[Smcwg-public] [External Sender] Re: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Sep 13 12:17:25 UTC 2022


I fully concur with Dimitris.

Adriano


On 13/09/2022 13:22, Dimitris Zacharopoulos (HARICA) via Smcwg-public 
wrote:
>
> In addition, we should clarify which countryName is expected in the 
> subject of the certificate in the "sponsor-validated" profile.
>
> Since the subject:organizationName is mandatory, it is expected that 
> the subject:countryName is the Country of the Organization, not the 
> individual. This could be added in the Note of section 7.1.4.2.5.
>
> In the same section, 7.1.4.2.5 the subject:countryName should be 
> updated to a SHALL for all cases (Legacy, Multipurpose, Strict).
>
> ETSI Certificates (See ETSI EN 319 412-2 section 4.2.4) require the 
> countryName even for certificates issued to Natural Persons which 
> makes the countryName a potential SHALL under 7.1.4.2.6 
> (individual-validated profile). The CA always knows and validates the 
> country of the individual because it is related to the identity 
> document that the CA verifies.
>
>
> Thank you for considering these changes,
> Dimitris.
>
> On 13/9/2022 1:24 p.m., Dimitris Zacharopoulos (HARICA) via 
> Smcwg-public wrote:
>>
>> After a more detailed review by the HARICA team, we noticed some 
>> areas of concern that we hope will be considered for update by the 
>> authors and endorsers of this ballot.
>>
>>   * 7.1.2.3 c
>>       o authorityInformationAccess (*SHALL* be present) ->
>>         authorityInformationAccess (*SHOULD* be present) [Rationale:
>>         OCSP is not currently required for S/MIME Certificates by all
>>         Certificate Consumers. Only Microsoft Root Program requires
>>         it and perhaps this is due to a copy-over from the TLS BRs
>>         without performing a technical analysis specifically on
>>         S/MIME or clientAuth or codeSigning Certificates. The CSCWG
>>         already removed the requirement for OCSP in Subscriber
>>         Certificates in the CSBRs].
>>       o The authorityInformationAccess extension *SHALL* contain at
>>         least one accessMethod value of type id-ad-ocsp that
>>         specifies the URI of the Issuing CA’s OCSP responder. -> The
>>         authorityInformationAccess extension *MAY* contain at least
>>         one accessMethod value of type id-ad-ocsp that specifies the
>>         URI of the Issuing CA’s OCSP responder. [Rationale: same as
>>         above]
>>   * 7.1.4.2.4 Subject DN attributes for organization-validated
>>     profile and 7.1.4.2.5 Subject DN attributes for sponsor-validated
>>     profile
>>         subject:countryName *MAY* -> subject:countryName *SHALL*
>>     [Rationale: Organization Names must contain a Country Name to
>>     indicate where this Organization is located. This applies to the
>>     organization-validated and the sponsor-validated profile. It is
>>     also referenced in Appendix A - Registration Schemes]
>>
>>
>> Thank you,
>> Dimitris.
>>
>>
>> On 8/9/2022 10:03 a.m., Stephen Davidson via Smcwg-public wrote:
>>>
>>> *Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements” *
>>>
>>> *Purpose of Ballot:*
>>>
>>> The S/MIME Certificate Working Group was chartered to discuss, 
>>> adopt, and maintain policies, frameworks, and standards for the 
>>> issuance and management of Publicly-Trusted S/MIME Certificates.  
>>> This ballot adopts a new “S/MIME Baseline Requirements” that 
>>> includes requirements for verification of control over email 
>>> addresses, identity validation for natural persons and legal 
>>> entities, key management and certificate lifecycle, certificate 
>>> profiles for S/MIME Certificates and Issuing CA Certificates, as 
>>> well as CA operational and audit practices.
>>>
>>> An S/MIME Certificate for the purposes of this document can be 
>>> identified by the existence of an Extended Key Usage (EKU) for 
>>> id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of 
>>> a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the 
>>> subjectAltName extension in the Certificate.
>>>
>>> The following motion has been proposed by Stephen Davidson of 
>>> DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben 
>>> Wilson of Mozilla.
>>>
>>> *Charter Voting References*
>>>
>>> Section 5.1 (“Voting Structure”) 
>>> <https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure> 
>>> of the SMCWG Charter says:
>>>
>>> In order for a ballot to be adopted by the SMCWG, two-thirds or more 
>>> of the votes cast by the Certificate Issuers must be in favor of the 
>>> ballot and more than 50% of the votes cast by the Certificate 
>>> Consumers must be in favor of the ballot. At least one member of 
>>> each class must vote in favor of a ballot for it to be adopted. 
>>> Quorum is the average number of Member organizations (cumulative, 
>>> regardless of Class) that have participated in the previous three 
>>> (3) SMCWG Meetings or Teleconferences (not counting subcommittee 
>>> meetings thereof).
>>>
>>> *— MOTION BEGINS —*
>>> This ballot adopts the “Baseline Requirements for the Issuance and 
>>> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME 
>>> Baseline Requirements”) as Version 1.0.0.
>>>
>>> The proposed S/MIME Baseline Requirements may be found at 
>>> https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 
>>> or the attached document.
>>>
>>> The SMCWG Chair or Vice-Chair is permitted to update the Relevant 
>>> Dates and Version Number of the S/MIME Baseline Requirements to 
>>> reflect final dates.
>>>
>>> *— MOTION ENDS —*
>>> This ballot proposes a Final Guideline. The procedure for approval 
>>> of this ballot is as follows:
>>>
>>> Discussion (7+ days)
>>> Start Time: 8 September 2022 17:00 UTC
>>> End Time: 15 September 2022 17:00 UTC
>>>
>>> Vote for approval (7 days)
>>> Start Time: 15 September 2022 17:00 UTC
>>> End Time: 22 September 2022 17:00 UTC
>>>
>>> IPR Review (60 days)
>>>
>>>
>>> _______________________________________________
>>> Smcwg-public mailing list
>>> Smcwg-public at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
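The ballot text quoted above defines an S/MIME Certificate by two things (an EKU of id-kp-emailProtection and an rfc822Name or id-on-SmtpUTF8Mailbox entry in subjectAltName), and the HARICA comments turn on two more fields (whether subject:countryName is present, and whether authorityInformationAccess carries an id-ad-ocsp accessMethod). The following stdlib-only Python is an added example written for this page; it is not code from the ballot, the CA/B Forum, or any of the posters. It walks a DER certificate with a minimal ASN.1 reader and reports those four findings, which is the kind of check a CA's pre-issuance linter or an auditor would run against a profile. The sample certificate it builds is constructed inline (dummy key and signature; "Example Org", alice@example.com and ocsp.example.com are assumed placeholder values), so nothing here is a real certificate; the OIDs are the standard RFC 5280 and RFC 8398 values.

```python
"""Report the S/MIME-relevant fields of a DER certificate (stdlib only).
Added example, not from the ballot or the CA/B Forum. Findings: EKU
id-kp-emailProtection, rfc822Name / SmtpUTF8Mailbox SAN, subject:countryName,
and an id-ad-ocsp accessMethod in authorityInformationAccess."""

OID_EKU, OID_SAN, OID_AIA = "2.5.29.37", "2.5.29.17", "1.3.6.1.5.5.7.1.1"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"     # id-kp-emailProtection
OID_SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"    # id-on-SmtpUTF8Mailbox (RFC 8398)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"             # id-ad-ocsp
OID_COUNTRY_NAME = "2.5.4.6"

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER value starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_smime_profile(cert_der):
    """Return a dict of the S/MIME-relevant findings for one DER certificate."""
    fields = children(children(read_tlv(cert_der)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                                    # optional [0] version
        fields = fields[1:]
    # serial, sigAlg, issuer, validity, subject, spki, [uids], [3] extensions
    country = None
    for _, rdn in children(fields[4][1]):                       # subject Name
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if decode_oid(oid) == OID_COUNTRY_NAME:
                country = value.decode()
    result = {"email_protection_eku": False, "smime_san": False,
              "country_name": country, "aia_ocsp": False}
    ext_list = [children(children(body)[0][1]) for tag, body in fields[6:] if tag == 0xA3]
    for _, ext in (ext_list[0] if ext_list else []):
        parts = children(ext)                   # extnID, [critical], extnValue
        ext_oid, inner = decode_oid(parts[0][1]), children(parts[-1][1])[0][1]
        if ext_oid == OID_EKU:
            result["email_protection_eku"] = OID_EMAIL_PROTECTION in {
                decode_oid(b) for _, b in children(inner)}
        elif ext_oid == OID_SAN:
            for tag, name in children(inner):   # [1] rfc822Name or [0] otherName
                if tag == 0x81 or (tag == 0xA0 and
                        decode_oid(children(name)[0][1]) == OID_SMTP_UTF8_MAILBOX):
                    result["smime_san"] = True
        elif ext_oid == OID_AIA:
            for _, desc in children(inner):     # AccessDescription: method, location
                if decode_oid(children(desc)[0][1]) == OID_AD_OCSP:
                    result["aia_ocsp"] = True
    result["is_smime_certificate"] = result["email_protection_eku"] and result["smime_san"]
    return result

# Minimal DER writer, used only to construct the sample certificate below.
def tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256
                                         else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def build_sample_cert(country=None, with_ocsp=True, utf8_mailbox=False):
    """Constructed sample (dummy key and signature; assumed names and URLs)."""
    rdns = [tlv(0x31, seq(encode_oid("2.5.4.10"), tlv(0x0C, b"Example Org")))]
    if country:
        rdns.append(tlv(0x31, seq(encode_oid(OID_COUNTRY_NAME), tlv(0x13, country.encode()))))
    name = seq(*rdns)
    san = (tlv(0xA0, encode_oid(OID_SMTP_UTF8_MAILBOX) + tlv(0xA0, tlv(0x0C, b"alice@example.com")))
           if utf8_mailbox else tlv(0x81, b"alice@example.com"))
    exts = [seq(encode_oid(OID_EKU), tlv(0x04, seq(encode_oid(OID_EMAIL_PROTECTION)))),
            seq(encode_oid(OID_SAN), tlv(0x04, seq(san)))]
    if with_ocsp:
        exts.append(seq(encode_oid(OID_AIA), tlv(0x04, seq(seq(
            encode_oid(OID_AD_OCSP), tlv(0x86, b"http://ocsp.example.com"))))))
    rsa_sha256 = seq(encode_oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), rsa_sha256, name,
              seq(tlv(0x17, b"220101000000Z"), tlv(0x17, b"230101000000Z")), name,
              seq(seq(encode_oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00")),
              tlv(0xA3, seq(*exts)))
    return seq(tbs, rsa_sha256, tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for cert in (build_sample_cert("GR"), build_sample_cert(None, with_ocsp=False)):
        print(check_smime_profile(cert))
```

Running the module prints one finding dict per sample: the first sample satisfies all four checks, while the second has no countryName and no OCSP accessMethod yet still classifies as an S/MIME Certificate, which is exactly the gap the thread's proposed SHALL/SHOULD changes are about. A real deployment would feed `check_smime_profile` the DER bytes of a certificate under review rather than the constructed sample.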