[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Stephen Davidson Stephen.Davidson at digicert.com
Fri Sep 16 21:24:10 UTC 2022


Hi Inigo

Thanks for this!

The reference to ETSI TS 119 172-4 was in the section (temporarily withdrawn) for relying upon eIDAS Qualified signatures for personal vetting.  I assume that section will be returned.

A reference to ETSI EN 319 412-1 has been added.

Best, Stephen

 

 

From: Inigo Barreira <Inigo.Barreira at sectigo.com> 
Sent: Thursday, September 15, 2022 12:59 PM
To: Wiedenhorst, Matthias <M.Wiedenhorst at tuvit.de>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Stephen Davidson <Stephen.Davidson at digicert.com>
Subject: RE: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

 

Continuing with the revision of the ETSI stuff, adding to what Matthias has said below, these are other changes:

*	ETSI TS 119 172-4, Electronic Signatures and Infrastructures (ESI); Signature Policies; Part 4: Signature applicability rules. To be updated to ETSI TS 119 172-4, Electronic Signatures and Infrastructures (ESI); Signature Policies; Part 4: Signature applicability rules (validation policy) for European qualified electronic signatures/seals using trusted lists

But it's not used in the document, so it can be removed. Further, it's not related to S/MIME.

*	The ETSI EN 319 412-1 used in the document is not defined in section 1.6.3. It needs to be added. The title is Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures

Regards

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Wiedenhorst, Matthias via Smcwg-public
Sent: Thursday, 15 September 2022 10:39
To: Stephen.Davidson at digicert.com; smcwg-public at cabforum.org
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

 


 

Dear Stephen, Dear all,

I just realized one issue with regard to auditing and I am very sorry that I didn’t realize it earlier in one of the many times I read through the draft during its creation.

In section 8.2, number 4 it is written: "(For audits conducted in accordance with any one of the ETSI standards)accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;" However, for some time now ETSI EN 319 403-1 has been released as the successor of 319 403. For the time being, both versions are valid and can be used for CAB accreditation. I assume most CABs are on their way to migrate accreditation to the newer 403-1, some have already finished. Hence, section 8.2 number 4 should be amended as follows:
"(For audits conducted in accordance with any one of the ETSI standards)accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403 or ETSI EN 319 403-1;"

In addition, a reference to the new version should be added to section 1.6.3:
“ETSI EN 319 403-1, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers”

 

I also noticed one other thing:
In the provided PDF there are some sections with tables, where text of the first two columns partly overlay each other. I found examples in sections 7.1.2.3 e), 7.1.4.2.5 and 7.1.4.2.6. I realize that this is only an issue of presentation and not of content, but nevertheless, maybe there is a way to fix it.

Best regards
Matthias

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Stephen Davidson via Smcwg-public
Sent: Thursday, 8 September 2022 09:03
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

 

Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements” 

 

Purpose of Ballot:

 

The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates.  This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.

 

An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.

 

The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.

 

Charter Voting References

 

Section 5.1 (“Voting Structure”) of the SMCWG Charter says:

 

In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).

 

— MOTION BEGINS —

This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.

 

The proposed S/MIME Baseline Requirements may be found at https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.

 

The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.

 

— MOTION ENDS —

This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC

 

Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC

 

IPR Review (60 days)

 
______________________________________________________________________________________________________________________
Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany
Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
Geschäftsführung/Management Board: Dirk Kretzschmar 

 

TÜV NORD GROUP
Expertise for your Success
Please visit our website: www.tuv-nord.com
Visit our website: www.tuev-nord.de