&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=jCia7RSmVDOcrscxCPK64xYuNl1KfxJvNb6tKjyFkmk&s=hGsCeFNeRJtKV9oPaNgW2xcwyhFixeFTlVkbXpWPhAU&e=>
>
> *
> WISeKey SA
> *
> *Pedro Fuentes
> *CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00
> Mobile: + 41 (0) 791 274 790
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
> *Stay connected with WISeKey <http://www.wisekey.com>
> *
> *THIS IS A TRUSTED MAIL*: This message is digitally signed with a 
> WISeKey identity. If you get a mail from WISeKey please check 
> the signature to avoid security risks
>
> *CONFIDENTIALITY: *This email and any files transmitted with it can be 
> confidential and it’s intended solely for the use of the individual or 
> entity to which they are addressed. If you are not the named addressee 
> you should not disseminate, distribute or copy this e-mail. If 
> you have received this email in error please notify the sender
>
> *DISCLAIMER: *WISeKey does not warrant the accuracy or completeness of 
> this message and does not accept any liability for any errors or 
> omissions herein as this message has been transmitted over a public 
> network. Internet communications cannot be guaranteed to be secure or 
> error-free as information may be intercepted, corrupted, or contain 
> viruses. Attachments to this e-mail are checked for viruses; 
> however, we do not accept any liability for any damage sustained by 
> viruses and therefore you are kindly requested to check for viruses 
> upon receipt.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20221025/052740c6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20221025/052740c6/attachment-0001.p7s>

More information about the Smcwg-public mailing list