[Smcwg-public] Allowing a signature made with an S/MIME IV or SV certificate as an additional individual identity validation method

Adriano Santoni adriano.santoni at staff.aruba.it
Mon May 13 13:32:12 UTC 2024


Hi all,

I already made the following proposal previously, both in writing here 
on the mailing list and also verbally during the last call (in the very 
last minutes as it was not on the agenda, sorry), but I don't see it 
mentioned in the call minutes of May 8 below, so I'll try to propose it 
again.

Among the methods for the "Validation of individual identity" (SMBR 
3.2.4.2), as part of the validation process of a request for an S/MIME 
IV certificate (or an SV certificate, where there is no Enterprise RA 
involved), I think it would make sense to admit - in addition to a 
digital signature based on an eIDAS compliant qualified certificate - 
also a digital signature based on another S/MIME IV or SV (BR-compliant) 
certificate of the applicant. This seems quite logical to me considering 
the rigor inherent in the validation requirements already established by 
the S/MIME BR to date.

At least in the case of /renewal/, I think it would be completely 
logical and safe to accept a request signed by the applicant with 
his/her current S/MIME IV or SV certificate (the one soon to expire) 
without the need to perform a further "verification of individual 
identity" with other methods.

If this idea for some reason doesn't seem practical or useful or safe 
enough, I'd like someone to explain their objections or concerns.

Thank you all for your attention.

Adriano


On 11/05/2024 22:02, Stephen Davidson via Smcwg-management wrote:
> ## Minutes of SMCWG
>
> May 8, 2024
>
> These are the Draft Minutes of the meeting described in the subject of 
> this message. Corrections and clarifications where needed are 
> encouraged by reply.
>
> ## Attendees
>
> Abhishek Bhat - (eMudhra), Adriano Santoni - (Actalis S.p.A.), Aggie 
> Wang - (TrustAsia), Andrea Holland - (VikingCloud), Ashish Dhiman - 
> (GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Clint 
> Wilson - (Apple), Corey Bonnell - (DigiCert), Dimitris Zacharopoulos - 
> (HARICA), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), 
> Janet Hines - (VikingCloud), Judith Spencer - (CertiPath), Keshava 
> Nagaraju - (eMudhra), Marco Schambach - (IdenTrust), Martijn Katerbarg 
> - (Sectigo), Morad Abou Nasser - (TeleTrust), Mrugesh Chandarana - 
> (IdenTrust), Nome Huang - (TrustAsia), Rebecca Kelly - (SSL.com), 
> Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Scott Rea - 
> (eMudhra), Stefan Selbitschka - (rundQuadrat), Stephen Davidson - 
> (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Tathan Thacker - 
> (IdenTrust), Tsung-Min Kuo - (Chunghwa Telecom), Wendy Brown - (US 
> Federal PKI Management Authority)
>
> ## 1. Roll Call
>
> The Roll Call was taken.
>
> ## 2. Read Antitrust Statement
>
> The statement was read concerning the antitrust policy, code of 
> conduct, and intellectual property rights agreement.
>
> ## 3. Review Agenda
>
> Minutes were prepared by Stephen Davidson.
>
> ## 4. Approval of minutes from last teleconference
>
> The minutes for the teleconference of April 24 were approved.
>
> ## 5. Discussion
>
> Stephen Davidson noted that Ballot SMC06 was in IPR until May 11. See 
> https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.
>
> The WG discussed and approved the change of KeyFactor from an 
> Interested Party to an Associate Member, Ellie Schieder as an 
> Interested Party, and Posteo e.K as a Certificate Consumer.
>
> The WG reviewed and discussed a ballot proposed by Martijn Katerbarg 
> which would bring the S/MIME BR up to date with a recent ballot at the 
> TLS BR for logging. See more at 
> https://github.com/cabforum/smime/issues/241
>
> The WG had an extensive discussion regarding the migration to 
> Multipurpose/Strict profiles.  Stephen noted that so far only two 
> points had been raised by Certificate Issuers:
>
>   * Having adequate time (such as one year) to allow ERAs using
>     integration time to adapt.
>   * Concerns relating to the impact of shorter validity on deployments
>     using tokens/smartcards.
>
> Judith Spencer and Wendy Brown commented that the shorter validity had 
> real impact on large (including public sector) deployments that use 
> tokens/smartcards, including:
>
>   * limited storage on tokens/smartcards;
>   * the increased burden of key exchange; and
>   * the costs of support for rekeying.
>
> The question was raised whether it would be feasible to increase the 
> validity for the Multipurpose profile to 1185 days in general, or in 
> cases where tokens/smartcards are used.  Clint Wilson spoke about the 
> security and crypto agility benefits of shorter validity periods.  It 
> was agreed this topic would be continued in Bergamo.
>
> ## 6. Any Other Business
>
> None.
>
> ## 7. Next call
>
> Next call:  the teleconference scheduled for May 22 has been 
> cancelled. Next meeting is Bergamo F2F.
>
> ## Adjourned