[Smcwg-public] Re: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Sep 13 12:25:06 UTC 2022


Also, I just realized that S/MIME signatures (which I apply to all my 
emails) are not preserved in this discussion list, which is rather 
disappointing and particularly contradictory for a list devoted to S/MIME.

I am sure this is not due to bad will, but nonetheless...

Adriano


On 13/09/2022 14:17, Adriano Santoni via Smcwg-public wrote:
>
> I fully concur with Dimitris.
>
> Adriano
>
>
> On 13/09/2022 13:22, Dimitris Zacharopoulos (HARICA) via Smcwg-public wrote:
>>
>> In addition, we should clarify which countryName is expected in the 
>> subject of the certificate in the "sponsor-validated" profile.
>>
>> Since the subject:organizationName is mandatory, it is expected that 
>> the subject:countryName is the Country of the Organization, not the 
>> individual. This could be added in the Note of section 7.1.4.2.5.
>>
>> In the same section, 7.1.4.2.5 the subject:countryName should be 
>> updated to a SHALL for all cases (Legacy, Multipurpose, Strict).
>>
>> ETSI Certificates (See ETSI EN 319 412-2 section 4.2.4) require the 
>> countryName even for certificates issued to Natural Persons which 
>> makes the countryName a potential SHALL under 7.1.4.2.6 
>> (individual-validated profile). The CA always knows and validates the 
>> country of the individual because it is related to the identity 
>> document that the CA verifies.
>>
>>
>> Thank you for considering these changes,
>> Dimitris.
>>
>> On 13/9/2022 1:24 p.m., Dimitris Zacharopoulos (HARICA) via 
>> Smcwg-public wrote:
>>>
>>> After a more detailed review by the HARICA team, we noticed some 
>>> areas of concern that we hope will be considered for update by the 
>>> authors and endorsers of this ballot.
>>>
>>>   * 7.1.2.3 c
>>>       o authorityInformationAccess (*SHALL* be present) ->
>>>         authorityInformationAccess (*SHOULD* be present) [Rationale:
>>>         OCSP is not currently required for S/MIME Certificates by
>>>         all Certificate Consumers. Only Microsoft Root Program
>>>         requires it and perhaps this is due to a copy-over from the
>>>         TLS BRs without performing a technical analysis specifically
>>>         on S/MIME or clientAuth or codeSigning Certificates. The
>>>         CSCWG already removed the requirement for OCSP in Subscriber
>>>         Certificates in the CSBRs].
>>>       o The authorityInformationAccess extension *SHALL* contain at
>>>         least one accessMethod value of type id-ad-ocsp that
>>>         specifies the URI of the Issuing CA’s OCSP responder. -> The
>>>         authorityInformationAccess extension *MAY* contain at least
>>>         one accessMethod value of type id-ad-ocsp that specifies the
>>>         URI of the Issuing CA’s OCSP responder. [Rationale: same as
>>>         above]
>>>   * 7.1.4.2.4 Subject DN attributes for organization-validated
>>>     profile and 7.1.4.2.5 Subject DN attributes for
>>>     sponsor-validated profile
>>>         subject:countryName *MAY* -> subject:countryName *SHALL*
>>>     [Rationale: Organization Names must contain a Country Name to
>>>     indicate where this Organization is located. This applies to the
>>>     organization-validated and the sponsor-validated profile. It is
>>>     also referenced in Appendix A - Registration Schemes]
>>>
>>>
>>> Thank you,
>>> Dimitris.
>>>
>>>
>>> On 8/9/2022 10:03 a.m., Stephen Davidson via Smcwg-public wrote:
>>>>
>>>> *Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements” *
>>>>
>>>> *Purpose of Ballot:*
>>>>
>>>> The S/MIME Certificate Working Group was chartered to discuss, 
>>>> adopt, and maintain policies, frameworks, and standards for the 
>>>> issuance and management of Publicly-Trusted S/MIME Certificates.  
>>>> This ballot adopts a new “S/MIME Baseline Requirements” that 
>>>> includes requirements for verification of control over email 
>>>> addresses, identity validation for natural persons and legal 
>>>> entities, key management and certificate lifecycle, certificate 
>>>> profiles for S/MIME Certificates and Issuing CA Certificates, as 
>>>> well as CA operational and audit practices.
>>>>
>>>> An S/MIME Certificate for the purposes of this document can be 
>>>> identified by the existence of an Extended Key Usage (EKU) for 
>>>> id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of 
>>>> a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the 
>>>> subjectAltName extension in the Certificate.
>>>>
>>>> The following motion has been proposed by Stephen Davidson of 
>>>> DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben 
>>>> Wilson of Mozilla.
>>>>
>>>> *Charter Voting References*
>>>>
>>>> Section 5.1 (“Voting Structure”) 
>>>> <https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure> 
>>>> of the SMCWG Charter says:
>>>>
>>>> In order for a ballot to be adopted by the SMCWG, two-thirds or 
>>>> more of the votes cast by the Certificate Issuers must be in favor 
>>>> of the ballot and more than 50% of the votes cast by the 
>>>> Certificate Consumers must be in favor of the ballot. At least one 
>>>> member of each class must vote in favor of a ballot for it to be 
>>>> adopted. Quorum is the average number of Member organizations 
>>>> (cumulative, regardless of Class) that have participated in the 
>>>> previous three (3) SMCWG Meetings or Teleconferences (not counting 
>>>> subcommittee meetings thereof).
>>>>
>>>> *— MOTION BEGINS —*
>>>> This ballot adopts the “Baseline Requirements for the Issuance and 
>>>> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME 
>>>> Baseline Requirements”) as Version 1.0.0.
>>>>
>>>> The proposed S/MIME Baseline Requirements may be found at 
>>>> https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 
>>>> or the attached document.
>>>>
>>>> The SMCWG Chair or Vice-Chair is permitted to update the Relevant 
>>>> Dates and Version Number of the S/MIME Baseline Requirements to 
>>>> reflect final dates.
>>>>
>>>> *— MOTION ENDS —*
>>>> This ballot proposes a Final Guideline. The procedure for approval 
>>>> of this ballot is as follows:
>>>>
>>>> Discussion (7+ days)
>>>> Start Time: 8 September 2022 17:00 UTC
>>>> End Time: 15 September 2022 17:00 UTC
>>>>
>>>> Vote for approval (7 days)
>>>> Start Time: 15 September 2022 17:00 UTC
>>>> End Time: 22 September 2022 17:00 UTC
>>>>
>>>> IPR Review (60 days)
>>>>
>>>>
>>>> _______________________________________________
>>>> Smcwg-public mailing list
>>>> Smcwg-public at cabforum.org
>>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
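The ballot text quoted above defines an S/MIME Certificate by two properties (an id-kp-emailProtection EKU and an rfc822Name or id-on-SmtpUTF8Mailbox otherName in subjectAltName), and the HARICA comments debate two profile points: whether authorityInformationAccess with an id-ad-ocsp accessMethod should be a SHALL (7.1.2.3 c) and whether subject:countryName should be a SHALL where subject:organizationName is present (7.1.4.2.4 and 7.1.4.2.5). The following is an added example, not code from the ballot or from any participant in this thread: a Python checker built on the third-party `cryptography` package that applies the ballot's definition and the two proposed checks to three self-signed test certificates constructed in the script. The OCSP URL, names and e-mail addresses are made up for the example, and id-on-SmtpUTF8Mailbox is spelled out by OID because `cryptography` has no named constant for it.

```python
"""Classify a certificate as S/MIME per the SMC01 ballot text and lint two
profile points from the thread.  Example code; test certificates are
self-signed and constructed here, not real issuances."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID,
                                   ObjectIdentifier)

# id-on-SmtpUTF8Mailbox (RFC 8398); no named constant in cryptography.
ID_ON_SMTP_UTF8_MAILBOX = ObjectIdentifier("1.3.6.1.5.5.7.8.9")


def _ext(cert, cls):
    """Extension value of type cls, or None when the extension is absent."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def is_smime_certificate(cert):
    """Ballot definition: emailProtection EKU plus an rfc822Name or an
    id-on-SmtpUTF8Mailbox otherName in subjectAltName."""
    eku = _ext(cert, x509.ExtendedKeyUsage)
    san = _ext(cert, x509.SubjectAlternativeName)
    if eku is None or san is None or ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
        return False
    for name in san:
        if isinstance(name, x509.RFC822Name):
            return True
        if isinstance(name, x509.OtherName) and name.type_id == ID_ON_SMTP_UTF8_MAILBOX:
            return True
    return False


def lint_smime_profile(cert):
    """Findings for 7.1.2.3(c) (id-ad-ocsp in AIA, SHALL in the balloted text)
    and for countryName when organizationName is present (proposed SHALL)."""
    findings = []
    aia = _ext(cert, x509.AuthorityInformationAccess)
    if aia is None or not any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia):
        findings.append("7.1.2.3(c): no id-ad-ocsp accessMethod in authorityInformationAccess")
    has_org = bool(cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME))
    has_country = bool(cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME))
    if has_org and not has_country:
        findings.append("7.1.4.2.4/5: organizationName present but countryName missing")
    return findings


def smtp_utf8_mailbox(addr):
    """otherName value for id-on-SmtpUTF8Mailbox: a DER UTF8String (tag 0x0C).
    Short-form length only, which suffices for addresses under 128 bytes."""
    raw = addr.encode("utf-8")
    assert len(raw) < 128
    return x509.OtherName(ID_ON_SMTP_UTF8_MAILBOX, b"\x0c" + bytes([len(raw)]) + raw)


def build_cert(subject_attrs, san_names, eku_oids, ocsp_url=None):
    """Self-signed test certificate with the given subject, SAN, EKU and
    optional AIA/OCSP pointer (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs])
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(datetime.datetime(2022, 9, 13))
               .not_valid_after(datetime.datetime(2023, 9, 13))
               .add_extension(x509.SubjectAlternativeName(san_names), critical=False)
               .add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False))
    if ocsp_url:
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    return builder.sign(key, hashes.SHA256())


def demo():
    """Three constructed certificates: (is_smime, findings) for each."""
    # sponsor-validated style: organizationName but no countryName, OCSP present
    sponsor = build_cert([(NameOID.ORGANIZATION_NAME, "Example S.p.A."),
                          (NameOID.COMMON_NAME, "Alice Example")],
                         [x509.RFC822Name("alice@example.test")],
                         [ExtendedKeyUsageOID.EMAIL_PROTECTION], "http://ocsp.example.test")
    # internationalised mailbox via SmtpUTF8Mailbox, no AIA extension at all
    utf8 = build_cert([(NameOID.COUNTRY_NAME, "GR"), (NameOID.COMMON_NAME, "Δημήτρης")],
                      [smtp_utf8_mailbox("δημήτρης@παράδειγμα.δοκιμή")],
                      [ExtendedKeyUsageOID.EMAIL_PROTECTION])
    # a TLS server certificate: dNSName only, serverAuth EKU, not S/MIME
    tls = build_cert([(NameOID.COMMON_NAME, "www.example.test")],
                     [x509.DNSName("www.example.test")],
                     [ExtendedKeyUsageOID.SERVER_AUTH], "http://ocsp.example.test")
    return {label: (is_smime_certificate(c), lint_smime_profile(c))
            for label, c in (("sponsor", sponsor), ("utf8", utf8), ("tls", tls))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The classifier deliberately ignores anything beyond the two ballot criteria, so a certificate with both serverAuth and emailProtection EKUs and an rfc822Name would still count as S/MIME, which is what the quoted definition implies. The lint reports the AIA/OCSP point as written in the balloted text; under Dimitris's proposed wording (MAY) that first finding would become informational.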
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: S/MIME cryptographic signature
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220913/e98ef524/attachment-0001.p7s>
