[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Stephen Davidson Stephen.Davidson at digicert.com
Tue Sep 20 01:05:36 UTC 2022 

Thanks Matthias for doublechecking that. I will correct.


On Sep 19, 2022, at 3:26 AM, Wiedenhorst, Matthias <M.Wiedenhorst at tuvit.de> wrote:


Hi Stephen,
I think the correction of 8.4 bullet 3) is wrong and should be undone. That section mentions 319 401, not 403.
Explanation:
ETSI EN 319 401 as used in section 8.4 of the SBR includes requirements that have to be fulfilled by the trust service provider (and that the TSP is audited against)
ETSI EN 319 403 / 403-1 as used in section 8.2 of the SBR includes requirements that have to be fulfilled by the conformity assessment body (and that the CAB is accredited against).
Best regards
Matthias

Von: Stephen Davidson <Stephen.Davidson at digicert.com>
Gesendet: Freitag, 16. September 2022 23:24
An: Wiedenhorst, Matthias <M.Wiedenhorst at tuvit.de>; smcwg-public at cabforum.org
Betreff: RE: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Thank you Matthias.
There is also a reference in Section 8.4 bullet 3 which I have updated as
3. "ETSI EN 319 411-1 v1.3.1 or newer", which includes normative references to ETSI EN 319 401 or ETSI EN 319 403-1 (the latest version of referenced ETSI documents should be applied); or

The tooling that creates the PDF is being updated to better handle tables so those table display issues should be resolved soon.
Regards, Stephen


From: Wiedenhorst, Matthias <M.Wiedenhorst at tuvit.de<mailto:M.Wiedenhorst at tuvit.de>>
Sent: Thursday, September 15, 2022 5:39 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com<mailto:Stephen.Davidson at digicert.com>>; smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>
Subject: AW: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Dear Stephen, Dear all,
I just realized one issue with regard to auditing and I am very sorry that I didn’t realize it earlier in one of the many times I read through the draft during its creation.
In section 8.2, number 4 it is written: "(For audits conducted in accordance with any one of the ETSI standards)accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;" However, since some time the ETSI EN 319 403-1 has been released as successor of 319 403. At the time being, both versions are valid and can be used for CAB accreditation. I assume most CAB’s are on their way to migrate accreditation to the newer 403-1, some have already finished. Hence, section 8.2 number 4 should be amended as follows:
"(For audits conducted in accordance with any one of the ETSI standards)accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403 or ETSI EN 319 403-1;"
In addition, a reference to the new version should be added to section 1.6.3:
“ETSI EN 319 403-1, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment; Part 1:‐ Requirements for conformity assessment bodies assessing Trust Service Providers”

I also noticed one other thing:
In the provided PDF there are some sections with tables, where text of the first two columns partly overlay each other. I found examples in sections 7.1.2.3 e), 7.1.4.2.5 and 7.1.4.2.6. I realize that this is only an issue of presentation and not of content, but nevertheless, maybe there is a way to fix it.
Best regards
Matthias

Von: Smcwg-public <smcwg-public-bounces at cabforum.org<mailto:smcwg-public-bounces at cabforum.org>> Im Auftrag von Stephen Davidson via Smcwg-public
Gesendet: Donnerstag, 8. September 2022 09:03
An: smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>
Betreff: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”


Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”



Purpose of Ballot:


The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates.  This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.



An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.



The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and ­­­Ben Wilson of Mozilla.



Charter Voting References



Section 5.1 (“Voting Structure”)<https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure> of the SMCWG Charter says:



In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).



— MOTION BEGINS —

This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.



The proposed S/MIME Baseline Requirements may be found at https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.



The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.



— MOTION ENDS —

This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:



Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC



Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC



IPR Review (60 days)



______________________________________________________________________________________________________________________

Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany

Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251

Geschäftsführung/Management Board: Dirk Kretzschmar


TÜV NORD GROUP

Expertise for your Success

Please visit our website: www.tuv-nord.com<http://www.tuv-nord.com>

Besuchen Sie unseren Internetauftritt: www.tuev-nord.de<http://www.tuev-nord.de>


______________________________________________________________________________________________________________________
Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Am TÜV 1 * 45307 Essen, Germany
Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
Geschäftsführung/Management Board: Dirk Kretzschmar



TÜV NORD GROUP
Expertise for your Success


Please visit our website: www.tuv-nord.com<http://www.tuv-nord.com>
Besuchen Sie unseren Internetauftritt: www.tuev-nord.de<http://www.tuev-nord.de>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220920/7aab1f20/attachment-0001.html>

More information about the Smcwg-public mailing list