[Smcwg-public] [External Sender] Re: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
adriano.santoni at staff.aruba.it
Tue Sep 13 12:17:25 UTC 2022
I fully concur with Dimitris.
Il 13/09/2022 13:22, Dimitris Zacharopoulos (HARICA) via Smcwg-public ha
> NOTICE: Pay attention - external email - Sender is
> 0100018336965856-f5f1fdca-d4be-4d8d-be80-203cb973920b-000000 at amazonses.com
> In addition, we should clarify which countryName is expected in the
> subject of the certificate in the "sponsor-validated" profile.
> Since the subject:organizationName is mandatory, it is expected that
> the subject:countryName is the Country of the Organization, not the
> individual. This could be added in the Note of section 126.96.36.199.5.
> In the same section, 188.8.131.52.5 the subject:countryName should be
> updated to a SHALL for all cases (Legacy, Multipurpose, Strict).
> ETSI Certificates (See ETSI EN 319 412-2 section 4.2.4) require the
> countryName even for certificates issued to Natural Persons which
> makes the countryName a potential SHALL under 184.108.40.206.6
> (individual-validated profile). The CA always knows and validates the
> country of the individual because it is related to the identity
> document that the CA verifies.
> Thank you for considering these changes,
> On 13/9/2022 1:24 μ.μ., Dimitris Zacharopoulos (HARICA) via
> Smcwg-public wrote:
>> After a more detailed review by the HARICA team, we noticed some
>> areas of concern that we hope will be considered for update by the
>> authors and endorsers of this ballot.
>> * 220.127.116.11 c
>> o authorityInformationAccess (*SHALL* be present) ->
>> authorityInformationAccess (*SHOULD* be present) [Rationale:
>> OCSP is not currently required for S/MIME Certificates by all
>> Certificate Consumers. Only Microsoft Root Program requires
>> it and perhaps this is due to a copy-over from the TLS BRs
>> without performing a technical analysis specifically on
>> S/MIME or clientAuth or codeSigning Certificates. The CSCWG
>> already removed the requirement for OCSP in Subscriber
>> Certificates in the CSBRs].
>> o The authorityInformationAccess extension *SHALL* contain at
>> least one accessMethod value of type id-ad-ocsp that
>> specifies the URI of the Issuing CA’s OCSP responder. -> The
>> authorityInformationAccess extension *MAY* contain at least
>> one accessMethod value of type id-ad-ocsp that specifies the
>> URI of the Issuing CA’s OCSP responder. [Rationale: same as
>> * 18.104.22.168.4 Subject DN attributes for organization-validated
>> profile and 22.214.171.124.5 Subject DN attributes for sponsor-validated
>> subject:countryName *MAY* -> subject:countryName *SHALL*
>> [Rationale: Organization Names must contain a Country Name to
>> indicate where this Organization is located. This applies to the
>> organization-validated and the sponsor-validated profile. It is
>> also referenced in Appendix A - Registration Schemes]
>> Thank you,
>> On 8/9/2022 10:03 π.μ., Stephen Davidson via Smcwg-public wrote:
>>> *Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements” *
>>> *Purpose of Ballot:*
>>> The S/MIME Certificate Working Group was chartered to discuss,
>>> adopt, and maintain policies, frameworks, and standards for the
>>> issuance and management of Publicly-Trusted S/MIME Certificates.
>>> This ballot adopts a new “S/MIME Baseline Requirements” that
>>> includes requirements for verification of control over email
>>> addresses, identity validation for natural persons and legal
>>> entities, key management and certificate lifecycle, certificate
>>> profiles for S/MIME Certificates and Issuing CA Certificates, as
>>> well as CA operational and audit practices.
>>> An S/MIME Certificate for the purposes of this document can be
>>> identified by the existence of an Extended Key Usage (EKU) for
>>> id-kp-emailProtection (OID: 126.96.36.199.188.8.131.52.4) and the inclusion of
>>> a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the
>>> subjectAltName extension in the Certificate.
>>> The following motion has been proposed by Stephen Davidson of
>>> DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben
>>> Wilson of Mozilla.
>>> *Charter Voting References*
>>> Section 5.1 (“Voting Structure”)
>>> of the SMCWG Charter says:
>>> In order for a ballot to be adopted by the SMCWG, two-thirds or more
>>> of the votes cast by the Certificate Issuers must be in favor of the
>>> ballot and more than 50% of the votes cast by the Certificate
>>> Consumers must be in favor of the ballot. At least one member of
>>> each class must vote in favor of a ballot for it to be adopted.
>>> Quorum is the average number of Member organizations (cumulative,
>>> regardless of Class) that have participated in the previous three
>>> (3) SMCWG Meetings or Teleconferences (not counting subcommittee
>>> meetings thereof).
>>> *— MOTION BEGINS —**
>>> This ballot adopts the “Baseline Requirements for the Issuance and
>>> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME
>>> Baseline Requirements”) as Version 1.0.0.
>>> The proposed S/MIME Baseline Requirements may be found at
>>> or the attached document.
>>> The SMCWG Chair or Vice-Chair is permitted to update the Relevant
>>> Dates and Version Number of the S/MIME Baseline Requirements to
>>> reflect final dates.
>>> *— MOTION ENDS —**
>>> This ballot proposes a Final Guideline. The procedure for approval
>>> of this ballot is as follows:
>>> Discussion (7+ days)
>>> Start Time: 8 September 2022 17:00 UTC
>>> End Time: 15 September 2022 17:00 UTC
>>> Vote for approval (7 days)
>>> Start Time: 15 September 2022 17:00 UTC
>>> End Time: 22 September 2022 17:00 UTC
>>> IPR Review (60 days)
>>> Smcwg-public mailing list
>>> Smcwg-public at cabforum.org
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4557 bytes
Desc: Firma crittografica S/MIME
More information about the Smcwg-public