[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
Stephen.Davidson at digicert.com
Fri Sep 16 21:47:23 UTC 2022
Many thanks for the input. As you recall, the OU attribute has been a much debated topic in various CABF WGs, including this one. Our discussions led to some allowable use of the OU as such:
c. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11)
Contents: If present, the CA SHALL confirm that the subject:organizationalUnitName is the full legal organization name of an Affiliate of the subject:organizationName in the Certificate and has been verified in accordance with the requirements of Section 3.2.3. The CA MAY include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations.
As I understand it, you are describing existing uses of the OU Qualified signature certificates issued to Spanish Government entities as follows:
1. "SELLO ELECTRONICO" or "CERTIFICADO ELECTRONICO DE EMPLEADO PUBLICO" or
2. “codes used by the public administrations” or
3. Other content provided by the Subject.
In previous CABF standards the branding described in (1) was banned. Can you provide a pointer to the Spanish law that requires this use?
Similarly, are the codes described in (2) described in a Spanish law or regulation?
Based on the SMCWG’s discussions, it is unlikely that the general use described in (3) is sustainable; however, it is possible that the subject:serialNumber may be appropriate for the use you describe.
Many thanks, Stephen
From: Eusebio Herrera <eusebio.herrera at camerfirma.com>
Sent: Thursday, September 15, 2022 7:53 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: RE: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
1. OU FIELDS
The final draft version of the 'Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates' (BR S/MIME) requires that certain information be included in the subject:organizationalUnitName field.
This information is not sufficient to be included in SMIME certificates of sponsor-validated and organization-validated types issued by Spanish Qualified Trust Service Providers (QTSP) for Government Entities, which is regulated.
Spanish QTSPs are legally forced to comply with this regulation regarding certificates issued for Government Entities.
The Spanish regulation requires that these certificates must include in an OU field some specific text strings, such as:
- OU = "SELLO ELECTRONICO" (electronic seal)
- OU = "CERTIFICADO ELECTRONICO DE EMPLEADO PUBLICO" (electronic certificate for employees of the public administration)
In addition, according to the Spanish regulation, these certificates may include in OU fields some codes used by the public administrations.
Moreover, S/MIME certificates of sponsor-validated and organization-validated types issued by Spanish QTSP for non-Government Entities usually include in OU fields other specific information (i.e.: Department), that is not contemplated in the Affiliate definition in BR S/MIME. This information is used by certain applications, and also by certificate subscribers and relying parties. Therefore, the lack of this information would create serious problems in certificate usage.
The possibility of including the department in the OU fields for non-Government Entities, but in a more general way, was previously raised on the Smcwg-public mailing list by a GlobalSign representative, Christophe Bonjean. (April 25th : https://lists.cabforum.org/pipermail/smcwg-public/2022-April/000318.html and May 11th https://lists.cabforum.org/pipermail/smcwg-public/2022-May/000338.html )
All these data included in OU fields of SMIME certificates of sponsor-validated and organization-validated types issued by Spanish QTSP are verified by the RAs against supporting documentation, a Reliable Data Source, or Attestation, that is, in the same way that the subject:title shall be verified (BR S/MIME 220.127.116.11)
2. MAXIMUM VALIDITY PERIOD
The final draft version of the 'Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates' (BR S/MIME) requires a maximum validity period of 825 days for Strict and Multipurpose Generations and 1,185 days for Legacy Generations.
The Spanish Law which regulates trust services according to the EU eIDAS Regulation allows qualified certificates to have a validity period of up to 5 years (1824 days), including SMIME certificates of organization-validated, sponsor-validated and individual-validated types.
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Stephen Davidson via Smcwg-public
Sent: Thursday, 8 September 2022 9:03
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
Purpose of Ballot:
The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates. This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.
An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.
The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.
Charter Voting References
Section 5.1 (“Voting Structure”)<https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure> of the SMCWG Charter says:
In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).
— MOTION BEGINS —
This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.
The proposed S/MIME Baseline Requirements may be found at https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.
The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.
— MOTION ENDS —
This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC
Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC
IPR Review (60 days)
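As an added illustration (not code from the CA/B Forum, DigiCert or Camerfirma), the following Python uses the `cryptography` package to check the two rules the thread above turns on: whether a certificate falls inside the S/MIME scope rule (id-kp-emailProtection EKU plus an rfc822Name or SmtpUTF8Mailbox entry in subjectAltName) and whether its validity period exceeds the per-generation caps of 825 and 1,185 days. The self-signed sample certificate, "Example Org" and the email addresses are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Validity caps per generation, in days, as quoted in the thread.
MAX_VALIDITY_DAYS = {"strict": 825, "multipurpose": 825, "legacy": 1185}
SMTP_UTF8_MAILBOX = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.9")  # id-on-SmtpUTF8Mailbox

def is_smime_certificate(cert: x509.Certificate) -> bool:
    """Scope rule: id-kp-emailProtection in EKU AND an rfc822Name or
    SmtpUTF8Mailbox otherName in subjectAltName."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
        return False
    return any(isinstance(n, x509.RFC822Name)
               or (isinstance(n, x509.OtherName) and n.type_id == SMTP_UTF8_MAILBOX)
               for n in san)

def validity_days(cert: x509.Certificate) -> int:
    # Prefer the tz-aware accessors (cryptography >= 42); fall back to the older ones.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return (na - nb).days

def exceeds_max_validity(cert: x509.Certificate, generation: str) -> bool:
    return validity_days(cert) > MAX_VALIDITY_DAYS[generation]

def make_sample_cert(email, days, eku_oids=("1.3.6.1.5.5.7.3.4",)):
    """Constructed self-signed certificate for the demo, not a real issuance."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),  # placeholder
                      x509.NameAttribute(NameOID.COMMON_NAME, email)])
    start = datetime(2022, 9, 16, tzinfo=timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + timedelta(days=days))
               .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
               .add_extension(x509.ExtendedKeyUsage(
                   [x509.ObjectIdentifier(o) for o in eku_oids]), critical=False))
    return builder.sign(key, hashes.SHA256())
```

A certificate that carries only id-kp-clientAuth, or no mailbox name in the SAN, is out of scope even if an email address appears in the subject.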