[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Sep 13 11:22:32 UTC 2022


In addition, we should clarify which countryName is expected in the 
subject of the certificate in the "sponsor-validated" profile.

Since the subject:organizationName is mandatory, it is expected that the 
subject:countryName is the Country of the Organization, not the 
individual. This could be added in the Note of section 7.1.4.2.5.

In the same section, 7.1.4.2.5 the subject:countryName should be updated 
to a SHALL for all cases (Legacy, Multipurpose, Strict).

ETSI Certificates (See ETSI EN 319 412-2 section 4.2.4) require the 
countryName even for certificates issued to Natural Persons which makes 
the countryName a potential SHALL under 7.1.4.2.6 (individual-validated 
profile). The CA always knows and validates the country of the 
individual because it is related to the identity document that the CA 
verifies.


Thank you for considering these changes,
Dimitris.

On 13/9/2022 1:24 PM, Dimitris Zacharopoulos (HARICA) via Smcwg-public 
wrote:
>
> After a more detailed review by the HARICA team, we noticed some areas 
> of concern that we hope will be considered for update by the authors 
> and endorsers of this ballot.
>
>   * 7.1.2.3 c
>       o authorityInformationAccess (*SHALL* be present) ->
>         authorityInformationAccess (*SHOULD* be present) [Rationale:
>         OCSP is not currently required for S/MIME Certificates by all
>         Certificate Consumers. Only Microsoft Root Program requires it
>         and perhaps this is due to a copy-over from the TLS BRs
>         without performing a technical analysis specifically on S/MIME
>         or clientAuth or codeSigning Certificates. The CSCWG already
>         removed the requirement for OCSP in Subscriber Certificates in
>         the CSBRs].
>       o The authorityInformationAccess extension *SHALL* contain at
>         least one accessMethod value of type id-ad-ocsp that specifies
>         the URI of the Issuing CA’s OCSP responder. -> The
>         authorityInformationAccess extension *MAY* contain at least
>         one accessMethod value of type id-ad-ocsp that specifies the
>         URI of the Issuing CA’s OCSP responder. [Rationale: same as above]
>   * 7.1.4.2.4 Subject DN attributes for organization-validated profile
>     and 7.1.4.2.5 Subject DN attributes for sponsor-validated profile
>         subject:countryName *MAY* -> subject:countryName *SHALL*
>     [Rationale: Organization Names must contain a Country Name to
>     indicate where this Organization is located. This applies to the
>     organization-validated and the sponsor-validated profile. It is
>     also referenced in Appendix A - Registration Schemes]
>
>
> Thank you,
> Dimitris.
>
>
> On 8/9/2022 10:03 AM, Stephen Davidson via Smcwg-public wrote:
>>
>> *Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”*
>>
>>
>> *Purpose of Ballot:*
>>
>> The S/MIME Certificate Working Group was chartered to discuss, adopt, 
>> and maintain policies, frameworks, and standards for the issuance and 
>> management of Publicly-Trusted S/MIME Certificates.  This ballot 
>> adopts a new “S/MIME Baseline Requirements” that includes 
>> requirements for verification of control over email addresses, 
>> identity validation for natural persons and legal entities, key 
>> management and certificate lifecycle, certificate profiles for S/MIME 
>> Certificates and Issuing CA Certificates, as well as CA operational 
>> and audit practices.
>>
>> An S/MIME Certificate for the purposes of this document can be 
>> identified by the existence of an Extended Key Usage (EKU) for 
>> id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a 
>> rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the 
>> subjectAltName extension in the Certificate.
>>
>> The following motion has been proposed by Stephen Davidson of 
>> DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben 
>> Wilson of Mozilla.
>>
>> *Charter Voting References*
>>
>> Section 5.1 (“Voting Structure”) 
>> <https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure> of 
>> the SMCWG Charter says:
>>
>> In order for a ballot to be adopted by the SMCWG, two-thirds or more 
>> of the votes cast by the Certificate Issuers must be in favor of the 
>> ballot and more than 50% of the votes cast by the Certificate 
>> Consumers must be in favor of the ballot. At least one member of each 
>> class must vote in favor of a ballot for it to be adopted. Quorum is 
>> the average number of Member organizations (cumulative, regardless of 
>> Class) that have participated in the previous three (3) SMCWG 
>> Meetings or Teleconferences (not counting subcommittee meetings thereof).
>>
>> *— MOTION BEGINS —*
>>
>> This ballot adopts the “Baseline Requirements for the Issuance and 
>> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline 
>> Requirements”) as Version 1.0.0.
>>
>> The proposed S/MIME Baseline Requirements may be found at 
>> https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 
>> or the attached document.
>>
>> The SMCWG Chair or Vice-Chair is permitted to update the Relevant 
>> Dates and Version Number of the S/MIME Baseline Requirements to 
>> reflect final dates.
>>
>> *— MOTION ENDS —*
>>
>> This ballot proposes a Final Guideline. The procedure for approval of 
>> this ballot is as follows:
>>
>> Discussion (7+ days)
>> Start Time: 8 September 2022 17:00 UTC
>> End Time: 15 September 2022 17:00 UTC
>>
>> Vote for approval (7 days)
>> Start Time: 15 September 2022 17:00 UTC
>> End Time: 22 September 2022 17:00 UTC
>>
>> IPR Review (60 days)
>>
>>
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
>
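The profile rules debated in this thread, turned into a checker over a constructed certificate. This is an added example, not code from the ballot, HARICA or the CA/Browser Forum; the subject, e-mail address and OCSP URL are hypothetical, the self-signed sample stands in for a CA-issued leaf, and the `ocspRequired` flag lets the same check apply the draft's SHALL or the proposed MAY for the AIA OCSP pointer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// CheckSMIMEProfile applies the thread's rules to a parsed leaf: the emailProtection
// EKU plus an rfc822Name SAN identify an S/MIME certificate (SmtpUTF8Mailbox otherNames
// are not inspected), organizationName needs countryName (proposed SHALL), AIA OCSP per flag.
func CheckSMIMEProfile(c *x509.Certificate, ocspRequired bool) []string {
	var findings []string
	if !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageEmailProtection) {
		findings = append(findings, "EKU lacks id-kp-emailProtection (1.3.6.1.5.5.7.3.4)")
	}
	if len(c.EmailAddresses) == 0 {
		findings = append(findings, "subjectAltName has no rfc822Name")
	}
	if len(c.Subject.Organization) > 0 && len(c.Subject.Country) == 0 {
		findings = append(findings, "subject:organizationName present but subject:countryName absent")
	}
	if ocspRequired && len(c.OCSPServer) == 0 {
		findings = append(findings, "authorityInformationAccess has no id-ad-ocsp accessMethod")
	}
	return findings
}

// buildSample self-signs a constructed sample (hypothetical subject, no real CA) for offline tests.
func buildSample(org string, country, emails, ocsp []string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, Country: country},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: emails, OCSPServer: ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```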