[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Buschart, Rufus rufus.buschart at siemens.com
Mon Sep 19 13:20:30 UTC 2022


I think this proposed date of Oct. 2024 is far too early, as there are systems down stream which are consuming the certificates and might need to be adjusted. It will take time to inform the customers of the CAs, the customers need to understand and need to identify the affected systems, need to get in touch with the vendors, identify necessary changes, allocate money, get development resources, implement the changes, test them and roll them into production --> I’d say we should aim for something like as early as end of 2026 as sunset date for legacy profiles.

/Rufus

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Clint Wilson via Smcwg-public
Sent: Thursday, 15 September 2022 18:28
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

As you’re considering changes, one concern that I still have is there remains no deprecation date for the Legacy profile — just the callout that it will be deprecated in the future. While I don’t believe this to be a blocker to voting in favor of the ballot, I do think it would be better to adopt a date sooner than later so there’s ample time for CAs to adjust, rather than having a shorter time frame if a date is set in the future instead.
My proposal would be roughly (give or take a few months) October 1, 2024 as the date after which no new Legacy certs should be issued, which would mean the deprecation would complete some time in 2028. While I’d prefer an earlier deprecation date, as mentioned numerous times, I think this time frame remains tractable.


On Sep 15, 2022, at 9:01 AM, Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>> wrote:

Thank you Matthias.
Under the by-laws we may incorporate feedback into the text.  I will add this, as well as changes addressing some other suggestions that have been made, for circulation to the SMCWG before we move to ballot.
Best regards, Stephen

From: Wiedenhorst, Matthias <M.Wiedenhorst at tuvit.de<mailto:M.Wiedenhorst at tuvit.de>>
Sent: Thursday, September 15, 2022 5:39 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com<mailto:Stephen.Davidson at digicert.com>>; smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>
Subject: AW: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Dear Stephen, Dear all,
I just realized one issue with regard to auditing and I am very sorry that I didn’t realize it earlier in one of the many times I read through the draft during its creation.
In section 8.2, number 4 it is written: "(For audits conducted in accordance with any one of the ETSI standards)accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;" However, since some time the ETSI EN 319 403-1 has been released as successor of 319 403. At the time being, both versions are valid and can be used for CAB accreditation. I assume most CAB’s are on their way to migrate accreditation to the newer 403-1, some have already finished. Hence, section 8.2 number 4 should be amended as follows:
"(For audits conducted in accordance with any one of the ETSI standards)accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403 or ETSI EN 319 403-1;"
In addition, a reference to the new version should be added to section 1.6.3:
“ETSI EN 319 403-1, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment; Part 1:‐Requirements for conformity assessment bodies assessing Trust Service Providers”

I also noticed one other thing:
In the provided PDF there are some sections with tables, where text of the first two columns partly overlay each other. I found examples in sections 7.1.2.3 e), 7.1.4.2.5 and 7.1.4.2.6. I realize that this is only an issue of presentation and not of content, but nevertheless, maybe there is a way to fix it.
Best regards
Matthias

Von: Smcwg-public <smcwg-public-bounces at cabforum.org<mailto:smcwg-public-bounces at cabforum.org>> Im Auftrag von Stephen Davidson via Smcwg-public
Gesendet: Donnerstag, 8. September 2022 09:03
An: smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>
Betreff: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Purpose of Ballot:

The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates.  This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.

An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.

The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and ­­­Ben Wilson of Mozilla.

Charter Voting References

Section 5.1 (“Voting Structure”)<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fblob%2Fe6ad111f4477010cbff409cd939c5ac1c7c85ccc%2Fdocs%2FSMCWG-charter.md%2351-voting-structure&data=05%7C01%7Crufus.buschart%40siemens.com%7C4870968ff59749942f2608da97373799%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637988560659590268%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EYu0W8rhRyRrfmaQVHOz%2Bfy9kroKVXbUfU2wZiae%2FXg%3D&reserved=0> of the SMCWG Charter says:

In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).

— MOTION BEGINS —

This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.

The proposed S/MIME Baseline Requirements may be found athttps://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fsmime%2Fcompare%2F7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52&data=05%7C01%7Crufus.buschart%40siemens.com%7C4870968ff59749942f2608da97373799%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637988560659590268%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sY9X4mvc3aQ%2FS8iluBds9g%2BafC7WPQHLwa8XdLBz9B4%3D&reserved=0> or the attached document.

The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.

— MOTION ENDS —

This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:

Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC

Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC

IPR Review (60 days)



______________________________________________________________________________________________________________________

Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany

Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251

Geschäftsführung/Management Board: Dirk Kretzschmar


TÜV NORD GROUP

Expertise for your Success

Please visit our website: www.tuv-nord.com<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.tuv-nord.com%2F&data=05%7C01%7Crufus.buschart%40siemens.com%7C4870968ff59749942f2608da97373799%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637988560659590268%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KIRCPs4R0hEpLia0YH4BR0nnGrq8MaFLGKtYPIDg%2FXc%3D&reserved=0>

Besuchen Sie unseren Internetauftritt: www.tuev-nord.de<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.tuev-nord.de%2F&data=05%7C01%7Crufus.buschart%40siemens.com%7C4870968ff59749942f2608da97373799%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637988560659746501%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WnHtOg3WVtAl6NwX2pGuY2%2FRyrJ%2FlGFq2rBD%2BvzUMZY%3D&reserved=0>
_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org<mailto:Smcwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/smcwg-public<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fsmcwg-public&data=05%7C01%7Crufus.buschart%40siemens.com%7C4870968ff59749942f2608da97373799%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637988560659746501%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=a%2BjZ2qsdgUnTp9uMqlg6oQSEjnMlS7NrjwECvrX%2FWd4%3D&reserved=0>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220919/333aaeb5/attachment-0001.html>


More information about the Smcwg-public mailing list