[Smcwg-public] Draft SMCWG agenda - Wednesday, June 19 2024

2024-06-13 Thread Stephen Davidson via Smcwg-public

S/MIME Certificate Working Group


Draft SMCWG agenda - Wednesday, June 19 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1. Roll Call

2. Note well: Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   May 30 - Bergamo
*   June 5

5. Discussion as time permits:

*   Note about upcoming email list migration
*   Ballot SMC07 in IPR until July 12
*   Proposed Ballot SMC08 on Legacy deprecation to follow, proposed by 
Stephen Davidson and endorsed by Clint Wilson and Martijn Katerbarg 
https://github.com/cabforum/smime/compare/main...srdavidson:smime:Ballot-SMC08
*   Presentation by Tim Hollebeek on Quantum Safe algorithms in the context 
of S/MIME
*   Issue #251, NetSec audit https://github.com/cabforum/smime/issues/251

6. Any other business

7. Next meeting: Wednesday, July 3 2024 at 11:00 am Eastern Time



Adjourn



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


[Smcwg-public] Approved Minutes of SMCWG May 8, 2024

2024-06-05 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



May 8, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Abhishek Bhat - (eMudhra), Adriano Santoni - (Actalis S.p.A.), Aggie Wang - 
(TrustAsia), Andrea Holland - (VikingCloud), Ashish Dhiman - (GlobalSign), Ben 
Wilson - (Mozilla), Bruce Morton - (Entrust), Clint Wilson - (Apple), Corey 
Bonnell - (DigiCert), Dimitris Zacharopoulos - (HARICA), Inaba Atsushi - 
(GlobalSign), Inigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Judith 
Spencer - (CertiPath), Keshava Nagaraju - (eMudhra), Marco Schambach - 
(IdenTrust), Martijn Katerbarg - (Sectigo), Morad Abou Nasser - (TeleTrust), 
Mrugesh Chandarana - (IdenTrust), Nome Huang - (TrustAsia), Rebecca Kelly - 
(SSL.com), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Scott Rea - 
(eMudhra), Stefan Selbitschka - (rundQuadrat), Stephen Davidson - (DigiCert), 
Tadahiko Ito - (SECOM Trust Systems), Tathan Thacker - (IdenTrust), Tsung-Min 
Kuo - (Chunghwa Telecom), Wendy Brown - (US Federal PKI Management Authority)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of April 24 were approved.



## 5. Discussion



Stephen Davidson noted that Ballot SMC06 was in IPR until May 11. See 
https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.

The WG discussed and approved the change of KeyFactor from an Interested Party 
to an Associate Member, Ellie Schieder as an Interested Party, and Posteo e.K 
as a Certificate Consumer.

The WG reviewed and discussed a ballot proposed by Martijn Katerbarg which 
would bring the S/MIME BR up to date with a recent ballot at the TLS BR for 
logging.   See more at 
https://github.com/cabforum/smime/issues/241

The WG had an extensive discussion regarding the migration to 
Multipurpose/Strict profiles.  Stephen noted that so far only two points had 
been raised by Certificate Issuers:

*   Having adequate time (such as one year) to allow ERAs using integration 
time to adapt.
*   Concerns relating to the impact of shorter validity on deployments 
using tokens/smartcards.

Judith Spencer and Wendy Brown commented that the shorter validity had real 
impact on large (including public sector) deployments that use 
tokens/smartcards, including:

*   limited storage on tokens/smartcards;
*   the increased burden of key exchange; and
*   the costs of support for rekeying.

The question was raised whether it would be feasible to increase the validity 
for the Multipurpose profile to 1185 days in general, or in cases where 
tokens/smartcards are used.  Clint Wilson spoke about the security and crypto 
agility benefits of shorter validity periods.  It was agreed this topic would 
be continued in Bergamo.



## 6. Any Other Business



None.



## 7. Next call



Next call:  the teleconference scheduled for May 22 has been cancelled. Next 
meeting is Bergamo F2F #60.



## Adjourned





[Smcwg-public] Draft SMCWG agenda - Wednesday, June 5 2024

2024-06-04 Thread Stephen Davidson via Smcwg-public
APOLOGIES: I fumblesent an incomplete draft of the agenda.  Correct version 
follows.




S/MIME Certificate Working Group


Draft SMCWG agenda - Wednesday, June 5 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.   Roll Call

2.   Note well:  Antitrust / Compliance Statement

3.   Review Agenda

4.   Approval of past minutes

*   May 8
*   Bergamo minutes still pending



5.   Discussion as time permits:

*   Ballot SMC07 discussion period ends today, balloting starts. See 
https://cabforum.org/2024/05/24/ballot-smc07-align-logging-requirement-and-key-escrow-clarification/
*   Discussion regarding deprecation ballot for Legacy Generation profiles. 
See 
https://github.com/cabforum/smime/compare/main...srdavidson:smime:Ballot-SMC08
*   As time allows: Issues review. See 
https://github.com/cabforum/smime/issues



6.   Any other business



7.   Next meeting: Wednesday, June 19 2024 at 11:00 am Eastern Time



  Adjourn





[Smcwg-public] Draft SMCWG agenda - Wednesday, May 8 2024

2024-06-04 Thread Stephen Davidson via Smcwg-public

S/MIME Certificate Working Group


Draft SMCWG agenda - Wednesday, May 8 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.   Roll Call

2.   Note well:  Antitrust / Compliance Statement

3.   Review Agenda

4.   Approval of past minutes

*   May 8
*   Bergamo minutes still pending



5.   Discussion as time permits:

*   Ballot SMC07 discussion period ends today, balloting starts. See 
https://cabforum.org/2024/05/24/ballot-smc07-align-logging-requirement-and-key-escrow-clarification/
*   Discussion regarding draft deprecation ballot for Legacy Generation 
profiles. See 
https://github.com/cabforum/smime/compare/main...srdavidson:smime:Ballot-SMC08
*   Issues review. See https://github.com/cabforum/smime/issues



6.   Any other business



7.   Next meeting: Wednesday, May 19 2024 at 11:00 am Eastern Time



  Adjourn





[Smcwg-public] Adopted: Ballot SMC06 (Post implementation clarification and corrections)

2024-05-13 Thread Stephen Davidson via Smcwg-public
The Intellectual Property Review (IPR) period for Ballot SMC06 (Post 
implementation clarification and corrections) has completed. No IPR Exclusion 
Notices were filed, and the ballot is adopted as of May 11, 2024.



The new S/MIME BR v.1.0.4 have been published to the CABF public website in 
accordance with the Bylaws: 
https://cabforum.org/uploads/CA-Browser-Forum-SMIMEBR-1.0.4.pdf or 
https://cabforum.org/2024/03/26/ballot-smc06-post-implementation-clarification-and-corrections/



Many thanks, Stephen





[Smcwg-public] Approved Minutes of SMCWG April 24, 2024

2024-05-11 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



April 24, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Abhishek Bhat - (eMudhra), Adriano Santoni - (Actalis S.p.A.), Aggie Wang - 
(TrustAsia), Andrea Holland - (VikingCloud), Ashish Dhiman - (GlobalSign), 
Clint Wilson - (Apple), Inaba Atsushi - (GlobalSign), Inigo Barreira - 
(Sectigo), Janet Hines - (VikingCloud), Jozef Nigut - (Disig), Judith Spencer - 
(CertiPath), Keshava Nagaraju - (eMudhra), Marco Schambach - (IdenTrust), 
Martijn Katerbarg - (Sectigo), Morad Abou Nasser - (TeleTrust), Naveen Kumar - 
(eMudhra), Nome Huang - (TrustAsia), Pedro Fuentes - (OISTE Foundation), Rollin 
Yu - (TrustAsia), Russ Housley - (Vigil Security LLC), Scott Rea - (eMudhra), 
Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas 
Zermeno - (SSL.com), Tsung-Min Kuo - (Chunghwa Telecom), Wendy Brown - (US 
Federal PKI Management Authority)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of April 10 were approved.



## 5. Discussion



Stephen Davidson noted that Ballot SMC06 was in IPR until May 11. See 
https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.

Stephen reviewed a proposed clarification from Tim Hollebeek, where section 1.1 
defines applicability to leaf certificates only.  A proposed change makes clear 
the applicability to subCAs as well.  There were no objections.  See 
https://github.com/cabforum/smime/issues/243.

Among the allowed methods for individual vetting is the ability for the CA or 
RA to accept a certificate request that has been digitally signed using a 
certificate from approved frameworks, and to rely on validated certificate 
details.

Stephen noted that when the BR was published it laid out acceptance criteria in 
3.2.4.1 (4) (b) - but purposefully did not name any approved frameworks in 
3.2.4.1 (4) (a) following a decision by the working group that each such 
framework should be the subject of a separate ballot. The working group 
discussed a draft proposed by Stephen to introduce reliance on eIDAS Qualified 
certificates. He clarified that this was to rely upon attributes in the 
certificate as evidence of vetting.  It did not affect the ability to rely upon 
electronically signed documents overall.

Clint Wilson said the existing acceptance criteria could also be improved, for 
example, by requiring confirmation that this type of reliance was intended in 
the use case for the certificate. He said it was important to be clear on the 
allowed reliance period. For more see 
https://github.com/cabforum/smime/issues/244.

Stephen noted that with the advent of eIDAS2 the text relating to eID would 
also need review (subsequently added as 
https://github.com/cabforum/smime/issues/245)

Stephen noted that feedback was still welcomed from Certificate Issuers on 
improvements that would facilitate the transition to the Multipurpose and 
Strict profiles.  He proposed a two stage approach to deprecating the Legacy 
profile. Stage one proposed a cease issuance approximately a year following the 
ballot, for example June 15 2025. The long window is advisable to allow 
Enterprise RAs with integrations to CAs adequate time to prepare. Stage 
two would occur after that time, to remove the many Legacy references in the 
S/MIME BR.  See more at 
https://github.com/cabforum/smime/issues/193

[Smcwg-public] Draft SMCWG agenda - Wednesday, May 8 2024

2024-05-06 Thread Stephen Davidson via Smcwg-public

S/MIME Certificate Working Group 


Draft SMCWG agenda - Wednesday, May 8 2024 at 11:00 am Eastern Time

 

Here is a draft agenda for the teleconference described in the subject of
this message. Please review and propose changes if necessary.

 

1. Roll Call

2. Note well: Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   April 24

5. Discussion as time permits:

*   Ballot SMC06 completes IPR on May 11
*   Membership requests:
    *   Interested Party: Ellie Schieder (private person)
    *   Certificate Consumer: Posteo e.K. https://posteo.de/en
    *   Keyfactor, change to Associate Member
*   Update logging requirements for TLS BR parity (Issue 241) 
https://github.com/cabforum/smime/issues/241
*   Discussion regarding impact of moving to shorter validity
Multipurpose/Strict profiles for deployments using tokens/smartcards
*   Bergamo topics

6. Any other business

7. Next meeting: Bergamo F2F. The meeting for May 22 has been
cancelled.

 

Adjourn

 

 





Re: [Smcwg-public] [External] Draft proposal to add eIDAS QES as vetting evidence for individual

2024-04-25 Thread Stephen Davidson via Smcwg-public
Hi Judith -

 

The text in question allows a CA to look at a third-party cert associated
with a signature and, if it's issued under an approved framework, the CA can
accept the individual identity attributes in the cert as verified.

 

When the BR was published it laid out acceptance criteria in 3.2.4.1 (4) (b)
- but purposefully did not name any approved frameworks in 3.2.4.1 (4) (a)
following a decision by the working group that each such framework should be
the subject of a separate ballot. The current draft is an effort to "test"
that process.

 

See more at
https://github.com/cabforum/smime/blob/main/SBR.md#3241-attribute-collection-of-individual-identity

 

Best, Stephen

 

 

 

 

From: Judith Spencer
Sent: Thursday, April 25, 2024 11:21 AM
To: Stephen Davidson; SMIME Certificate Working Group
Subject: RE: [External] [Smcwg-public] Draft proposal to add eIDAS QES as
vetting evidence for individual

 

Stephen

My primary concern with the proposed change is that once it finds its way
into the BR, anyone not in the EU will be eliminated from trusting existing
digital signatures as evidence.  For example, here in the U.S., the U.S.
Government has an extremely robust digital credential based on a full
background check that is independently assessed and accompanied by reams of
documentation, regulation and policy.  Over 7 million individuals hold these
credentials.  But by this policy, signatures from this community would not
be sufficient as evidence.  The CertiPath community, comprised of major
Aerospace Corporations, would likewise be eliminated.  While we don't employ
the same level of background checks in our identity proofing, it is
certainly based on sound practice and audited annually under WebTrust for
CA, which may not be a "national scheme" but is certainly a robust review
process widely recognized in the U.S. and Canada.  

Unless you are prepared to identify schemes that cover all other regions of
the world, I believe it is too early to make this change.  As a compromise,
I suggest you could identify eIDAS as the qualifying scheme for Europe and
remain silent on the rest of the world.  I recommend you revise the opening
as follows:

"If a digital signature is to be used as evidence in the European Union, the
CA or RA SHALL only rely upon the following certificate type:"

Once sufficient assessment has taken place to include all participating
regions, the language could be further modified as you suggest.  

Judy

 

Judith Spencer | PMA Chair | CertiPath, Inc.

1900 Reston Metro Plaza, Suite 303, Reston, VA 20190

PH +1.301.974.4227

Email judith.spen...@certipath.com

 

From: Smcwg-public <smcwg-public-boun...@cabforum.org> On Behalf Of Stephen Davidson
via Smcwg-public
Sent: Wednesday, April 24, 2024 8:06 PM
To: smcwg-public@cabforum.org
Subject: [External] [Smcwg-public] Draft proposal to add eIDAS QES as
vetting evidence for individual

 

 

Hello all:

 

As discussed today, here is draft language for consideration to allow CAs to
rely upon signatures created with eIDAS Qualified certificates as evidence
supporting validation of individual identity.

https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md

 

I'd be grateful for feedback on this language.

Best, Stephen

 

 





[Smcwg-public] Approved Minutes of SMCWG April 10, 2024

2024-04-25 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



April 10, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Adriano Santoni - 
(Actalis S.p.A.), Aggie Wang - (TrustAsia), Andreas Henschel - (D-TRUST), 
Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Clint Wilson - (Apple), 
Dave Chin - (CPA Canada/WebTrust), Eva Vansteenberge - (GlobalSign), Inaba 
Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Keshava Nagaraju - 
(eMudhra), Martijn Katerbarg - (Sectigo), Naveen Kumar - (eMudhra), Nome Huang 
- (TrustAsia), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Sandy Balzer 
- (SwissSign), Scott Rea - (eMudhra), Stefan Selbitschka - (rundQuadrat), 
Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas 
Zermeno - (SSL.com), Tsung-Min Kuo - (Chunghwa Telecom), Yashwanth TM - 
(eMudhra)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of March 27 were approved.



## 5. Discussion



Stephen Davidson noted that Ballot SMC06 was in Voting Period until April 11. 
See https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.

The WG reviewed Issue 240 raised by Martijn Katerbarg that the GOV 
registration scheme did not allow the use of the XX country code for countries 
that do not yet have an ISO-assigned code.  See 
https://github.com/cabforum/smime/issues/240

Stephen confirmed that there are CAs with significant existing populations of 
valid Legacy generation certificates, particularly in the Sponsor- and 
Org-validated categories.

The WG commenced a discussion of the differences between the Legacy generation 
certificate profiles versus the Multipurpose and Strict.  The following 
summarises the conversation, providing links to the related sections.

https://cabforum.org/posts/2024/2024-04-10-legacy-deprecation/SMCWG_20240410_Final.pdf

Stephen asked Certificate Issuers to review this information and provide 
feedback to help the SMCWG determine appropriate steps and timelines to migrate 
to the Multipurpose/Strict profiles. If preferred, that information can be 
provided directly to Stephen or Martijn to consolidate.

## 6. Any Other Business



It was agreed to cancel the teleconference scheduled for May 22 due to 
proximity to the F2F 62 meeting.



## 7. Next call



Next call: Wednesday, April 24, 2024 at 11:00 am Eastern Time



## Adjourned







[Smcwg-public] Draft proposal to add eIDAS QES as vetting evidence for individual

2024-04-24 Thread Stephen Davidson via Smcwg-public


Hello all:



As discussed today, here is draft language for consideration to allow CAs to 
rely upon signatures created with eIDAS Qualified certificates as evidence 
supporting validation of individual identity.



https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md



I'd be grateful for feedback on this language.

Best, Stephen







[Smcwg-public] Draft SMCWG agenda - Wednesday, April 24 2024

2024-04-22 Thread Stephen Davidson via Smcwg-public

S/MIME Certificate Working Group


Draft SMCWG agenda - Wednesday, April 24 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1. Roll Call

2. Note well: Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   April 10

5. Discussion as time permits:

*   Ballot SMC06 passed and is in IPR until May 11 
https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html
*   Clarify scope for S/MIME ICAs (Issue 243) 
https://github.com/cabforum/smime/issues/243
*   Relying on a certificate/digital signature applied by the Applicant 
(Issue 244) https://github.com/cabforum/smime/issues/244
*   Deprecation date for Legacy Generation profiles (Issue 193) 
https://github.com/cabforum/smime/issues/193

6. Any other business

7. Next meeting: Wednesday, May 8 2024 at 11:00 am Eastern Time.
The meeting for May 22 has been cancelled due to the F2F the following week.



Adjourn





Re: [Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06

2024-04-16 Thread Stephen Davidson via Smcwg-public
Thanks Bruce.

The link should be working again: 
https://cabforum.org/posts/2024/2024-04-11-SMCWG-ballot-SMC06/CA-Browser-Forum-SMIMEBR-1.0.4-redline.pdf

Regards, Stephen



From: Bruce Morton
Sent: Tuesday, April 16, 2024 3:08 PM
To: Stephen Davidson; SMIME Certificate Working Group
Subject: RE: NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06



The redline document does not appear to clearly show the changes to be reviewed.



Thanks, Bruce.



From: Smcwg-public <smcwg-public-boun...@cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, April 11, 2024 2:41 PM
To: smcwg-public@cabforum.org
Subject: [EXTERNAL] [Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06






NOTICE OF REVIEW PERIOD – BALLOT SMC06

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC06, redline at 
https://cabforum.org/posts/2024/2024-04-11-SMCWG-ballot-SMC06/CA-Browser-Forum-SMIMEBR-1.0.4-redline.pdf
Start of Review Period: April 11, 2024
End of Review Period: 2359 UTC on May 11, 2024

Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also 
https://cabforum.org/ipr-policy/.
An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.





[Smcwg-public] Draft Minutes of SMCWG April 10, 2024

2024-04-16 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



April 10, 2024



These are the Draft Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Adriano Santoni - 
(Actalis S.p.A.), Aggie Wang - (TrustAsia), Andreas Henschel - (D-TRUST), 
Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Clint Wilson - (Apple), 
Dave Chin - (CPA Canada/WebTrust), Eva Vansteenberge - (GlobalSign), Inaba 
Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Keshava Nagaraju - 
(eMudhra), Martijn Katerbarg - (Sectigo), Naveen Kumar - (eMudhra), Nome Huang 
- (TrustAsia), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Sandy Balzer 
- (SwissSign), Scott Rea - (eMudhra), Stefan Selbitschka - (rundQuadrat), 
Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas 
Zermeno - (SSL.com), Tsung-Min Kuo - (Chunghwa Telecom), Yashwanth TM - 
(eMudhra)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of March 27 were approved.



## 5. Discussion



Stephen Davidson noted that Ballot SMC06 was in Voting Period until April 11. 
See https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.

The WG reviewed Issue 240 raised by Martijn Katerbarg that the GOV 
registration scheme did not allow the use of the XX country code for countries 
that do not yet have an ISO-assigned code.  See 
https://github.com/cabforum/smime/issues/240

Stephen confirmed that there are CAs with significant existing populations of 
valid Legacy generation certificates, particularly in the Sponsor- and 
Org-validated categories.

The WG commenced a discussion of the differences between the Legacy generation 
certificate profiles versus the Multipurpose and Strict.  The following 
summarises the conversation, providing links to the related sections.

https://cabforum.org/posts/2024/2024-04-10-legacy-deprecation/SMCWG_20240410_Final.pdf

Stephen asked Certificate Issuers to review this information and provide 
feedback to help the SMCWG determine appropriate steps and timelines to migrate 
to the Multipurpose/Strict profiles. If preferred, that information can be 
provided directly to Stephen or Martijn to consolidate.

## 6. Any Other Business



It was agreed to cancel the teleconference scheduled for May 22 due to 
proximity to the F2F 62 meeting.



## 7. Next call



Next call: Wednesday, April 24, 2024 at 11:00 am Eastern Time



## Adjourned







[Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06

2024-04-11 Thread Stephen Davidson via Smcwg-public
NOTICE OF REVIEW PERIOD – BALLOT SMC06

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC06, redline at 
https://cabforum.org/posts/2024/2024-04-11-SMCWG-ballot-SMC06/CA-Browser-Forum-SMIMEBR-1.0.4-redline.pdf
Start of Review Period: April 11, 2024
End of Review Period: 2359 UTC on May 11, 2024

Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also 
https://cabforum.org/ipr-policy/.
  An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.





[Smcwg-public] Results of Ballot SMC06: Post implementation clarification and corrections

2024-04-11 Thread Stephen Davidson via Smcwg-public
 

Results of Ballot SMC06: Post implementation clarification and corrections

 

The voting period for "Ballot SMC06: Post implementation clarification and
corrections" has completed, and the ballot has passed.

 

Voting Results

Certificate Issuers

16 votes total, with no abstentions:

*   16 Issuers voting YES: Actalis S.p.A., Asseco Data Systems SA
(Certum), DigiCert, D-TRUST, eMudhra, Entrust, GlobalSign, HARICA,
IdenTrust, OISTE Foundation, SECOM Trust Systems, Sectigo, SSL.com,
SwissSign, Telia Company, TWCA
*   0 Issuers voting NO
*   0 Issuers ABSTAIN

Certificate Consumers

3 votes total, with no abstentions:

*   3 Consumers voting YES: Apple, Mozilla, rundQuadrat
*   0 Consumers voting NO
*   0 Consumers ABSTAIN

Bylaws Requirements

1.  Bylaw 2.3(f) requires:

0.  A "yes" vote by two-thirds of Certificate Issuer votes and by
50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted
for this purpose. This requirement was MET for Certificate Issuers and MET
for Certificate Consumers.
1.  At least one Certificate Issuer and one Certificate Consumer Member
must vote in favor of a ballot for the ballot to be adopted. This
requirement was MET.

2.  Bylaw 2.3(g) requires that a ballot result only be considered valid
when "more than half of the number of currently active Members has
participated". The number of currently active Voting Members is the average
number of Voting Member organizations that have participated in the previous
three meetings. Votes to abstain are counted in determining quorum. The
quorum was 7 for this ballot. This requirement was MET.

This ballot now enters the 30-day IP Rights Review Period to permit members
to review the ballot for relevant IP rights issues.  The IP Rights Review
Period ends at 2359 UTC on May 11, 2024.

 

 





[Smcwg-public] Background for discussion of Legacy Profiles

2024-04-11 Thread Stephen Davidson via Smcwg-public
Hello all:



I attach the summary that we reviewed in the SMCWG call yesterday.



It highlights the differences between the Legacy generation profiles and the 
Multipurpose/Strict profiles, including links to the relevant text sections in 
the S/MIME BR.



https://cabforum.org/posts/2024/2024-04-10-legacy-deprecation/SMCWG_20240410_Final.pdf



This should facilitate review and feedback to help the SMCWG determine 
appropriate steps and timelines to migrate to the Multipurpose/Strict profiles.



Regards, Stephen



[Smcwg-public] Approved Minutes of SMCWG March 27, 2024

2024-04-10 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



March 27, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Adrian Mueller - (SwissSign), Adriano Santoni - (Actalis S.p.A.), Andreas 
Henschel - (D-TRUST), Ben Wilson - (Mozilla), Clint Wilson - (Apple), Corey 
Bonnell - (DigiCert), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), 
Judith Spencer - (CertiPath), Marco Schambach - (IdenTrust), Martijn Katerbarg 
- (Sectigo), Morad Abou Nasser - (TeleTrust), Rollin Yu - (TrustAsia), Sandy 
Balzer - (SwissSign), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), Tim 
Crawford - (CPA Canada/WebTrust), Wendy Brown - (US Federal PKI Management 
Authority)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of March 13 were approved.



## 5. Discussion



Stephen Davidson noted that Ballot SMC06 was in Discussion Period 
https://lists.cabforum.org/pipermail/smcwg-public/2024-March/000950.html 
with voting to begin on April 4.

The group discussed https://github.com/cabforum/smime/issues/233 
relating to the use of recursive nameservers outside the CA's audit scope.  He 
noted a related ballot had passed in Server Cert working group but was subject 
to an IP claim.  Should that be resolved, the language would need to be added 
to the S/MIME BR.

He noted that some of the relevant new language was inserted in the middle of 
section 3.2.2.2 of the TLS BR. The S/MIME BR incorporate the text from section 
3.2.2.4.  He requested that the TLS BR, when new requirements are added that 
will be incorporated by other WG, isolate the new requirement in a new numbered 
section.

The WG went on to discuss another pending ballot in the Server Cert working 
group relating to Multi-perspective Domain Validation 
https://github.com/cabforum/smime/issues/239.
This too introduces new requirements that are relevant to the S/MIME BR, and 
if the TLS ballot passes, will require an update to the S/MIME BR.

The WG then discussed https://github.com/cabforum/smime/issues/230 
a request to "relax" the subject requirements in the S/MIME BR such that the 
subject:country may be allowed to differ from the country used in the 
organizationIdentifier.  This allowance exists in the EV Guidelines.  Stephen 
asked if CAs could provide concrete examples where an entity incorporated in 
one country had operations in another that did not include an entity registered 
in that country.

Stephen noted that this subject had been discussed at length earlier in the 
writing of the S/MIME BR and it was agreed that only address information from 
government sources should be used in the Subject and that the two jurisdictions 
should agree.  Adrian Mueller of SwissSign agreed.

The WG discussed that the S/MIME "adopted and then improved" the 
organizationIdentifier text from the EV Guidelines - particularly in the use of 
the GOV, INT, and LEI (when Active/Corroborated) registration schemes.  It was 
urged that these methods be fed back and introduced in the EV Guidelines.

Stephen again urged certificate issuers to gather information relating to the 
use of the Legacy profiles, in particular improvements to the Strict and 
Multipurpose profiles that would facilitate migration, and the reasonable 
timeframe for the deprecation of Legacy.

## 6. Any Other Business



None



## 7. Next call



Next call: Wednesday, April 10, 2024 at 11:00 am Eastern Time



## Adjourned







[Smcwg-public] Draft SMCWG agenda - Wednesday, April 10 2024

2024-04-09 Thread Stephen Davidson via Smcwg-public

S/MIME Certificate Working Group


Draft SMCWG agenda - Wednesday, April 10 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1. Roll Call

2. Note well:  Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   March 27

5. Discussion as time permits:

*   Ballot SMC06 is in Voting Period until April 11 
https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html
*   Use of XX country code in Gov OrgID (Issue 240) 
https://github.com/cabforum/smime/issues/240
*   Discussion relating to Legacy profile deprecation (summary of 
differences between Legacy/Multi/Strict)

6. Any other business

7. Next meeting: Wednesday, April 24 2024 at 11:00 am Eastern Time.



Adjourn







Re: [Smcwg-public] Ballot SMC06v2: Post implementation clarification and corrections

2024-04-06 Thread Stephen Davidson via Smcwg-public
Hello Marco
This email came through as blank.  If it was a vote on SMC06, can you please 
resend with a clear yes, abstain or no statement?
Many thanks!
Stephen


-Original Message-
From: Smcwg-public  On Behalf Of Marco 
Schambach via Smcwg-public
Sent: Friday, April 5, 2024 10:40 AM
To: SMIME Certificate Working Group 
Subject: [Smcwg-public] Ballot SMC06v2: Post implementation clarification and 
corrections



[Smcwg-public] Ballot SMC06v2: Post implementation clarification and corrections

2024-04-04 Thread Stephen Davidson via Smcwg-public
Ballot SMC06: Post implementation clarification and corrections



Purpose of Ballot:



The ballot proposes changes to the S/MIME Baseline Requirements to provide 
clarifications and corrections arising from the implementation of the S/MIME BR 
and initial audits.



The following motion has been proposed by Stephen Davidson of DigiCert and 
endorsed by Martijn Katerbarg of Sectigo and Roman Fischer of SwissSign.



- MOTION BEGINS -



This ballot modifies the "Baseline Requirements for the Issuance and Management 
of Publicly-Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") 
resulting in Version 1.0.4.



The proposed modifications to the S/MIME Baseline Requirements may be found at 
https://github.com/srdavidson/smime/compare/ed36440d7c967732aa08739b14cc29bed257a67d...246fab8b8880aa62cec95b6d055b872173d4dadf



The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and 
Version Number of the S/MIME Baseline Requirements to reflect final dates.



- MOTION ENDS -



This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:



Discussion (9 days)

Start Time: Tuesday March 26, 2024 17:00 UTC

End Time: Thursday April 4, 2024 17:00 UTC



Vote for approval (7 days)

Start Time: Thursday April 4, 2024 17:00 UTC

End Time: Thursday April 11, 2024 17:00 UTC



IPR Review (30 days)





[Smcwg-public] Times on Ballot SMC06

2024-04-04 Thread Stephen Davidson via Smcwg-public
Hello all:



I now realize that I did not take DST into account in the timing of Ballot
SMC06.  I will restart the ballot, and Tim has agreed to recast his vote.

 

My apologies!

 





[Smcwg-public] Voting period begins for Ballot SMC06: Post implementation clarification and corrections

2024-04-04 Thread Stephen Davidson via Smcwg-public
Ballot SMC06: Post implementation clarification and corrections



Purpose of Ballot:



The ballot proposes changes to the S/MIME Baseline Requirements to provide 
clarifications and corrections arising from the implementation of the S/MIME BR 
and initial audits.



The following motion has been proposed by Stephen Davidson of DigiCert and 
endorsed by Martijn Katerbarg of Sectigo and Roman Fischer of SwissSign.



- MOTION BEGINS -



This ballot modifies the "Baseline Requirements for the Issuance and Management 
of Publicly-Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") 
resulting in Version 1.0.4.



The proposed modifications to the S/MIME Baseline Requirements may be found at 
https://github.com/srdavidson/smime/compare/ed36440d7c967732aa08739b14cc29bed257a67d...246fab8b8880aa62cec95b6d055b872173d4dadf



The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and 
Version Number of the S/MIME Baseline Requirements to reflect final dates.



- MOTION ENDS -



This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:



Discussion (9 days)

Start Time: Tuesday March 26, 2024 17:00 UTC

End Time: Thursday April 4, 2024 17:00 UTC



Vote for approval (7 days)

Start Time: Thursday April 4, 2024 18:00 UTC

End Time: Thursday April 11, 2024 18:00 UTC



IPR Review (30 days)





[Smcwg-public] Approved Minutes of SMCWG March 13, 2024

2024-03-27 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



March 13, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Adriano Santoni - (Actalis S.p.A.), Andreas Henschel - (D-TRUST), Ashish Dhiman 
- (GlobalSign), Bruce Morton - (Entrust), Clint Wilson - (Apple), Dave Chin - 
(CPA Canada/WebTrust), Inaba Atsushi - (GlobalSign), Inigo Barreira - 
(Sectigo), Judith Spencer - (CertiPath), Marco Schambach - (IdenTrust), Martijn 
Katerbarg - (Sectigo), Morad Abou Nasser - (TeleTrust), Nome Huang - 
(TrustAsia), Paul van Brouwershaven - (Entrust), Rollin Yu - (TrustAsia), Sandy 
Balzer - (SwissSign), Scott Rea - (eMudhra), Stefan Selbitschka - 
(rundQuadrat), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust 
Systems), Tathan Thacker - (IdenTrust), Wendy Brown - (US Federal PKI 
Management Authority)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of February 28 were approved.



The membership of DiSig in the SMCWG was confirmed.



## 5. Discussion






Stephen Davidson provided an overview of the draft text of SMC06 clarifications 
and corrections ballot, including several new items relating to 
https://github.com/cabforum/smime/issues/236 and 
https://github.com/cabforum/smime/issues/237.
Following discussion it was agreed that suspension be clarified 
specifically as certificateHold. Adriano Santoni noted that it was unclear if 
suspension was even supported by email clients and perhaps should be considered 
for removal in future.  See 
https://github.com/srdavidson/smime/compare/ed36440d7c967732aa08739b14cc29bed257a67d...246fab8b8880aa62cec95b6d055b872173d4dadf



Stephen encouraged members to use the Issues list at 
https://github.com/cabforum/smime/issues 
to submit topics for consideration.



Stephen noted that the ballot would soon move ahead with endorsers including 
Martijn Katerbarg of Sectigo and Roman Fischer of SwissSign.



The group had a discussion of SC ballots for relevance to the SMCWG, noting 
that if the MPV ballot is successful a review may be required for the S/MIME BR.



Stephen noted that the server certificate working group is working towards 
automatically distributing audio recordings of meetings to participants, which 
may be extended to the SMCWG as well. There was no objection.



Stephen noted that the group would soon discuss the possible deprecation of the 
Legacy profiles and again asked Certificate Issuers to review items that 
presented obstacles to moving to the Multipurpose or Strict profiles.  He noted 
that there were concerns on the ability of ERAs to parse out givenName and 
surname as separate Subject attributes, and shorter certificate validity may be 
an issue for implementations using smartcards.



Stephen asked if using CCADB to poll Certificate Issuers regarding their S/MIME 
BR profiles would present a by-laws/anticompetitive issue.



## 6. Any Other Business



None



## 7. Next call



Next call: Wednesday, March 27, 2024 at 11:00 am Eastern Time



## Adjourned







[Smcwg-public] Draft SMCWG agenda - Wednesday, March 27 2024

2024-03-26 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, March 27 2024 at 11:00 am Eastern Time
Reminder: the US has already moved to Daylight Savings Time.



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1. Roll Call

2. Note well:  Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   March 13

5. Discussion as time permits:

*   Ballot SMC06 is in Discussion Period 
https://lists.cabforum.org/pipermail/smcwg-public/2024-March/000950.html
*   How to incorporate DTPs in SBR (Issue 233)
*   Early look: how to incorporate MPV in SBR (Issue 239)
*   Matching OrgID to Subject Country (Issue 230)

6. Any other business

*   Coming soon: discussion of deprecation of Legacy profiles. Please 
document obstacles to migration to Multipurpose and Strict profiles.

7. Next meeting: Wednesday, April 10 2024 at 11:00 am Eastern Time



Adjourn





[Smcwg-public] Discussion period for Ballot SMC06: Post implementation clarification and corrections

2024-03-26 Thread Stephen Davidson via Smcwg-public
Ballot SMC06: Post implementation clarification and corrections



Purpose of Ballot:



The ballot proposes changes to the S/MIME Baseline Requirements to provide 
clarifications and corrections arising from the implementation of the S/MIME BR 
and initial audits.



The following motion has been proposed by Stephen Davidson of DigiCert and 
endorsed by Martijn Katerbarg of Sectigo and Roman Fischer of SwissSign.



- MOTION BEGINS -



This ballot modifies the "Baseline Requirements for the Issuance and Management 
of Publicly-Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") 
resulting in Version 1.0.4.



The proposed modifications to the S/MIME Baseline Requirements may be found at 
https://github.com/srdavidson/smime/compare/ed36440d7c967732aa08739b14cc29bed257a67d...246fab8b8880aa62cec95b6d055b872173d4dadf



The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and 
Version Number of the S/MIME Baseline Requirements to reflect final dates.



- MOTION ENDS -



This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:



Discussion (9 days)

Start Time: Tuesday March 26, 2024 17:00 UTC

End Time: Thursday April 4, 2024 17:00 UTC





[Smcwg-public] Approved Minutes of SMCWG February 28, 2024

2024-03-14 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



February 28, 2024, F2F #61



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees (physical and online)



Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra), Adam Jones - (Microsoft), 
Adrian Mueller - (SwissSign), Adriano Santoni - (Actalis S.p.A.), Andrea 
Holland - (VikingCloud), Andreas Henschel - (D-TRUST), Antti Backman - (Telia 
Company), Arno Fiedler - (ETSI), Arnold Essing - (Telekom Security), Arvid 
Vermote - (GlobalSign), Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), 
Bilal Ashraf - (SSL.com), Brittany Randall - (GoDaddy), Bruce Morton - 
(Entrust), Christophe Bonjean - (GlobalSign), Clint Wilson - (Apple), Corey 
Bonnell - (DigiCert), Dave Chin - (CPA Canada/WebTrust), Dean Coclin - 
(DigiCert), Dimitris Zacharopoulos - (HARICA), Enrico Entschew - (D-TRUST), Eva 
Vansteenberge - (GlobalSign), Fumi Yoneda - (Japan Registry Services), Hogeun 
Yoo - (NAVER Cloud Trust Services), Inaba Atsushi - (GlobalSign), Inigo 
Barreira - (Sectigo), Jeremy Rowley - (DigiCert), Jos Purvis - (Fastly), Jozef 
Nigut - (Disig), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)), 
Keshava Nagaraju - (eMudhra), Leo Grove - (SSL.com), Li-Chun Chen - (Chunghwa 
Telecom), Mads Henriksveen - (Buypass AS), Marco Schambach - (IdenTrust), 
Martijn Katerbarg - (Sectigo), Matthias Wiedenhorst - (ACAB Council), Miguel 
Sanchez - (Google), Mike Kushner - (KeyFactor), Mrugesh Chandarana - 
(IdenTrust), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Naveen 
Kumar - (eMudhra), Nicol So - (CommScope), Nome Huang - (TrustAsia), Paul van 
Brouwershaven - (Entrust), Peter Miskovic - (Disig), Raffaela Achermann - 
(SwissSign), Rich Smith - (DigiCert), Rollin Yu - (TrustAsia), Roman Fischer - 
(SwissSign), Sandy Balzer - (SwissSign), Scott Rea - (eMudhra), Sissel Hoel - 
(Buypass AS), Sooyoung Eo - (NAVER Cloud Trust Services), Star Simmons - 
(GoDaddy), Stephen Davidson - (DigiCert), Sven Rajala - (KeyFactor), Tadahiko 
Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), Tim Callan - 
(Sectigo), Tim Hollebeek - (DigiCert), Trevoli Ponds-White - (Amazon), 
Tsung-Min Kuo - (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha - (eMudhra), 
Yaswanth - (eMudhra)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of February 14 were approved.



The membership of DiSig in the SMCWG was confirmed.



## 5. Discussion



Stephen Davidson provided an overview of recent activity at the SMCWG, which 
included passage of Ballot SMC04 (ETSI audit criteria) and Ballot SMC05 (CAA).  
The group has also expended considerable effort on a draft Ballot SMC06 which 
is largely comprised of clarifications based on feedback from implementers, 
auditors, and users of the open source pkilint linter for the S/MIME BR, see 
https://github.com/digicert/pkilint.



Key Transparency Workshop

Stephen proposed holding a workshop at #62 F2F to discuss Key Transparency 
(KT).  KT addresses key discovery and key history, two of the biggest issues in 
S/MIME deployments.  See 
https://github.com/google/keytransparency/blob/master/docs/overview.md.
Large examples exist in messaging such as by WhatsApp, Signal, Keybase, and 
Apple.  ProtonMail has a pilot for webmail: 
https://proton.me/support/key-transparency



As cloud service providers are now the dominant mode for email services, both 
personal and enterprise, Key Transparency becomes a possible enhancement for 
S/MIME certificates providing better discovery and lifecycle support.  Paul van 
Brouwershaven asked if this was within scope of the WG; Stephen argued that it 
fit within the charter focus on key management and certificate lifecycle; Clint 
Wilson agreed. Stephen said we had an opportunity to have "right people in the 
room" to advance the topic.  Tim Hollebeek noted that in the past in

[Smcwg-public] Draft SMCWG agenda - Wednesday, March 13 2024

2024-03-12 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, March 13 2024 at 11:00 am Eastern Time



NOTE THAT USA HAS ALREADY MOVED TO DAYLIGHT SAVINGS TIME!



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.   Roll Call

2.   Note well:  Antitrust / Compliance Statement

3.   Review Agenda

4.   Approval of past minutes

*   February 28, Face to Face 61



5.   Discussion as time permits:

*   Review of new changes to Ballot SMC06
*   Review of other recent CABF ballots for relevance
*   Path to ballot on SMC06
*   Reminder for preparation on Legacy discussion



6.   Any other business



7.   Next meeting is Wednesday, March 27 2024 at 11:00 am Eastern Time.



  Adjourn







[Smcwg-public] Approved Minutes of SMCWG February 14, 2024

2024-02-29 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


February 14, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.


Attendees


Abhishek Bhat - (eMudhra), Andreas Henschel - (D-TRUST), Ashish Dhiman - 
(GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Clint Wilson - 
(Apple), Corey Bonnell - (DigiCert), Don Sheehy - (CPA Canada/WebTrust), Eva 
Vansteenberge - (GlobalSign), Inaba Atsushi - (GlobalSign), Inigo Barreira - 
(Sectigo), Judith Spencer - (CertiPath), Keshava Nagaraju - (eMudhra), Lucy 
Buecking - (IdenTrust), Marco Schambach - (IdenTrust), Martijn Katerbarg - 
(Sectigo), Morad Abou Nasser - (TeleTrust), Nome Huang - (TrustAsia), Renne 
Rodriguez - (Apple), Rollin Yu - (TrustAsia), Scott Rea - (eMudhra), Taavi 
Eomäe - (Zone Media), Tadahiko Ito - (SECOM Trust Systems), Tathan Thacker - 
(IdenTrust), Thomas Zermeno - (SSL.com), Tim Crawford - (CPA Canada/WebTrust), 
Tim Hollebeek - (DigiCert), Tsung-Min Kuo - (Chunghwa Telecom)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes for the teleconference of January 31 were approved.


5. Discussion


Martijn Katerbarg led the WG discussion.



Martijn noted that "Ballot SMC05: Adoption of CAA for S/MIME" 
was in IPR, ending on February 16.  Thus far there were no filings.  He noted 
that the WG would be moving on to Ballot SMC06 soon and that Stephen Davidson's 
draft could be found at 
https://github.com/srdavidson/smime/blob/Ballot-SMC06/SBR.md



Eva Vansteenberge raised the point that the SBR requires the subject:country to 
match the country of the registration scheme, and noted that this was not a 
requirement in the EVG.  She asked for a discussion on this point.



Martijn raised a draft text to clarify that extensions (such as EKU) that meet 
open standards are allowed.  See 
https://github.com/cabforum/smime/issues/235 
Russ Housley had raised that such extensions should not be marked critical.  
Following discussion with Tim Hollebeek and Tadahiko Ito it was agreed that 
criticality should be determined by the extension's open standards.



Martijn raised the subject of topics for the F2F.  Tim said the group should 
focus on laying out a topic roadmap for the year.  Martijn said that the 
timetable for deprecation of Legacy should be discussed, as well as a review of 
open topics on the Issues board.  He requested that WG members reach out to him 
or Stephen Davidson if they have topics they'd like addressed at the F2F.



Martijn raised https://github.com/cabforum/smime/issues/199 
on duplicated subject DN attributes, noting that this was hardened in the TLS 
BR under ballot SC62.  Corey noted that we should retain flexibility for 
multiple attributes for givenName and surname as this was a known use case in 
countries like Spain.  Scott Rea said the same applied in UAE.  The existing 
SBR text allows separation of the names, or bundling them within attributes.  
Tim proposed looking at the ISO x500 specs.  It was suggested that this might 
be a F2F topic.



Martijn noted that this might lead to a ballot to drive increased specification 
of cert profiles as was handled for TLS by SC62.  Tim agreed that in time it 
was preferable to reduce the divergences between CABF standards.




6. Any Other Business




None


7. Next call


Next call: see schedule for the New Delhi F2F.


Adjourned






[Smcwg-public] SMCWG on Wed Feb 28

2024-02-24 Thread Stephen Davidson via Smcwg-public
Hello all:



A reminder that, due to CABF #62 taking place next week, the SMCWG normal 
meeting on Feb 28 is cancelled.

In its place, the SMCWG will meet on Wednesday starting at 14:00 Indian 
Standard Time (time zone converter at 
https://dateful.com/time-zone-converter?t=1930&tz2=Delhi-India).



See the whole F2F schedule and dial ins here:

https://wiki.cabforum.org/books/meetings/page/meeting-61-agenda



The agenda is tentatively:



1.  Roll Call
2.  Note well: Antitrust / Compliance Statement
3.  Review Agenda
4.  Approval of prior meeting minutes
5.  Overview of recent activity
6.  Review of proposed Ballot SMC06
7.  Roadmap of 2024 activity (for example: signature vetting method, 
alternative email control methods, deprecation of legacy, review of issues)
8.  Any other business
9.  Next teleconference: tentative March 13
10. Adjourn



Regards, Stephen



[Smcwg-public] ADOPTED: Ballot SMC05: Adoption of CAA for S/MIME

2024-02-21 Thread Stephen Davidson via Smcwg-public
The Intellectual Property Review (IPR) period for Ballot SMC05 (Adoption of CAA 
for S/MIME) has completed. No IPR Exclusion Notices were filed, and the ballot 
is adopted as of February 20, 2024.

The new S/MIME BR v.1.0.3 have been published to the CABF public website in 
accordance with the Bylaws: 
https://cabforum.org/uploads/CA-Browser-Forum-SMIMEBR-1.0.3.pdf

Best regards,
Stephen Davidson, Chair
CA/Browser Forum S/MIME Certificate Working Group





[Smcwg-public] Draft SMCWG agenda - Wednesday, February 14 2024

2024-02-01 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, February 14 2024 at 11:00 am Eastern Time

 

Here is a draft agenda for the teleconference described in the subject of
this message. Please review and propose changes if necessary.

 

1. Roll Call

2. Note well:  Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   January 31

5. Discussion as time permits:

*   IPR in progress on Ballot SMC05: CAA until Feb 16
*   Plan to ballot SMC06 soon: seeking endorsers
*   Cancel Feb 28 meeting due to F2F
*   F2F agenda discussion
*   Issue 235: Use of third-party OIDs
*   Issue 199: Repeated subject DN attributes

6. Any other business

7. Next meeting is in course of the F2F New Delhi

 

Adjourn

 

 





[Smcwg-public] Approved Minutes of SMCWG January 17, 2024

2024-01-31 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


January 17, 2024



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.


Attendees


Adriano Santoni - (Actalis S.p.A.), Andrea Holland - (VikingCloud), Andreas 
Henschel - (D-TRUST), Ashish Dhiman - (GlobalSign), Cade Cairns - (Google), 
Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Dimitris Zacharopoulos - 
(HARICA), Don Sheehy - (CPA Canada/WebTrust), Enrico Entschew - (D-TRUST), 
Inaba Atsushi - (GlobalSign), Janet Hines - (VikingCloud), Judith Spencer - 
(CertiPath), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Matt 
Cooper - (CertiPath (Private Person)), Mrugesh Chandarana - (IdenTrust), Nome 
Huang - (TrustAsia), Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia), Russ 
Housley - (Vigil Security LLC), Scott Rea - (eMudhra), Stephen Davidson - 
(DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), 
Tim Crawford - (CPA Canada/WebTrust), Tsung-Min Kuo - (Chunghwa Telecom)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes for the teleconference of January 3 were approved.


5. Discussion


Stephen Davidson noted that "Ballot SMC05: Adoption of CAA for S/MIME" 
was in voting period.



Stephen noted the discussion that was occurring at the Server Certificate WG 
regarding delegated third party, and noted that the outcome of that discussion 
would have equal impact for S/MIME BR.  He invited WG members to consider if 
there were other areas that might be delegated under S/MIME that might differ 
from TLS.



Stephen noted also the discussion occurring on the SMCWG regarding the 
Certificate Template Information extension, including that the inclusion of 
third-party extensions brought along the need to comply with obligations 
relating to those extensions.



The WG considered additional text changes related to Ballot SMC06: 
Clarifications and corrections to S/MIME BR including those found at 
https://github.com/cabforum/smime/issues



*   Issue 229: Update for Registration Scheme for OrgID.  Clint Wilson 
questioned the "as amended" text as he was wary of including external 
references that might change without review.  Tadahiko Ito said that sometimes 
it could be difficult to track amendments to laws referred to in standards. It 
was noted that we already accept untracked amendments in the ISO 3166 
references.  Martijn Katerbarg suggested that the text in A.10 be amended to 
make clear in these cases where the OrgID prefix does not match the Countryname 
ISO code.  The approach was agreed.
*   Issue 223: ISO code as SHOULD not MAY.  It was noted that this language 
also appeared in the TLS BR which has now been updated to MUST.  It was agreed 
to change.
*   Issue 232: Forbid issuance of certificates to ceased organizations.  
Agreed to include language similar to EVG.  It was suggested that similar 
requirements should likely be added to the TLSBR and CSBR.
*   Issue 222: subject:organizationIdentifier requires subject:countryName 
to be present.  Agreed to modify as proposed.



See also 
https://github.com/srdavidson/smime/blob/Ballot-SMC06/SBR.md




6. Any Other Business




None


7. Next call


Next call: Wednesday, January 31, 2024 at 11:00 am Eastern Time


Adjourned






[Smcwg-public] Draft SMCWG agenda - Wednesday, January 31 2024

2024-01-26 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, January 31 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.Roll Call

2.Note well:  Antitrust / Compliance Statement

3.Review Agenda

4.Approval of past minutes

*   January 17



5.Discussion as time permits:

*   IPR in progress on "Ballot SMC06: Clarifications and corrections to 
S/MIME BR" until Feb 16
*   Note: discussion on use of authoritative DNS at Validation WG
*   Revisit Issue 232: Forbid issuance of certificates to ceased 
organizations
*   Issue 234: Clarify private key delivery to subscriber
*   Issue 199: Repeated subject DN attributes



6.Any other business



7.To be confirmed:  next meeting on Wednesday, February 14, 2024 at 
11:00 am Eastern Time



Adjourn





[Smcwg-public] Approved Minutes of SMCWG January 3, 2024

2024-01-23 Thread Stephen Davidson via Smcwg-public


Minutes of SMCWG


January 3, 2024

 

These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.


Attendees 


Adriano Santoni - (Actalis S.p.A.), Andrea Holland - (VikingCloud), Andreas 
Henschel - (D-TRUST), Ashish Dhiman - (GlobalSign), Cade Cairns - (Google), 
Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Dimitris Zacharopoulos - 
(HARICA), Don Sheehy - (CPA Canada/WebTrust), Enrico Entschew - (D-TRUST), 
Inaba Atsushi - (GlobalSign), Janet Hines - (VikingCloud), Judith Spencer - 
(CertiPath), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Matt 
Cooper - (CertiPath (Private Person)), Mrugesh Chandarana - (IdenTrust), Nome 
Huang - (TrustAsia), Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia), Russ 
Housley - (Vigil Security LLC), Scott Rea - (eMudhra), Stephen Davidson - 
(DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), 
Tim Crawford - (CPA Canada/WebTrust), Tsung-Min Kuo - (Chunghwa Telecom)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes for the teleconference of December 20 were approved.


5. Discussion 


Stephen Davidson noted that "Ballot SMC05: Adoption of CAA for S/MIME" would 
enter discussion period.  The ballot is proposed by Corey Bonnell of DigiCert 
and endorsed by Dimitris Zacharopoulos of HARICA and Ben Wilson of Mozilla.  
The proposed text may be found at 
https://github.com/cabforum/smime/pull/228/files.

 

The WG then began the beginnings of a new Ballot SMC06, a clarification and 
correction ballot based on feedback from Certificate Issuers and their 
experience rolling out the S/MIME BR.  The text may be found at 
https://github.com/srdavidson/smime/blob/Ballot-SMC06/SBR.md.

 

Stephen noted that the Issues board of the main SMCWG repo was the best place 
to track these changes at https://github.com/cabforum/smime/issues.  The WG 
discussed the following proposed changes:

 

a.  Clarification of geographic fields in the Subject (issue 211)
b.  Rules re Pseudonym (issue 203)
c.  Intermediate ICA as Extant CAs (issue 215)
d.  Clarification in keyUsage table in 7.1.2.3(e) (issue 208)
e.  Appendix A country match language for LEI and INT (issue 216)
f.  Clarification that LEI is a global scheme (XG) in 7.1.4.2.2 (d) (issue 
216)
g.  New definitions for Registration Reference and Registration Scheme 
(issue 216)
h.  Clarification of OU for Affiliate in 3.2.3.1 (issue 226)
i.  Update 1.2 for Mailbox-validated to allow CN (issue 227)
j.  Adding EL as Registration scheme in 7.1.4.2.2 (d) and Appendix A (issue 
229)

 

In general the WG was in agreement with the changes proposed with the following 
exceptions.

 

It was decided regarding item (a) that postal code should require country 
rather than the current requirement of locality or state/province.

 

It was noted regarding item (j) that the rules in the S/MIME BR and the EVG for 
the OrgID deviated slightly from the ETSI requirements from which the 
attribute originated.  This has caused problems for CAs that issue both ETSI 
style certificates as well as S/MIME BR and EVG certificates.  It was suggested 
that the WG seek to reduce the divergence in use of the OrgID.  Dimitris agreed 
to work with Stephen on a proposal as a separate ballot for the S/MIME BR, and 
to work with ETSI as required. 

 

In future calls the WG will address other issues on the GitHub list.  

 

The WG discussed the topic of time accuracy which is also occurring at the 
SCWG.  It was noted that the topic had previously been intensively debated in 
SCWG; it was decided to wait until discussion had settled down in that group 
before proceeding.

 

Ashish Dhiman noted the recent issue added, wherein the EVG allow the country 
in the subject:country field to differ from that used in the OrgID, while the 
S/MIME BR require them to match.  Stephen noted that the group had discussed 
this issue at length before, both for corporate entities and the address of 
individuals in Sponsor certs.  It was agreed at that time to keep it simple for 
the registration of the O.  Stephen requested examples where a company was 
registered in one jurisdiction but had operations in another (typically there 
would be an affiliate registered in the other jurisdiction). He said the group 
could return to the topic at a future meeting.

 

The WG discussed Issue 223 on country codes for countries that do not have 
official ISO codes.  Stephen asked if this was an issue; examples were noted 
for Northern Cyprus.  The WG will return to the Issues from GitHub on future 
calls.

 


6. Any Other Business


 

None


7. Ne

[Smcwg-public] Results of Ballot SMC05: Adoption of CAA for S/MIME

2024-01-17 Thread Stephen Davidson via Smcwg-public
Results of Ballot SMC05: Adoption of CAA for S/MIME



The voting period for Ballot SMC05: Adoption of CAA for S/MIME has completed, 
and the ballot has passed.



Voting Results

Certificate Issuers

19 votes total, with no abstentions:

*   19 Issuers voting YES: Actalis S.p.A., Asseco Data Systems SA (Certum), 
Chunghwa Telecom, DigiCert, D-TRUST, eMudhra, Entrust, GDCA, GlobalSign, 
HARICA, IdenTrust, OISTE Foundation, SECOM Trust Systems, Sectigo, SSL.com, 
SwissSign, Telia Company, VikingCloud, Visa,
*   0 Issuers voting NO
*   0 Issuers ABSTAIN

Certificate Consumers

3 votes total, with no abstentions:

*   3 Consumers voting YES: Apple, Mozilla, rundQuadrat
*   0 Consumers voting NO
*   0 Consumers ABSTAIN

Bylaws Requirements

1.  Bylaw 2.3(f) requires:

   0.   A "yes" vote by two-thirds of Certificate Issuer votes and by 
50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted 
for this purpose. This requirement was MET for Certificate Issuers and MET for 
Certificate Consumers.
   1.   At least one Certificate Issuer and one Certificate Consumer Member 
must vote in favor of a ballot for the ballot to be adopted. This requirement 
was MET.

2.  Bylaw 2.3(g) requires that a ballot result only be considered valid 
when "more than half of the number of currently active Members has 
participated". The number of currently active Voting Members is the average 
number of Voting Member organizations that have participated in the previous 
three meetings. Votes to abstain are counted in determining quorum. The quorum 
was 9 for this ballot. This requirement was MET.

This ballot now enters the 30-day IP Rights Review Period to permit members to 
review the ballot for relevant IP rights issues.  The IP Rights Review Period 
ends at 2359 UTC on February 16, 2024.







[Smcwg-public] Notice of Review Period SMC05: Adoption of CAA for S/MIME

2024-01-17 Thread Stephen Davidson via Smcwg-public
Notice of Review Period SMC05: Adoption of CAA for S/MIME

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC05, redline at 
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-SMIMEBR-1.0.3-redline.pdf
Start of Review Period: January 17, 2024
End of Review Period: 2359 UTC on February 16, 2024

Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also https://cabforum.org/ipr-policy/.
An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.





[Smcwg-public] FW: [External Sender] Re: Forbid issuance of certificates to ceased organizations

2024-01-17 Thread Stephen Davidson via Smcwg-public
Am forwarding the message from a list subscriber who is not a member of the WG, 
but whose comments are relevant to our discussions today.

Regards, Stephen





From: Maria Merkel 
Sent: Wednesday, January 10, 2024 9:38 AM
To: Wendy Brown - QT3LB-C 
Cc: Adriano Santoni ; SMIME Certificate Working 
Group 
Subject: Re: [Smcwg-public] [External Sender] Re: Forbid issuance of 
certificates to ceased organizations



Of course I am not claiming to understand every jurisdiction in the world, but 
I believe that in most of them there are two things to differentiate here:



1. Mergers in the corporate law sense and acquisitions (even if both are 
commonly called mergers)
In case of an acquisition, both companies continue to exist. In case of a 
merger, the business of one company is transferred to a new company, and the 
old company is dissolved. Only the new company (the merger target) exists after 
the merger is complete.



From a CA (and general outside) perspective, nothing has changed with an 
acquisition. The same company still exists, it only has a new owner. With 
mergers it becomes a bit more complicated:



2. Legal names, registered business names and unregistered business names

Companies usually have a single legal name under which they are registered. 
This is the name usually included in a certificate. A legal name is tied to the 
specific company and, in virtually all jurisdictions, cannot be used once the 
company is dissolved, even if this is due to a merger (unless, of course, a new 
company is registered under that name or the merger target company changes its 
name to the legal name of the old company).

Additionally, many companies have one or more separate business names under 
which they are known to the public. Depending on the jurisdiction, those may or 
may not be registered with the government, or whether to register them may be 
at the company's discretion. The S/MIME BR allow registered business names to 
be included in a certificate, but not unregistered ones. A business name 
(regardless of whether it is registered or not) can and usually will be taken 
over in a merger, at least temporarily.



General Thoughts

While this knowledge may be useful to understand the backgrounds, I don't think 
this matters too much from a CA perspective, and too much of it is 
jurisdiction-specific for it to be feasible to make specific rules for each 
situation (nor may this be desirable due to the complexity).



I think the reasonable thing to do would be what @Adriano 
Santoni originally suggested, 
specifically requiring that a company is "active" per its home jurisdiction 
(which is usually reflected on that jurisdiction's website, and datasets like 
LEI data). This would be valuable because there doesn't seem to be a practical 
situation in which a company that no longer exists could do anything (including 
using a certificate), so at best such an entry would always be misleading. 
There is value in a person relying on a certificate being able to identify the 
specific legal entity on behalf of whom a message was sent, as this will be 
relevant in case of legal disputes. There may also be additional legal 
considerations, such as not being able to hold a dissolved company accountable 
for breaches of subscriber agreements, but this is more of a consideration for 
each CA rather than something that would likely matter to the public at large.



It may be worth noting that not all jurisdictions make the status (like 
"active") of a company publicly available, especially not free of charge. 
Therefore perhaps including the legal name of a company whose status is unknown 
should also be allowed, as long as the CA does not have a reason to believe 
that the status is not "active".



Maria Merkel



On Wed, Jan 10, 2024 at 2:03 PM Wendy Brown - QT3LB-C <wendy.br...@gsa.gov> wrote:

   I am no lawyer and not speaking on behalf of any CA, so the following is 
just my personal opinion, but I think the continued use of a corporate name 
after acquisition by another company may possibly vary based on country.



   I say that based solely on anecdotal information having worked for several 
companies in the past that were acquired by other companies and yet continued 
to use the former name for some time for DNS, emails and other purposes in 
order to fulfill prior contractual obligations.

   Another example might be a company that has an OID arc for protocol 
extensions or certificate policies that may be asserted in certificates that 
did not expire just because the company was acquired.  The new owner retained 
   the right to continue using those OIDs.



   Thanks,


   Wendy



   Wendy Brown

   Protiviti Government Services







   On Wed, Jan 10, 2024 at 2:41 AM Adriano Santoni via Smcwg-public <smcwg-public@cabforum.org> wrote:

  Thank you, Maria, for sharing your opinion.

  I'd love to hear from others as well

  Adriano



[Smcwg-public] SMCWG agenda - Wednesday, January 17 2024

2024-01-16 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, January 17 2024 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.Roll Call

2.Note well:  Antitrust / Compliance Statement

3.Review Agenda

4.Approval of past minutes

*   January 3



5.Discussion as time permits:

*   Voting on "Ballot SMC06: Clarifications and corrections to S/MIME BR" 
closes January 17 at 23:30 UTC
*   Note: delegated third party discussion at Server Cert WG
*   Note: Certificate Template Information extension on list
*   Issue 229: Update for Registration Scheme for OrgID
*   Issue 223: ISO code as SHOULD not MAY
*   Issue 232: Forbid issuance of certificates to ceased organizations
*   Issue 222: subject:organizationIdentifier requires subject:countryName 
to be present
*   Issue 199: Repeated subject DN attributes



6.Any other business



7.To be confirmed:  next meeting is Wednesday, January 31, 2024 at 
11:00 am Eastern Time



Adjourn







[Smcwg-public] Approved Minutes of SMCWG December 20, 2023

2024-01-03 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


December 20, 2023



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.


Attendees


Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), 
Cade Cairns - (Google), Corey Bonnell - (DigiCert), Dimitris Zacharopoulos - 
(HARICA), Don Sheehy - (CPA Canada/WebTrust), Enrico Entschew - (D-TRUST), Eva 
Vansteenberge - (GlobalSign), Inaba Atsushi - (GlobalSign), Inigo Barreira - 
(Sectigo), Judith Spencer - (CertiPath), Marco Schambach - (IdenTrust), Martijn 
Katerbarg - (Sectigo), Paul van Brouwershaven - (Entrust), Pekka Lahtiharju - 
(Telia Company), Rebecca Kelley - (Apple), Renne Rodriguez - (Apple), Scott Rea 
- (eMudhra), Stefan Selbitschka - (rundQuadrat), Stephen Davidson - (DigiCert), 
Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), Tim Crawford 
- (CPA Canada/WebTrust), Tsung-Min Kuo - (Chunghwa Telecom)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes for the teleconference of December 6 were approved.


5. Discussion


Stephen Davidson confirmed that Ballot SMC04 was published as S/MIME BR 1.0.2 
on December 8. See https://cabforum.org/smime-br/ for more details.



Stephen said there had been extensive consultation and feedback regarding 
the addition of CAA for S/MIME to the S/MIME BR, and the intent was to go to 
ballot at the start of January 2024, proposed by Corey Bonnell (DigiCert) and 
endorsed by Dimitris Zacharopoulos (HARICA) and Ben Wilson (Mozilla).



Stephen described the ballot text (seen in updated form) at 
https://github.com/cabforum/smime/compare/5fb2a7ee94d1c5684d5f32af11572e8c10cd2f8c...1fbbdc8f908e6eba779b4ea0de1cbfd20e156c3a



Dimitris requested that the references to RFC 8659 be removed as they were 
incorporated as a normative reference within RFC 9495.  Stephen preferred to 
maintain the text in 4.2.2.1 that ruled out the TLS property tags for S/MIME 
but it was agreed that RFC 4945 covered this in sufficient detail.  Stephen 
also agreed to drop the RFC 8659 references.



Bruce Morton queried the language in 4.2.2.1 that required a contract provision 
for the CA to skip CAA for technically constrained subCAs as it seemed that 
might require communication with leaf cert holders.  Stephen agreed to clarify 
the language that the contract was with the subCA not the leaf holders.  It was 
suggested that this change also be made in the TLS BR.



Stephen noted that CAA was one of the areas where coordination was required 
between the different CABF BR such that requirements are consistent and 
specified for the same CPS subsections.  Paul van Brouwershaven noted the 
consolidation analysis underway at 
https://vanbroup.github.io/documents/#3224-caa-records.



Dimitris asked whether additional language needed to be added to the S/MIME BR 
concerning how the DNS verification of CAA should occur, noting the recent bug 
at https://bugzilla.mozilla.org/show_bug.cgi?id=1839305.  Stephen noted that 
there was already detail on this in RFC 8659.



In cases where DNSSEC is not deployed for a corresponding FQDN, an Issuer 
SHOULD attempt to mitigate this risk by employing appropriate DNS security 
controls. For example, all portions of the DNS lookup process SHOULD be 
performed against the authoritative nameserver. Data cached by third parties 
MUST NOT be relied on as the sole source of DNS CAA information but MAY be used 
to support additional anti‑spoofing or anti-suppression controls.



Corey was not aware of anything in the standards that prevented delegation of 
such a service, but

[Smcwg-public] Draft SMCWG agenda - Wednesday, January 03, 2024

2024-01-03 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, January 03, 2024 at 11:00 am Eastern Time.

 

Here is a draft agenda for the teleconference described in the subject of
this message. Please review and propose changes if necessary.

 

1.Roll Call 

2.Note well:  Antitrust / Compliance Statement

3.Review Agenda

4.Approval of past minutes

*   December 20



5.Discussion 

*   Release of "Ballot SMC05: Adoption of CAA for S/MIME"
*   Discussion of issues covered in draft "Ballot SMC06: Clarifications
and corrections to S/MIME BR"

 

6.Any other business 

 

7.To be confirmed:  next meeting is Wednesday, January 17, 2024
at 11:00 am Eastern Time

 

Adjourn

 





[Smcwg-public] Approved Minutes of SMCWG December 6, 2023

2023-12-21 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


December 6, 2023



These are the Approved Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.


Attendees


Adrian Mueller - (SwissSign), Alison Wang - (TrustAsia), Andrea Holland - 
(VikingCloud), Andreas Henschel - (D-TRUST), Ashish Dhiman - (GlobalSign), Ben 
Wilson - (Mozilla), Bruce Morton - (Entrust), Cade Cairns - (Google), 
Christophe Bonjean - (GlobalSign), Corey Bonnell - (DigiCert), Dimitris 
Zacharopoulos - (HARICA), Don Sheehy - (CPA Canada/WebTrust), Inaba Atsushi - 
(GlobalSign), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), 
Mrugesh Chandarana - (IdenTrust), Nome Huang - (TrustAsia), Rebecca Kelley - 
(Apple), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Russ Housley - 
(Vigil Security LLC), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM 
Trust Systems), Thomas Zermeno - (SSL.com), Tim Hollebeek - (DigiCert), 
Tsung-Min Kuo - (Chunghwa Telecom), Wendy Brown - (US Federal PKI Management 
Authority)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes for the teleconference of November 15 were approved.


5. Discussion


Stephen Davidson confirmed that Ballot SMC04 was scheduled to conclude IPR 
review on December 8 and no comments had so far been received.



Stephen walked through the draft text of a ballot to introduce CAA for SMIME, 
which may be seen at 
https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...c432153a4375fbfa59bd3a75fd55e915b2f31938

He noted that he'd received good feedback from Cade Cairns and others, and 
welcomed comments on the text as the plan is to move to ballot in January. The 
ballot will be proposed by Corey Bonnell.  Ben Wilson offered to be an endorser.



Stephen noted that there was a proposal to change the location of CAA info in 
the TLS BR and that he hoped the groups would maintain consistency.



It was agreed to set adoption as a SHOULD starting on Sept 15 2024 and a SHALL 
starting on March 15 2025. He noted that CAs should be contacting vendors or 
engineering teams about those dates.



The WG discussed the Sponsor Legacy profile, in particular if the standard 
should be made more specific to ensure that the subject is a human user, not an 
unattended mailbox or device (which were intended to use the Mailbox or 
Org-validated profiles).  Stephen noted the Sponsor Legacy was intended to be a 
flexible profile to assist in moving the S/MIME universe into the auditable 
environment of the S/MIME BR.



He said the WG had the choice to tighten the Legacy profiles, which implied 
them being around for a long while, or to focus attention on implementation 
issues that prevented movement to the Multipurpose or Strict profiles.  He 
asked CAs to provide feedback from their implementation, noting that he 
understood that ERAs may have difficulty providing givenName and surname as 
separate fields rather than just the complete name as a CN.  Tim Hollebeek 
commented this may be a dominant issue for ERAs that might otherwise move to 
the Multipurpose profile.



Ben said that for now the WG should retain the flexibility of the Legacy 
profiles with clarifications if required but that it was important to gather 
data to inform the improvement of the standard as well as the eventual 
deprecation of the Legacy.



Martijn Katerbarg proposed improvement to Section 1.2 describing Mailbox 
profiles as the current text might be understood to ban the CN, which was not 
intended.




6. Any Other Business




None


7. Next call


Next call: Wednesday, December 20, 2023 at 11:00 am Eastern Time


Adjourned
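
The CAA check for S/MIME discussed in this thread, as an added sketch that is not text from the ballot nor any CA's own code: it follows RFC 9495 (`issuemail`) with the RFC 8659 section 3 tree climb, and checks every mailbox address in a request. The zone data is constructed and held in memory, and the CA domains and helper names are hypothetical.

```python
from typing import NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str
    value: str


class Decision(NamedTuple):
    allowed: bool
    reason: str


# Constructed sample records standing in for authoritative DNS answers.
ZONE = {
    "example.com": [CAA(0, "issue", "ca-b.example"),
                    CAA(0, "issuemail", "ca-a.example; account=1234")],
    "corp.example.net": [CAA(0, "issuemail", ";")],        # no CA may issue
    "example.org": [CAA(0, "issue", "ca-b.example")],       # TLS-only policy
    "example.edu": [CAA(0x80, "futuretag", "x"),            # critical, unknown
                    CAA(0, "issuemail", "ca-a.example")],
}

# Property tags this hypothetical CA understands.
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def lookup_caa(name):
    """Return the CAA RRset at exactly `name` (empty list if none).

    A real implementation queries DNS and must treat a lookup failure
    differently from an empty answer; this sketch only models answers.
    """
    return ZONE.get(name, [])


def relevant_rrset(domain):
    """RFC 8659 section 3: climb towards the root until a CAA RRset is found."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup_caa(name)
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value):
    """Issuer domain name of an issuemail value; parameters after ';' dropped."""
    return value.split(";", 1)[0].strip().lower()


def evaluate(email, ca_domains):
    """Decide whether a CA identified by `ca_domains` may issue for `email`."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return Decision(False, "not a mailbox address")
    ca = {d.lower() for d in ca_domains if d}
    name, rrset = relevant_rrset(domain)
    if not rrset:
        return Decision(True, "no CAA RRset found")
    for rr in rrset:
        if rr.flags & 0x80 and rr.tag.lower() not in KNOWN_TAGS:
            return Decision(False, f"critical unknown tag at {name}")
    issuers = [issuer_domain(rr.value) for rr in rrset
               if rr.tag.lower() == "issuemail"]
    if not issuers:
        # issue/issuewild alone place no restriction on S/MIME issuance.
        return Decision(True, f"no issuemail property at {name}")
    if any(i in ca for i in issuers):
        return Decision(True, f"authorized by issuemail at {name}")
    return Decision(False, f"issuemail at {name} names other issuers or none")


def may_issue(emails, ca_domains):
    """Issuance is allowed only if every mailbox address passes the check."""
    return all(evaluate(e, ca_domains).allowed for e in emails)
```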






[Smcwg-public] Updated text for CAA

2023-12-20 Thread Stephen Davidson via Smcwg-public
 

Hello all:

 

Following our conversation today, here is updated text for the draft CAA
ballot.  It includes:

*   Removal of RFC 8659 references
*   Removal in 4.2 of the line prohibiting the use of TLS property tags for
S/MIME
*   Clarification that the contract between the CA and the technically
constrained subCA may drop CAA
*   Two minor fixes of punctuation and spelling

 

https://github.com/cabforum/smime/compare/5fb2a7ee94d1c5684d5f32af11572e8c10cd2f8c...1fbbdc8f908e6eba779b4ea0de1cbfd20e156c3a

 

Again, I'd like to thank all our members for your participation and support
of the SMCWG over the past year.  It was no small task to create a standard
of this size - pulling together a vast array of existing international
practices into an auditable standard for the first time, and seeing its
successful adoption with relatively few reported bumps in implementation.
It's been a pleasure to work with you, and I wish you the best for the
holidays.

 

Regards, Stephen

 





[Smcwg-public] Draft SMCWG agenda - Wednesday, December 20, 2023

2023-12-18 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, December 20, 2023 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.Roll Call

2.Note well:  Antitrust / Compliance Statement

3.Review Agenda

4.Approval of past minutes

*   December 6



5.Discussion

*   Final review of CAA for SMIME 
https://github.com/cabforum/smime/compare/5fb2a7ee94d1c5684d5f32af11572e8c10cd2f8c...c261b5bfdc6dbbe45e3cfeea43e49225bad7faef
*   Will go to ballot as SMC05 in early January



6.Any other business



7.To be confirmed:  next meeting is Wednesday, January 3, 2024 at 
11:00 am Eastern Time



Adjourn





[Smcwg-public] Approved Minutes of SMCWG November 15, 2023

2023-12-07 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


November 15, 2023

 

These are the Approved Minutes of the meeting described in the subject of
this message. Corrections and clarifications where needed are encouraged by
reply.


Attendees 


Adrian Mueller - (SwissSign), Andrea Holland - (VikingCloud), Ben Wilson -
(Mozilla), Bruce Morton - (Entrust), Chad Ehlers - (IdenTrust), Christophe
Bonjean - (GlobalSign), Clint Wilson - (Apple), Corey Bonnell - (DigiCert),
Dimitris Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Inaba
Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Judith Spencer -
(CertiPath), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo),
Miguel Sanchez - (Google), Morad Abou Nasser - (TeleTrust), Paul van
Brouwershaven - (Entrust), Rebecca Kelley - (Apple), Robert Lee -
(GlobalSign), Russ Housley - (Vigil Security LLC), Scott Rea - (eMudhra),
Stefan Selbitschka - (rundQuadrat), Stephen Davidson - (DigiCert), Tadahiko
Ito - (SECOM Trust Systems), Wendy Brown - (US Federal PKI Management
Authority)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes for the meeting at the F2F CABF#60 and the teleconference of
October 25 were approved.


5. Discussion 


Stephen Davidson confirmed that Ballot SMC04 has passed and was now in IP
review, ending at 1700 UTC on December 8.

 

Stephen walked through the draft text of a ballot to introduce CAA for
S/MIME, which may be seen at

https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...29f73eb50573bf3e04cb417aaf67be1c209f066b,
noting that it drew
heavily on the text already found in the TLS BR.  Clint Wilson noted that
CAA should be applied to all email addresses in the certificate, and that
mailbox addresses in the Subject should be repeated in the SAN.

 

Stephen noted that he had reached out to KeyFactor (EJBCA) regarding the
topic, and strongly encouraged CAs that use commercial software to speak
with their respective vendors on the implementation of CAA for S/MIME.

 

Stephen outlined the timeline previously discussed in the WG, which would
call for a SHOULD after ~6 months and a SHALL after ~12 months (final dates
to be determined at the time of ballot).  He asked for feedback on the
acceptability of those timeframes.

 

Stephen then reviewed the issues at
 https://github.com/cabforum/smime/issues noting those that
are already implemented in the draft of a future cleanup ballot which can be
found at

https://github.com/srdavidson/smime/commits/Ballot-SMC05/SBR.md.

 

Stephen noted several new issues filed by Rob Lee and suggested to WG
members that this was a good place to file questions that may be raised in
the course of operating under the SBR.

 

The WG discussed the revocation backdating topic seen at
 https://github.com/cabforum/smime/issues/221.  It was
agreed to park the topic for now given the doubts that backdating had a use
in the S/MIME protocol as it stands. Stephen said the WG would return to the
topic in future if it simplified implementations for CA operators.  

 

The WG discussed the topic of the SV Legacy Subject which had arisen in
several teleconferences; Stephen noted that the group would return to it in
December. One consideration was whether to tweak the Legacy profile, or to
focus on the date upon which the Legacy profiles might be reasonably
retired.  Stephen again asked CAs to consider if there were elements missing
from the Multipurpose or Strict profiles that might complicate this
migration.

 


6. Any Other Business


 

None


7. Next call


Next call: Wednesday, December 6, 2023 at 11:00 am Eastern Time


Adjourned


 




Re: [Smcwg-public] CAA for S/MIME

2023-12-07 Thread Stephen Davidson via Smcwg-public
Thanks Bruce.  That section is planned to be deleted.

https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...c8b0c9ff9fa28c2c7abeb2871aaa2d60a19842ed

 

I can certainly move the content to 3.2.2.4 but I see that the TLS BR are
considering gathering their CAA information in 3.2.2.8 which may be
confusing for CAs?

 

The use of 4.2 would allow consistency across the two docs.

 

 

 

From: Bruce Morton
Sent: Wednesday, December 6, 2023 9:09 PM
To: Stephen Davidson; SMIME Certificate Working Group
Subject: RE: CAA for S/MIME

 

I think we need to fix this section:

 

3.2.2.4 CAA records

This version of the S/MIME Baseline Requirements does not require the CA to
check for CAA records. The CAA property tags for `issue`, `issuewild`, and
`iodef` as specified in [RFC
8659](https://datatracker.ietf.org/doc/html/rfc8659) are not recognized for
the issuance of S/MIME Certificates.

 

I would really like to add all CAA requirements to section 3.2.2.4, since it
is called CAA records. This would be in line with this TLS BR comment
https://github.com/cabforum/servercert/issues/466.

 

 

Thanks, Bruce.

 

From: Smcwg-public <smcwg-public-boun...@cabforum.org> On Behalf Of Stephen Davidson
via Smcwg-public
Sent: Wednesday, December 6, 2023 1:00 PM
To: smcwg-public@cabforum.org
Subject: [EXTERNAL] [Smcwg-public] CAA for S/MIME

 

Hello:

 

Here is an updated diff for the CAA text following our discussions today:

 

-As suggested by Cade, to add the TTL/8hr reference consistent with the TLS
BR.

-To add the implementation dates in 2.2 and 4.2

 

https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...43228a41a5cc99a3301c4066621787cde7e0f79a

 

The plan will be to move this to ballot at the start of 2024, so I encourage
CAs to engage with operations teams and/or software vendors on the
suitability of the implementation dates.

 

Best regards, Stephen

 

 



[Smcwg-public] CAA for S/MIME

2023-12-06 Thread Stephen Davidson via Smcwg-public
Hello:

 

Here is an updated diff for the CAA text following our discussions today:

 

-As suggested by Cade, to add the TTL/8hr reference consistent with the TLS
BR.

-To add the implementation dates in 2.2 and 4.2

 

https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...43228a41a5cc99a3301c4066621787cde7e0f79a

 

The plan will be to move this to ballot at the start of 2024, so I encourage
CAs to engage with operations teams and/or software vendors on the
suitability of the implementation dates.

 

Best regards, Stephen

 

 





[Smcwg-public] Draft SMCWG agenda - Wednesday, December 6, 2023

2023-12-05 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, December 6, 2023 at 11:00 am Eastern Time

 

Here is a draft agenda for the teleconference described in the subject of
this message. Please review and propose changes if necessary.

 

1.   Roll Call 

2.   Note well:  Antitrust / Compliance Statement

3.   Review Agenda

4.   Approval of past minutes

*   November 15

  

5.   Discussion 

*   Close of IPR on Ballot SMC04 this Friday
*   CAA for SMIME

https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...29f73eb50573bf3e04cb417aaf67be1c209f066b

*   Text, implementation dates, ballot plans

*   Discussion of Sponsor Legacy and Subject CN, upward migration
*   As time permits, draft SMC05 and Github issues

https://github.com/cabforum/smime/issues 

 

6.   Any other business 

 

7.   To be confirmed:  next meeting is Wednesday, December 20, 2023
at 11:00 am Eastern Time

 

  Adjourn

 

 





Re: [Smcwg-public] NOTICE OF REVIEW PERIOD - Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards

2023-11-09 Thread Stephen Davidson via Smcwg-public
Thanks Dimitris; I have added the attachment for download from 
https://cabforum.org/wp-content/uploads/SBR_SMC04_IPR.pdf

Regards, Stephen

 

From: Smcwg-public  On Behalf Of Dimitris 
Zacharopoulos (HARICA) via Smcwg-public
Sent: Thursday, November 9, 2023 10:22 AM
To: smcwg-public@cabforum.org
Subject: Re: [Smcwg-public] NOTICE OF REVIEW PERIOD - Ballot SMC04: Addition of 
ETSI TS 119 411-6 to audit standards

 

Stephen,

You might want to re-send the email because the attachment was broken (at least 
in my TB mail client).


Thank you,
Dimitris.

On 8/11/2023 7:07 PM, Stephen Davidson via Smcwg-public wrote:

NOTICE OF REVIEW PERIOD – BALLOT SMC04

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC04
Start of Review Period: November 8, 2023
End of Review Period: 1700 UTC on December 8, 2023

Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also 
https://cabforum.org/ipr-policy/.
An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.

 







[Smcwg-public] NOTICE OF REVIEW PERIOD - Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards

2023-11-08 Thread Stephen Davidson via Smcwg-public
NOTICE OF REVIEW PERIOD - BALLOT SMC04

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC04
Start of Review Period: November 8, 2023
End of Review Period: 1700 UTC on December 8, 2023

Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also 
https://cabforum.org/ipr-policy/.
  An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.







[Smcwg-public] RESULTS OF BALLOT - SMC04: Addition of ETSI TS 119 411-6 to audit standards

2023-11-08 Thread Stephen Davidson via Smcwg-public
Results of Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards

The voting period for Ballot SMC04 (Addition of ETSI TS 119 411-6 to audit 
standards) has completed, and the ballot has passed.



Voting Results

Certificate Issuers

15 votes total, with no abstentions:

*   15 Issuers voting YES: Actalis, Buypass, Chunghwa Telecom, DigiCert, 
D-Trust, eMudhra, Entrust, GlobalSign, HARICA, OISTE Foundation, SECOM, 
Sectigo, SSL.com, SwissSign, Telia
*   0 Issuers voting NO
*   0 Issuers ABSTAIN

Certificate Consumers

2 votes total, with no abstentions:

*   2 Consumers voting YES: Mozilla, rundQuadrat
*   0 Consumers voting NO
*   0 Consumers ABSTAIN

Bylaws Requirements

1.  Bylaw 2.3(f) requires:

   0.   A "yes" vote by two-thirds of Certificate Issuer votes and by 
50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted 
for this purpose. This requirement was MET for Certificate Issuers and MET for 
Certificate Consumers.
   1.   At least one Certificate Issuer and one Certificate Consumer Member 
must vote in favor of a ballot for the ballot to be adopted. This requirement 
was MET.

2.  Bylaw 2.3(g) requires that a ballot result only be considered valid 
when "more than half of the number of currently active Members has 
participated". The number of currently active Voting Members is the average 
number of Voting Member organizations that have participated in the previous 
three meetings. Votes to abstain are counted in determining quorum. The quorum 
was 10 for this ballot. This requirement was MET.

This ballot now enters the 30-day IP Rights Review Period to permit members to 
review the ballot for relevant IP rights issues.  The IP Rights Review Period 
ends at 1700 UTC on December 8, 2023.











[Smcwg-public] VOTE FOR APPROVAL Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards

2023-11-01 Thread Stephen Davidson via Smcwg-public
Hello:



The voting period for Ballot SMC04 has started. Votes must be cast on the SMCWG 
public list and in accordance with the Charter and By-Laws.

Voting on SMC04 concludes on 08 November 2023 at 17:00 UTC.



Regards, Stephen





Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards



Purpose of Ballot:



The ballot proposes changes to the S/MIME Baseline Requirements, and in others 
to make corrections.  The affected sections include:



*   Clarify the Revisions table in section 1.2.1 to more clearly 
differentiate the effective date (publication of the version) from additional 
compliance dates; and
*   Add ETSI TS 119 411-6 as an audit criterion in Sections 1.6.3, 8.4, and 
8.6.



The following motion has been proposed by Stephen Davidson of DigiCert and 
endorsed by Dimitris Zacharopoulos of HARICA and Paul van Brouwershaven of 
Entrust.



- MOTION BEGINS -



This ballot modifies the "Baseline Requirements for the Issuance and Management 
of Publicly-Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") 
resulting in Version 1.0.2.



The proposed modifications to the S/MIME Baseline Requirements may be found at

https://github.com/cabforum/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...c6916c7156a711b59f8e6790ff0ee0fedb7bd270.



The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and 
Version Number of the S/MIME Baseline Requirements to reflect final dates.



- MOTION ENDS -



This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:



Discussion (7 days)

Start Time: October 25, 2023 17:00 UTC

End Time: November 1, 2023 17:00 UTC



Vote for approval (7 days)

Start Time: November 1, 2023 17:00 UTC

End Time: November 8, 2023 17:00 UTC







Re: [Smcwg-public] Considering CAA for the S/MIME Baseline Requirements

2023-10-30 Thread Stephen Davidson via Smcwg-public
Hi Bruce - that's correct.  I was linking to the current SBR for those who
aren't familiar with it.

We'll soon be looking at the draft CAA text (which is a WIP at
https://github.com/srdavidson/smime/blob/CAA/SBR.md)

Best, Stephen

 

 

 

From: Bruce Morton  
Sent: Monday, October 30, 2023 3:48 PM
To: Stephen Davidson; SMIME Certificate Working Group
Subject: RE: Considering CAA for the S/MIME Baseline Requirements

 

Hi Stephen,

 

I think the wrong link was provided as the link below does not show a new
plan for CAA.

 

Thanks, Bruce.

 

From: Smcwg-public <smcwg-public-boun...@cabforum.org> On Behalf Of Stephen Davidson
via Smcwg-public
Sent: Monday, October 30, 2023 2:28 PM
To: smcwg-public@cabforum.org
Subject: [EXTERNAL] [Smcwg-public] Considering CAA for the S/MIME Baseline
Requirements

 


 

Hello:

 

The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum
proposes to add a requirement for CAs issuing publicly-trusted S/MIME
certificates to implement Certificate Authority Authorization (CAA)
checking.  Public-trust CAs have used CAA for some time when issuing TLS
certificates, and the new RFC 9495
<https://www.rfc-editor.org/rfc/rfc9495.html> extends CAA with a new property
tag for "issuemail".

 

The benefit is that domain holders will be able to specify CAs they
authorize to issue certificates on their behalf separately for TLS and for
S/MIME.

 

The current plan is to allow up to 12 months for CAs to implement CAA
following publication of the amending ballot to the S/MIME Baseline
Requirements <https://github.com/cabforum/smime/blob/main/SBR.md>.

 

The SMCWG is now starting work on that amending ballot.  We encourage both
Certificate Issuers as well as PKI application software providers involved
in issuing S/MIME certificates to become familiar with RFC 9495, and welcome
feedback on the pending requirement and implementation timeframe.

 

With kind regards,

Stephen Davidson

Chair, S/MIME Certificate Working Group

 



[Smcwg-public] Considering CAA for the S/MIME Baseline Requirements

2023-10-30 Thread Stephen Davidson via Smcwg-public
Hello:



The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum proposes 
to add a requirement for CAs issuing publicly-trusted S/MIME certificates to 
implement Certificate Authority Authorization (CAA) checking.  Public-trust CAs 
have used CAA for some time when issuing TLS certificates, and the new RFC 
9495 extends CAA with a new 
property tag for "issuemail".



The benefit is that domain holders will be able to specify CAs they authorize 
to issue certificates on their behalf separately for TLS and for S/MIME.



The current plan is to allow up to 12 months for CAs to implement CAA following 
publication of the amending ballot to the S/MIME Baseline 
Requirements.



The SMCWG is now starting work on that amending ballot.  We encourage both 
Certificate Issuers as well as PKI application software providers involved in 
issuing S/MIME certificates to become familiar with RFC 9495, and welcome 
feedback on the pending requirement and implementation timeframe.



With kind regards,

Stephen Davidson

Chair, S/MIME Certificate Working Group





[Smcwg-public] November Schedule Changes for SMCWG

2023-10-27 Thread Stephen Davidson via Smcwg-public
Hello:



Just a reminder that at the recent SMCWG teleconference, the following schedule 
changes were agreed:



Nov 8 - Cancelled due to conflicts with IETF and PQC conference

Nov 15 - Add a catchup teleconference

Nov 22 - Cancelled due to US holiday



You should see some calendar invite/changes coming through.



Regards, Stephen





[Smcwg-public] Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards - discussion period begins

2023-10-25 Thread Stephen Davidson via Smcwg-public
Ballot SMC04: Addition of ETSI TS 119 411-6 to audit standards



Purpose of Ballot:



The ballot proposes changes to the S/MIME Baseline Requirements, and in others 
to make corrections.  The affected sections include:



*   Clarify the Revisions table in section 1.2.1 to more clearly 
differentiate the effective date (publication of the version) from additional 
compliance dates; and
*   Add ETSI TS 119 411-6 as an audit criterion in Sections 1.6.3, 8.4, and 
8.6.



The following motion has been proposed by Stephen Davidson of DigiCert and 
endorsed by Dimitris Zacharopoulos of HARICA and Paul van Brouwershaven of 
Entrust.



- MOTION BEGINS -



This ballot modifies the "Baseline Requirements for the Issuance and Management 
of Publicly-Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") 
resulting in Version 1.0.2.



The proposed modifications to the S/MIME Baseline Requirements may be found at

https://github.com/cabforum/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...c6916c7156a711b59f8e6790ff0ee0fedb7bd270.



The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and 
Version Number of the S/MIME Baseline Requirements to reflect final dates.



- MOTION ENDS -



This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:



Discussion (7 days)

Start Time: October 25, 2023 17:00 UTC

End Time: November 1, 2023 17:00 UTC





[Smcwg-public] Draft SMCWG agenda - Wednesday, October 25, 2023

2023-10-24 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, October 25, 2023 at 11:00 am Eastern Time

 

Here is a draft agenda for the teleconference described in the subject of
this message. Please review and propose changes if necessary.

 

1. Roll Call

2. Note well:  Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

*   F2F CABF#60 minutes still pending



5. Discussion

*   Note: Upcoming Ballot SMC04 on ETSI TS 119 411-6
*   Note: CAA for SMIME RFC  
https://rfc-editor.org/rfc/rfc9495.html 
*   Discussion of naming in Sponsor- versus Organization-validated
*   Possible implementation survey via CCADB
*   Call schedule confirmation
*   Note: Github issues review

https://github.com/cabforum/smime/issues 

 

6. Any other business

7. Next meeting:  Wednesday, November 8, 2023 at 11:00 am Eastern
Time

Adjourn

 

 





[Smcwg-public] Approved Minutes of SMCWG September 27, 2023

2023-10-24 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


September 27, 2023

 

These are the Approved Minutes of the Teleconference described in the
subject of this message. Corrections and clarifications where needed are
encouraged by reply.


Attendees 


Abhishek Bhat - (eMudhra), Andrea Holland - (VikingCloud), Andreas Henschel
- (D-TRUST), Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Bilal
Ashraf - (SSL.com), Cade Cairns - (Google), Clint Wilson - (Apple), Hazhar
Ismail - (MSC Trustgate Sdn Bhd), Inaba Atsushi - (GlobalSign), Inigo
Barreira - (Sectigo), Judith Spencer - (CertiPath), Keshava Nagaraju -
(eMudhra), Li-Chun Chen - (Chunghwa Telecom), Mrugesh Chandarana -
(IdenTrust), Nome Huang - (TrustAsia Technologies, Inc.), Paul van
Brouwershaven - (Entrust), Pekka Lahtiharju - (Telia Company), Rebecca
Kelley - (Apple), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia
Technologies, Inc.), Russ Housley - (Vigil Security LLC), Scott Rea -
(eMudhra), Stefan Selbitschka - (rundQuadrat), Stephen Davidson -
(DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno -
(SSL.com), Tim Crawford - (CPA Canada/WebTrust), Tsung-Min Kuo - (Chunghwa
Telecom), Wendy Brown - (US Federal PKI Management Authority), Yashwanth TM
- (eMudhra)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes were approved from the following teleconferences:

* September 13


5. Discussion 


Russ Housley noted that the draft RFC for CAA for S/MIME was approaching
conclusion and publication.  Stephen Davidson said that, once the RFC was
published, the SMCWG would move to introduce a ballot requiring CAA for
S/MIME with a long implementation window.

 

Russ also noted that a new RFC was underway that would replace the one
referenced for otherName of type id-on-SmtpUTF8Mailbox.

 

Stephen again noted the issues list is being actively updated at
https://github.com/cabforum/smime/issues and encouraged
SMCWG members to comment there.  He is working on a draft SMC04 ballot of
further corrections which may be seen at

https://github.com/srdavidson/smime/blob/Ballot-SMC04/SBR.md.

 

The WG discussed proposed text to incorporate intermediate CAs in the
definition of Extant S/MIME CA.  

 

Stephen noted an email sent to the list by Martijn Katerbarg describing that
backdating of revocations was now permitted in both the Code Signing and TLS
BR, but is not described in the S/MIME BR.  Clint Wilson said he had no
strong objection to adding this allowance, as it would not block a user from
accessing old emails. Russ noted that the CS and TLS BR vary in their
description of invalidityDate versus revocationDate.  Scott Rea said it is
unknown if email software is generally aware of the invalidityDate extension
but clear standards might make it more attractive.

 

Wendy Brown said that email software UI is often not specific about
"problems relating the certificate" including expiry and revocation and
wondered if such a requirement should be expressed as a MAY rather than a
SHOULD.  

 

Paul van Brouwershaven and Stefan Selbitschka said that email software
treated time stamps loosely so the effectiveness of revocation times was
reduced. Stephen asked if the WG had any sway to affect those industry
standards, other than to ensure that revocation times were as accurate as
possible.

 

Stephen described proposed text in the draft SMC04 which requires "the
proper stacking" of address fields (for example, only allowing streetAddress
if locality or state was present).  No objections were raised.

 

Stephen described proposed text in the draft SMC04 to reference the new ETSI
TS 119 411-6 in sections 8.4 and 8.6.  He said he would also share it with
ACAB'c, and no objections were raised.

 

Stephen described proposed text in the draft SMC04 to clarify the keyUsage
table.  No objections were raised.

 

The WG discussed the agenda for the CABF #60 meeting.  Topics included
Pseudonym, organisationIdentifier and jurisdiction level setting, CAA for
S/MIME.  Other possible topics raised included extensions showing ERA
involvement, attestation of keys, and whether to adopt a table format such
as recently introduced to the TLS BR in ballot SC62.  Clint noted that he
would like the deprecation timeline for

[Smcwg-public] SMCWG at the F2F CABF Meeting #60 next Thursday

2023-09-30 Thread Stephen Davidson via Smcwg-public
Hello all:



Details and teleconference details for the F2F are in the wiki.



The SMCWG session will be on Thursday at 11:15-noon EST and then from 
13:00-14:30 EST.  EST is UTC-4.



As discussed on the call, the agenda will include (in unsorted order):



*   OrgID jurisdiction rule (including potential use of the EUID)
*   Pseudonyms

*   Discussion of SBR implementation/Roadmap for Legacy
*   Future work possibilities:

   *   SMC04
   *   Revocation backdate
   *   CAA for SMIME
   *   Other topics such as ERA extension, attestations, etc



   If others have topics they would like to propose for the agenda, please 
contact Martijn or me.



   Regards, Stephen



[Smcwg-public] Approved Minutes of SMCWG September 13, 2023

2023-09-30 Thread Stephen Davidson via Smcwg-public


Minutes of SMCWG


September 13, 2023

 

These are the Approved Minutes of the Teleconference described in the subject 
of this message. Corrections and clarifications where needed are encouraged by 
reply.


Attendees 


Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Andrea Holland - 
(VikingCloud), Andreas Henschel - (D-TRUST), Ashish Dhiman - (GlobalSign), Ben 
Wilson - (Mozilla), Bruce Morton - (Entrust), Clint Wilson - (Apple), Corey 
Bonnell - (DigiCert), Dave Chin - (CPA Canada/WebTrust), Dimitris Zacharopoulos 
- (HARICA), Eva Vansteenberge - (GlobalSign), Inaba Atsushi - (GlobalSign), 
Inigo Barreira - (Sectigo), Jochem van den Berge - (Logius PKIoverheid), Judith 
Spencer - (CertiPath), Keshava Nagaraju - (eMudhra), Li-Chun Chen - (Chunghwa 
Telecom), Martijn Katerbarg - (Sectigo), Morad Abou Nasser - (TeleTrust), 
Mrugesh Chandarana - (IdenTrust), Nome Huang - (TrustAsia Technologies, Inc.), 
Paul van Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca 
Kelley - (Apple), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia 
Technologies, Inc.), Scott Rea - (eMudhra), Stefan Selbitschka - (rundQuadrat), 
Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas 
Zermeno - (SSL.com), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - 
(DigiCert), Wendy Brown - (US Federal PKI Management Authority) 


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes were approved from the following teleconferences:

* August 30


5. Discussion 


A question was raised if the definition of "Extant S/MIME CA" extended to 
intermediate CAs that may sit between the Root CA and the Issuing CA (as the 
current definition refers to a SubCA that "has issued end entity S/MIME 
Certificates"). Following discussion, the WG agreed that such intermediate CAs 
may fit the definition of "Extant S/MIME CA".  It was agreed that the 
definition may be clarified in a future ballot.

 

The question was raised whether cross-signed CAs fit the definition.  Stephen 
Davidson asked for examples.

 

Stephen began a conversation about questions that had been raised by 
Certificate Issuers during the S/MIME BR implementation.  The first was related 
to the Pseudonym as described in Section 3.1.3, which says:

 

"If present, the subject:pseudonym attribute SHALL be:

 

1.  either a unique identifier selected by the CA for the Subject of the 
Certificate; or

2.  an identifier selected by the Enterprise RA which uniquely identifies 
the Subject of the Certificate within the Organization included in the 
subject:organizationName attribute."

 

It was discussed that in the Sponsor-validated category, ERAs might assign 
certificates with differing personal email addresses but a common CN showing a 
role.

 

The question was raised why the Pseudonym was required to be unique.  Stephen 
verified that ETSI EN 319 412-2 does not require uniqueness of the Pseudonym.  
Judith Spencer noted that standards generally require uniqueness only at the 
Subject DN level, and Stephen noted this might not require explicit uniqueness 
at the pseudonym level.  Martijn Katerbarg suggested that item 1 could be 
amended to "either an identifier selected by the CA which uniquely identifies 
the Subject of the Certificate; or" and it was then discussed if the unique 
stipulation is required at all, or if additional rules needed to be defined for 
pseudonyms.  Stephen asked that Certificate Issuers review this case, 
particularly related to ERAs.

 

Stephen proposed that the group consider an anonymous poll of Certificate 
Issuers regarding which CPs from the S/MIME BR had been implemented.

 

A previous discussion of OrganizationIdentifiers was continued.  It was pointed 
out that the provided example of "NTRUS+CA" described state-level registration 
for the United States but that there was no formal list of what other countries 
required such treatment.  Stephen noted that there was variation in the similar 
JOI treatment for the EVG, and proposed that the S/MIME BR either include a 
list of countries registering at the state or province level, or that it define 
a rule for determining such a list.

 

Eva van Steenberge noted that one method was to look at whether the identifier 
number was unique at the level that precedes it (this could mean that 
registration could be at state level but numbers are unique at the country 
level).  The group agreed this was a valid approach.

 

However, exceptions may still exist in some EU countries like Germany.  Stephen 
noted that under ETSI treatment it seemed this was ignored - and Eva noted that 
CAs might avoid that by using a different orgID prefix or LEI. Stephen noted 
the 

Re: [Smcwg-public] [Smcwg-management] OrganizationIdentifier & German public registers

2023-09-30 Thread Stephen Davidson via Smcwg-public
Thank you Adrian:



The topic of OrgID (and jurisdiction level setting) will be on our Agenda for 
the F2F next week.  I hope that you and your colleagues can join us, even if 
online, to discuss this.



Best, Stephen







From: Smcwg-public  On Behalf Of Adrian 
Mueller via Smcwg-public
Sent: Wednesday, September 27, 2023 4:45 AM
To: Dimitris Zacharopoulos (HARICA) ; 
smcwg-public@cabforum.org
Subject: Re: [Smcwg-public] [Smcwg-management] OrganizationIdentifier & German 
public registers



Dear Dimitris,

Dear all,



My apologies, I just saw your email now. Of course I am happy to re-send the 
message to the public mailing list of the SMCWG as you requested, see below.





Best regards



Adrian



Adrian M. Mueller

Product Manager Certificate Services



+41 43 811 05 97

adrian.muel...@swisssign.com



From: Smcwg-management <smcwg-management-boun...@cabforum.org>
On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-management
Sent: Thursday, September 21, 2023 11:59 AM
To: smcwg-managem...@cabforum.org
Subject: Re: [Smcwg-management] OrganizationIdentifier & German public registers



On 13/9/2023 7:17 μ.μ., Adrian Mueller via Smcwg-management wrote:

   Dear Stephen,

   Dear all,



   Upon your request I re-send my email from 22 May this year about uniqueness 
of German register numbers again to the list (see below). In addition, I attach 
my short presentation about the topic shown at the last F2F SMIME BR WG meeting 
in Redmond.



   In a nutshell it is like this: The “EUID” is an identifier scheme regulated 
on EU level and is especially handy within Germany as it provides a unique 
identifier for registered organizations. Therefore, the organizationIdentifier 
“NTRDE-” is worldwide unique.



   For any questions please don’t hesitate to ask.


   Hi Adrian,

   Would you please re-post this to the public mailing list? The content 
doesn't seem to match the scope of the Member's mailing list as stated in 
section 5.1. of the Bylaws.


   Thanks,
   Dimitris.







   Best regards



   Adrian





   Adrian M. Mueller

   Product Manager Certificate Services



   +41 43 811 05 97

   adrian.muel...@swisssign.com



   From: Adrian Mueller
   Sent: Monday, May 22, 2023 9:29 AM
   To: smcwg-managem...@cabforum.org; 
Entschew, Enrico ; 
Henschel, Andreas ; 
Wichmann, Markus Peter 
; 
stefan.ki...@telekom.de; 
arnold.ess...@telekom.de; 
jan.voel...@telekom.de
   Subject: OrganizationIdentifier & German public registers



   Dear members of the S/MIME certificate working group,



   We (D-Trust, Siemens, Telekom Security & SwissSign) have discussed a 
specific issue regarding the new attribute “OrganizationIdentifier” (OrgID) 
when containing a German register number. We would like to share the results 
and discuss it further within the S/MIME mailing group.



   Background:

   The OrganizationIdentifier attribute and its use with trade/commercial 
register identifiers is specified and explained in the chapters 7.1.4.2.2 d. 
and A.1 of the S/MIME Baseline Requirements. The standard defines the 
composition of such an identifier as follows (for trade registers):

   1.   Prefix NTR (for “National Trade Register”) followed by the ISO-3166 
alpha-2 country code, a dash ‘-‘ and the register ID itself.
   Example: NTRFR-123456789 for a French register ID (“SIREN” number)

   2.   For the US and for Canada the state is included in the prefix as 
well. The reason is that the trade registers are maintained on the state level 
and the register IDs are unique at this level only.
   Example: NTRUS+CA-12345678 (State of California)



   Germany:

   Within Germany we face the problem that trade registers and the numbers they 
assign are not kept on a Germany-wide level and not even on the state level 
either. The commercial registers are maintained by district courts 
(“Amtsgerichte”). Therefore, the according numbering schemes are only unique on 
a district level; neither the (fictional) OrganizationIdentifier NTRDE-HRA123456 
nor NTRDE+NW-HRA123456 guarantee uniqueness. The register ID “HRA123456” can be 
assigned several times not only within Germany but even within the “Bundesland” 
(state) North Rhine-Westphalia (NW).



   EUID:

   Therefore, in order to provide uniqueness on a Germany-wide level the 
register provider needs to be uniquely identified as well and a unique ID 
assigned to the register should be included in the OrganizationIdentifier. This 
is where the “EUID” comes into play. The EUID is a common format for commercial 
register IDs within the European Union / European Economic Area (EU/EEA). It is 
based upon EU legisl
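
The identifier layout and the German uniqueness problem described in the message above, as an added example that is not part of the original thread or of the S/MIME BR. The `Registration` records, the organization names and the `COURT-A`/`COURT-B` register codes are constructed placeholders (they are not EUID syntax); only the `NTR` prefix, the country/state layout and the sample identifiers come from the message.

```python
"""Added example: parse organizationIdentifier values and detect collisions."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# Layout described in the message: 3-letter scheme (NTR), ISO 3166 alpha-2
# country code, optional "+" and 2-letter state, a dash, then the register ID.
_ORG_ID = re.compile(
    r"(?P<scheme>[A-Z]{3})"
    r"(?P<country>[A-Z]{2})"
    r"(?:\+(?P<state>[A-Z]{2}))?"
    r"-(?P<reference>\S+)"
)


class OrgId(NamedTuple):
    scheme: str
    country: str
    state: Optional[str]
    reference: str

    def __str__(self) -> str:
        state = f"+{self.state}" if self.state else ""
        return f"{self.scheme}{self.country}{state}-{self.reference}"


def parse_org_id(value: str) -> OrgId:
    """Split an organizationIdentifier into its parts or raise ValueError."""
    m = _ORG_ID.fullmatch(value)
    if m is None:
        raise ValueError(f"not a well-formed organizationIdentifier: {value!r}")
    return OrgId(m["scheme"], m["country"], m["state"], m["reference"])


class Registration(NamedTuple):
    """One register entry as a CA's validation data might hold it (constructed)."""
    organization: str
    country: str
    state: Optional[str]
    register: str  # authority that assigned the number (hypothetical code)
    number: str


def build_org_id(reg: Registration, include_state: bool = False,
                 include_register: bool = False) -> OrgId:
    """Derive an NTR identifier at the chosen level of jurisdiction detail."""
    reference = f"{reg.register}.{reg.number}" if include_register else reg.number
    return OrgId("NTR", reg.country, reg.state if include_state else None, reference)


def find_collisions(regs: Iterable[Registration], **levels: bool) -> Dict[str, List[str]]:
    """Return identifiers that would be shared by more than one organization."""
    seen = defaultdict(set)
    for reg in regs:
        seen[str(build_org_id(reg, **levels))].add(reg.organization)
    return {oid: sorted(orgs) for oid, orgs in seen.items() if len(orgs) > 1}


# Constructed sample: two companies in North Rhine-Westphalia registered at
# different district courts with the same (fictional) number from the message.
SAMPLE = [
    Registration("Example Alpha KG", "DE", "NW", "COURT-A", "HRA123456"),
    Registration("Example Beta KG", "DE", "NW", "COURT-B", "HRA123456"),
    Registration("Example Gamma Inc", "US", "CA", "STATE-CA", "12345678"),
]

if __name__ == "__main__":
    print(parse_org_id("NTRUS+CA-12345678"))
    print("country level :", find_collisions(SAMPLE))
    print("state level   :", find_collisions(SAMPLE, include_state=True))
    print("register level:", find_collisions(SAMPLE, include_state=True,
                                             include_register=True))
```

A CA could run the same collision check over its own validated register data to see at which jurisdiction level a given country's numbers stop being unique.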

Re: [Smcwg-public] Fields for S/MIME CSRs

2023-09-30 Thread Stephen Davidson via Smcwg-public
Hello all:

 

If widely supported, should we consider documenting this in the S/MIME BR?

 

Best, Stephen

 

 

From: Smcwg-public  On Behalf Of Clint 
Wilson via Smcwg-public
Sent: Friday, September 29, 2023 12:52 PM
To: Ben Wilson ; SMIME Certificate Working Group 

Subject: Re: [Smcwg-public] Fields for S/MIME CSRs

 

Hi all,

 

In my opinion, CSRs should really be limited to conveying the public key and a 
proof of possession of the private key; the fields included therein may act as 
confirmatory signals for a CA, but shouldn’t be directly relied upon e.g. to 
generate a tbsCertificate. Rather, the values placed in fields of a 
tbsCertificate should originate from the CA’s validated data store to ensure 
that the only paths for data to become part of a signed certificate are through 
static configurations (e.g. signatureAlgorithm) or known-validated data.

 

There’s plenty of nuance we can discuss as well, but generally speaking I 
believe it’s bad practice to rely on fields in the CSR.

 

Cheers,

-Clint





On Sep 29, 2023, at 8:27 AM, Ben Wilson via Smcwg-public 
<smcwg-public@cabforum.org> wrote:

 

All,

I'm interested in gathering information from Certificate Issuers about the kind 
of information that they would like to collect/extract from the CSRs they 
receive from S/MIME certificate applicants. This information could be used to 
refine a system to generate CSRs that result in certificates compliant with the 
various profiles defined in the S/MIME BRs. Alternatively, what is the minimum 
amount of information that CAs might expect to obtain from CSRs? In other 
words, which fields should a CSR generator integrated with a Certificate 
Consumer's software support?

Thanks,

Ben

___
Smcwg-public mailing list
Smcwg-public@cabforum.org  
https://lists.cabforum.org/mailman/listinfo/smcwg-public
 

 

 



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


[Smcwg-public] Draft SMCWG agenda - Wednesday, September 27, 2023

2023-09-26 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, September 27, 2023 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.Roll Call

2.Note well:  Antitrust / Compliance Statement

3.Review Agenda

4.Approval of past minutes

*   September 13



5.Discussion

*   Intermediates as Extant SMIME CAs
*   Backdating of revocations
*   Github issues review https://github.com/cabforum/smime/issues
*   Planning for F2F #60



6.Any other business



7.Next meeting:  F2F #60, see wiki

Adjourn





___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


[Smcwg-public] ETSI announcement re: TS 119 411-6

2023-09-20 Thread Stephen Davidson via Smcwg-public
 

Re: "ETSI requirements for trust service providers issuing publicly trusted
S/MIME certificates"

https://www.etsi.org/newsroom/news/2275-etsi-standard-for-it-solution-providers-comply-euregulation-on-electronic-signatures-emails

 

best regards, Stephen



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


[Smcwg-public] Draft SMCWG agenda - Wednesday, September 13, 2023

2023-09-12 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, September 13, 2023 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.Roll Call

2.Note well:  Antitrust / Compliance Statement

3.Review Agenda

4.Approval of past minutes

*   August 30



5.Discussion

*   Extant CA definition in cases with multiple "subCA layers"
*   Uniqueness of Pseudonym
*   Possible survey of SBR "generation" uses
*   Continuation of OrganizationIdentifier discussion
*   Github issues review https://github.com/cabforum/smime/issues



6.Any other business



7.Next call:  Wednesday, September 27, 2023 at 11:00 am Eastern Time

Upcoming: F2F Meeting 60 (see wiki for agenda)



Adjourn



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


Re: [Smcwg-public] Definition of extant CA

2023-09-12 Thread Stephen Davidson via Smcwg-public
Thank you Jochem:

We will add this to the agenda of our next SMCWG meeting.

With kind regards, Stephen

 

 

 

From: Smcwg-public  On Behalf Of Berge,
Jochem Van den via Smcwg-public
Sent: Tuesday, September 12, 2023 6:01 AM
To: smcwg-public@cabforum.org
Cc: Berg, Patrick van den ; Weissenberg, David

Subject: [Smcwg-public] Definition of extant CA

 

Hi all,

 

Ballot SMC03 introduced the term "extant CA" as follows:

 

1.  Is a Publicly-Trusted Subordinate CA Certificate whose `notBefore`
field is before September 1, 2023 and has issued end entity S/MIME
Certificates;
2.  The CA Certificate includes no Extended Key Usage extension,
contains `anyExtendedKeyUsage` in the EKU extension, or contains
`id-kp-emailProtection` in the EKU extension; 
3.  The CA Certificate complies with the profile defined in
[RFC 5280](http://tools.ietf.org/html/rfc5280). The following two deviations
from the [RFC 5280](http://tools.ietf.org/html/rfc5280) profile are acceptable: 

a.  The CA Certificate contains a `nameConstraints` extension that is
not marked critical; 
b.  The CA Certificate contains a policy qualifier of type UserNotice
which contains `explicitText` that uses an encoding that is not permitted by
[RFC 5280](http://tools.ietf.org/html/rfc5280) (i.e., the `DisplayText` is
encoded using BMPString or VisibleString); and 

4.  The CA Certificate contains the `anyPolicy` identifier (2.5.29.32.0)
or specific OIDs in the `certificatePolicies` extension that do not include
those defined in [Section
7.1.6.1](#7161-reserved-certificate-policy-identifiers) of these
Requirements.

 

Now it might seem like nit-picking but we had a question specifically about
the first line. If a CA is S/MIME capable but only issues other CA
certificates which in turn issue end-user S/MIME certificates, is that still
covered by this definition?  

 

PKIoverheid operates a 4-layer hierarchy in which the level 2 CAs only issue
CA certificates to Trust Service providers who actually issue end-user
(S/MIME and qualified) certificates. We're asking this question because
we're currently planning (re)issuance of existing PKIoverheid level 3 CAs to
remain compliant with the SBRGs (or move them off S/MIME completely when it
is no longer needed) per the timelines stated in Appendix B. 

 

Reading the text verbatim would indicate that the level 2 CAs are not
included in the definition of the "extant CA" since it never has and never
will issue end-user certificates of any kind but we have our doubts if that
is a valid interpretation.

 

What take do other CAs (or browsers) have on this? 

 

Kind Regards,

 

Jochem van den Berge

Compliance officer PKIoverheid

 

Logius

 

Digital Government Service

Ministry of the Interior and Kingdom Relations



 

M (+31) (0)6 - 21 16 26 89

T  (+31) (0)70 - 888 76 91

  jochem.vanden.be...@logius.nl
 

www.logius.nl

 

workdays Mo-Tue & Thu-Fri



 

 

  _  

This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages. 



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/m
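
The four "extant CA" criteria quoted in the message above, written out as a check, as an added example that is not part of the original thread or of the S/MIME BR. It encodes only the verbatim reading of criterion 1 that the message asks about and takes no position on whether that reading is correct; the `CaCert` fields, the sample hierarchy and the use of the `2.23.140.1.5.` arc to recognise the Section 7.1.6.1 reserved policy OIDs are assumptions.

```python
"""Added example: the quoted "extant CA" definition as an explicit check."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional

ANY_POLICY = "2.5.29.32.0"              # anyPolicy, as quoted in criterion 4
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
CUTOFF = datetime(2023, 9, 1, tzinfo=timezone.utc)
# Assumption: the reserved S/MIME BR policy OIDs (Section 7.1.6.1) share this arc.
SBR_POLICY_ARC = "2.23.140.1.5."


@dataclass(frozen=True)
class CaCert:
    """Facts about a CA certificate, already extracted by the CA (constructed)."""
    name: str
    publicly_trusted_sub_ca: bool
    not_before: datetime
    issued_end_entity_smime: bool    # has this CA itself issued S/MIME leaves?
    eku: Optional[FrozenSet[str]]    # None means no EKU extension at all
    policies: FrozenSet[str]         # OIDs in certificatePolicies
    rfc5280_profile_ok: bool         # criterion 3, incl. the two tolerated deviations


def extant_findings(ca: CaCert) -> List[str]:
    """Return the criteria a certificate fails; an empty list means 'extant'."""
    failed = []
    if not ca.publicly_trusted_sub_ca:
        failed.append("1-subordinate-ca")
    if not ca.not_before < CUTOFF:
        failed.append("1-notBefore")
    if not ca.issued_end_entity_smime:          # the verbatim reading in question
        failed.append("1-issuance")
    if ca.eku is not None and not ({ANY_EKU, EMAIL_PROTECTION} & ca.eku):
        failed.append("2-eku")
    if not ca.rfc5280_profile_ok:
        failed.append("3-profile")
    has_reserved = any(oid.startswith(SBR_POLICY_ARC) for oid in ca.policies)
    if not (ANY_POLICY in ca.policies or (ca.policies and not has_reserved)):
        failed.append("4-policies")
    return failed


def is_extant(ca: CaCert) -> bool:
    return not extant_findings(ca)


_OLD = datetime(2020, 1, 1, tzinfo=timezone.utc)
# Constructed hierarchy mirroring the question: the level 2 CA only signs CA
# certificates, the level 3 CA issues end-user S/MIME certificates.
LEVEL2 = CaCert("level 2 CA", True, _OLD, False, None, frozenset({ANY_POLICY}), True)
LEVEL3 = CaCert("level 3 CA", True, _OLD, True, None, frozenset({ANY_POLICY}), True)
NEW_CA = CaCert("post-cutoff CA", True, datetime(2023, 10, 1, tzinfo=timezone.utc),
                True, frozenset({EMAIL_PROTECTION}),
                frozenset({SBR_POLICY_ARC + "3.1"}), True)

if __name__ == "__main__":
    for ca in (LEVEL2, LEVEL3, NEW_CA):
        print(f"{ca.name}: extant={is_extant(ca)} failed={extant_findings(ca)}")
```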

[Smcwg-public] Approved Minutes of SMCWG August 2, 2023

2023-09-05 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


August 2, 2023



These are the Approved Minutes of the Teleconference described in the subject 
of this message. Corrections and clarifications where needed are encouraged by 
reply.


Attendees


Adrian Mueller - (SwissSign), Andrea Holland - (VikingCloud), Ashish Dhiman - 
(GlobalSign), Bruce Morton - (Entrust), Cade Cairns - (Google), Clint Wilson - 
(Apple), Corey Bonnell - (DigiCert), Don Sheehy - (CPA Canada/WebTrust), Enrico 
Entschew - (D-TRUST), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), 
Janet Hines - (VikingCloud), Judith Spencer - (CertiPath), Li-Chun Chen - 
(Chunghwa Telecom), Marco Schambach - (IdenTrust), Morad Abou Nasser - 
(TeleTrust), Nome Huang - (TrustAsia Technologies, Inc.), Pedro Fuentes - 
(OISTE Foundation), Pekka Lahtiharju - (Telia Company), Renne Rodriguez - 
(Apple), Russ Housley - (Vigil Security LLC), Scott Rea - (eMudhra), Stefan 
Selbitschka - (rundQuadrat), Stephen Davidson - (DigiCert), Tadahiko Ito - 
(SECOM Trust Systems), Tsung-Min Kuo - (Chunghwa Telecom)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


Stephen Davidson noted that the minutes for the June 9 F2F and the July 21 
teleconference were distributed today so would be approved on a future call.


5. Discussion


Stephen Davidson noted that Ballot SMC03 was now in IPR, scheduled to conclude on 
1700 UTC on August 11.  He noted that there was an issue with the tooling that 
was complicating the production of redlines (showing unexpected changes to 
styles and numbering in addition to the expected text changes).



Stephen opened the floor for discussion of implementation issues.  Enrico 
Entschew asked if a user had multiple given names (see 7.1.4.2.2 e) should they 
all be listed in the givenName or should/could there be multiple givenName 
attributes.  It was agreed that under section 3, the user could choose which 
name(s) is used.



Renne Rodriguez asked about cert attribute ordering and questioned whether the 
SBR should consider moving towards the table format recently adopted in the TL 
BR Ballot SC62.  Stephen said this could be added to the Fall F2F agenda where 
the WG will discuss our next priorities.



Stephen reviewed the issues list on GitHub at 
https://github.com/cabforum/smime/issues
 (noting that some items currently on the list will be closed off due to 
SMC03).  He encouraged members to make use of the list as it was a useful input 
for the WG priorities.



Stephen asked members to consider in particular if the Section 3.2.2 methods 
for email domain/mailbox control were sufficient, and if it would be desirable 
to define additional automation friendly methods.  It was likely that 
additional development might be desired in the area of Enterprise RAs.



Stephen noted that ETSI TS 119 411-6 (overlaying the SBR on ETSI requirements) 
had cleared remote consensus and was going through final edits/review at ETSI.  
Reference to this in the SBR will be a future ballot.



It was decided to cancel the August 15 teleconference.




6. Any Other Business




None


7. Next call


Next call: tentative Wednesday, August 30, 2023 at 11:00 am Eastern Time


Adjourned




___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


[Smcwg-public] Approved Minutes of SMCWG July 19, 2023

2023-09-05 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


July 19, 2023



These are the Approved Minutes of the Teleconference described in the subject 
of this message. Corrections and clarifications where needed are encouraged by 
reply.


Attendees


Adrian Mueller - (SwissSign), Andreas Henschel - (D-TRUST), Ashish Dhiman - 
(GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Chad Ehlers - 
(IdenTrust), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Dimitris 
Zacharopoulos - (HARICA), Don Sheehy - (CPA Canada/WebTrust), Eva Vansteenberge 
- (GlobalSign), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), 
Judith Spencer - (CertiPath), Li-Chun Chen - (Chunghwa Telecom), Marco 
Schambach - (IdenTrust), Morad Abou Nasser - (TeleTrust), Mrugesh Chandarana - 
(IdenTrust), Nome Huang - (TrustAsia Technologies, Inc.), Pedro Fuentes - 
(OISTE Foundation), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia 
Technologies, Inc.), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), 
Tadahiko Ito - (SECOM Trust Systems), Tim Crawford - (CPA Canada/WebTrust), Tim 
Hollebeek - (DigiCert), Wendy Brown - (US Federal PKI Management Authority)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes were approved from the following SMCWG meetings:  June 21.


5. Discussion


Stephen Davidson noted that the minutes from the F2F were still outstanding.



Stephen noted that Ballot SMC03 passed and was now in IPR, scheduled to 
conclude on August 11.  Bruce Morton said that full redlines (as opposed to the 
github diff) would be helpful.



Stephen opened the floor for discussion of issues that may have arisen during 
implementation of the SBR.

Dimitris Zacharopoulos asked for confirmation that existing CAs that used 
anyPolicy (and are otherwise compliant) could be used going forward. Stephen 
confirmed and said that updates would only be required when explicit CP OIDs 
were used.



Tim Hollebeek requested that the CABF host a high level discussion on the use 
of anyPolicy versus explicit CP OIDs in CAs. Dimitris said that policy chaining 
was desirable, and that such a discussion would be useful particularly given 
the move towards dedicated "use case" hierarchies.



Stephen noted that questions had arisen relating to finding phone numbers, 
which may not always be provided in government data sources. He said he 
believed that the existing text allowed the use of "QIIS" type resources for 
phone numbers but that this may be an area that the WG may wish to improve.  
Bruce and Tim supported this. Stephen noted that even the phone book would be a 
QIIS. Tim asked if any Cert Consumers had issues with this: no issues were 
raised.



Ben Wilson noted that Mozilla had distributed guidance points on the lists and 
at 
https://wiki.mozilla.org/CA/Transition_SMIME_BRs.
  This includes some guardrails for the acceptable reissuance of Issuing CAs.



Stephen asked if Certificate Issuers were having issues with finding 
organizationIdentifiers for Orgs.  None were raised.  He noted that the SBR 
text included the prefix "GOV" which at the time of writing was in a draft 
being discussed at ETSI for 319 412-1 but appears to not have moved ahead.



Tim provided an update on the CAA RFC at the IETF.  It has cleared final call 
and the expert review phases in the IETF process, so will become an operational 
RFC once it clears the final edit.  Stephen said that CAA is targeted for 
discussion in the SMCWG this autumn, with a lengthy implementation window.


Stephen commented that ETSI TS 119 411-6 (overlaying the SBR on ETSI 
requirements) was going through remote consensus and was expected to become 
final around the time of the SBRv1.  In the meantime, the text in SMC03 is 
adequate for Certificate Issuers who use ETSI audits.



Stephen asked if any Certificate Issuers would be interested in working on a 
ballot to include a signature scheme (such as eIDAS) as a vetting option.  See 
https://github.com/cabforum/smime/blob/main/SBR.md#3241-attribute-collection-of-individual-identity
 item 4.



Stephen encouraged members to use the issues list on GitHub at 
https://github.com/cabforum/smime/issues

[Smcwg-public] Approved Minutes of SMCWG F2F Meeting 59 June 7, 2023

2023-09-05 Thread Stephen Davidson via Smcwg-public


Minutes of SMCWG


June 7, 2023

 

These are the Approved Minutes of the F2F meeting described in the subject of 
this message. Corrections and clarifications where needed are encouraged by 
reply.


Attendees 


Overall attendance: Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra), Adam 
Jones - (Microsoft), Adrian Mueller - (SwissSign), An Yin - (iTrusChina), 
Andreas Henschel - (D-TRUST), Aaron Poulsen - (Amazon), Aneta Wojtczak-Iwanicka 
- (Microsoft), Antti Backman - (Telia Company), Arno Fiedler - (ETSI), Ben 
Dewberry - (Keyfactor), Ben Wilson - (Mozilla), Brianca Martin - (Amazon), 
Bruce Morton - (Entrust), Chris Clements - (Google), Christophe Bonjean - 
(GlobalSign), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Corey 
Rasmussen - (OATI), Daryn Wright - (GoDaddy), Dave Chin - (CPA 
Canada/WebTrust), David Kluge - (Google), Dean Coclin - (DigiCert), Dimitris 
Zacharopoulos - (HARICA), Don Sheehy - (CPA Canada/WebTrust), Doug Beattie - 
(GlobalSign), Dustin Hollenback - (Microsoft), Ellie Lu - (TrustAsia 
Technologies, Inc.), Enrico Entschew - (D-TRUST), Eva van Steenberge - 
(GlobalSign), Fumi Yoneda - (Japan Registry Services), Georgy Sebastian - 
(Amazon Trust Services), Glaucia Young - (Microsoft), Hannah Sokol - (Microsoft), 
Hogeun Yoo - (NAVER Cloud), Hubert 
Chao - (Google), Ian McMillan - (Microsoft), Inaba Atsushi - (GlobalSign), 
Inigo Barreira - (Sectigo), J.P. Hamilton - (Cisco), Jamie Mackey - (US Federal 
PKI Management Authority), Janet Hines - (VikingCloud), Jeremy Rowley - 
(DigiCert), Joanna Fox - (TrustCor Systems), John Sarapata - (Google), Jonathan 
Kozolchyk - (Amazon Trust Services), Jos Purvis - (Fastly), Joseph Ramm - 
(OATI), JP Hamilton - (Cisco Systems), Karina Sirota - (Microsoft), Keshava 
Nagaraju - (eMudhra), Kiran Tummala - (Microsoft), Lakshmi Ramalingam - 
(Microsoft), Leo Grove - (SSL.com), Li-Chun Chen - (Chunghwa Telecom), Mads 
Henriksveen - (Buypass AS), Mahua Chaudrhi - (Microsoft), Marco Schambach - 
(IdenTrust), Mark Nelson - (IdenTrust), Martijn Katerbarg - (Sectigo), Matthias 
Wiedenhorst - (ACAB Council), Michael Guenther - (SwissSign), Michael Slaughter 
- (Amazon), Michelle Coon - (OATI), Mohit Kumar - (GlobalSign), Nargis Mannan - 
(VikingCloud), Nate Smith - (GoDaddy), Naveen Kumar - (eMudhra), Nick France 
- (Sectigo), Nicol So - (CommScope), Nitesh Bakliwal - (Microsoft), Pankaj 
Chawla - (eMudhra), Paul van Brouwershaven - (Entrust), Pekka Lahtiharju - 
(Telia Company), Peter Miskovic - (Disig), Raffaela Achermann - (SwissSign), 
Rebecca Kelley - (Apple), Roberto Quinones - (Intel), Rollin Yu - (TrustAsia 
Technologies, Inc.), Romain DELVAL - (Certigna), Ryan Dickson - (Google), Scott 
Rea - (eMudhra), Sissel Hoel - (Buypass AS), Stefan Kirch - (Telekom Security), 
Stephen Davidson - (DigiCert), Sven Rajala - (Keyfactor), Tadahiko Ito - (SECOM 
Trust Systems), Tahmina Ahmad - (Microsoft), Thomas Zermeno - (SSL.com), Tim 
Callan - (Sectigo), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - 
(DigiCert), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - 
(Amazon), Tsung-Min Kuo - (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha - 
(eMudhra), Vikas Khanna - (Microsoft), Wayne Thayer - (Fastly), Wendy Brown - 
(US Federal PKI Management Authority), Xiao Qiang - (GDCA), Xiu Lei - 
(GDCA), Yashwanth TM - (eMudhra), Yoshihiko Matsuo - (Japan Registry Services), 
Yoshiro Yoneya - (Japan Registry Services).


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Ben Wilson.


4. Discussion 


*   New Certificate Issuer member: Logius PKIoverheid
*   Primary focus has been on answering questions arising from CAs 
implementing the S/MIME BRs.
*   Clarification-and-correction ballot SMC03 is pending. The group 
discussed the major changes covered in the ballot.

    *   Clarification of Enterprise RA capabilities
    *   Clarification of Mailbox Address definition
    *   Clarification of Pseudonym references
    *   Correction of some numbering and typo issues
    *   Correction of missing keyUsages for EdDSA Certificates
    *   Correction of LEI roles
    *   Correction of ISO code in organizationIdentifier
    *   Clarification of ETSI audit requirements to include 411-2
    *   Extant CA transition

*   Release by DigiCert of PKILINT as OSS.  Includes lints for the S/MIME 
BRs. https://github.com/digicert/pkilint 
*   Externally: working with ETSI on TS 119 411-6 on implementation 
standard-mapping ETSI's CPs with the S/MIME BRs. Draft will be available within 
2 weeks. There is a formal liaison between ETSI and the CABF inviting input 
from SMCWG members.
*   Discussion of ICA transition -- existing or new ICA creation before 
effective date in "Extant SMIME CA" draft at 
https://github.com/srdavidson/smime/tree/Bal

[Smcwg-public] Draft SMCWG agenda - Wednesday, August 30, 2023

2023-08-28 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, August 30, 2023 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1.   Roll Call

2.   Note well:  Antitrust / Compliance Statement

3.   Review Agenda

4.   Approval of past minutes

*   June 7 F2F
*   July 19
*   August 2



5.   Discussion

*   Effective Date for S/MIME BR and SMC03 is September 1
*   Availability of ETSI TS 119 411-6
https://www.etsi.org/deliver/etsi_ts/119400_119499/11941106/01.01.01_60/ts_11941106v010101p.pdf
*   Open discussion on questions raised re: organisationIdentifier
*   Github issues review
https://github.com/cabforum/smime/issues



6.   Any other business



7.   Next call:  Wednesday, September 13, 2023 at 11:00 am Eastern Time

  Adjourn



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


Re: [Smcwg-public] ADOPTION: Ballot SMC03 (Corrections and clarifications for “S/MIME Baseline Requirements”)

2023-08-23 Thread Stephen Davidson via Smcwg-public
There appears to be an issue with the listserv sending PDFs.

Here is a downloadable redline: 
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-SMIMEBR-1.0.1redline.pdf

Regards, Stephen



From: Smcwg-public  On Behalf Of Stephen 
Davidson via Smcwg-public
Sent: Monday, August 21, 2023 2:58 PM
To: Dimitris Zacharopoulos (HARICA) ; SMIME Certificate 
Working Group 
Subject: Re: [Smcwg-public] ADOPTION: Ballot SMC03 (Corrections and 
clarifications for “S/MIME Baseline Requirements”)



Redline is attached as PDF.

Best, Stephen





From: Smcwg-public <smcwg-public-boun...@cabforum.org> 
On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Monday, August 14, 2023 12:00 PM
To: smcwg-public@cabforum.org
Subject: Re: [Smcwg-public] ADOPTION: Ballot SMC03 (Corrections and 
clarifications for “S/MIME Baseline Requirements”)



Hi Stephen,

Will you be able to also provide a redline between versions 
in https://cabforum.org/smime-br/
 as we do with other WGs?


Thanks,
Dimitris.

On 11/8/2023 9:20 μ.μ., Stephen Davidson via Smcwg-public wrote:

   The Intellectual Property Review (IPR) period for Ballot SMC03 (Corrections 
and clarifications for “S/MIME Baseline Requirements”) has completed. No IPR 
Exclusion Notices were filed, and the ballot is adopted as of August 11, 2023. 
SMC03 becomes effective at the same time as the S/MIME BR on September 01, 2023.

   The S/MIME Baseline Requirements version 1.0.1 is attached in PDF form.  The 
new S/MIME BR have also been published to the CABF public 
website <https://cabforum.org/smime-br/>
 in accordance with the Bylaws.

   Best regards,
   Stephen Davidson, Chair
   CA/Browser Forum S/MIME Certificate Working 
Group <https://cabforum.org/working-groups/smime-certificate-wg/>





   ___
   Smcwg-public mailing list
   Smcwg-public@cabforum.org
   https://lists.cabforum.org/mailman/listinfo/smcwg-public



___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


Re: [Smcwg-public] ADOPTION: Ballot SMC03 (Corrections and clarifications for “S/MIME Baseline Requirements”)

2023-08-21 Thread Stephen Davidson via Smcwg-public
Redline is attached as PDF.

Best, Stephen





From: Smcwg-public  On Behalf Of Dimitris 
Zacharopoulos (HARICA) via Smcwg-public
Sent: Monday, August 14, 2023 12:00 PM
To: smcwg-public@cabforum.org
Subject: Re: [Smcwg-public] ADOPTION: Ballot SMC03 (Corrections and 
clarifications for “S/MIME Baseline Requirements”)



Hi Stephen,

Will you be able to also provide a redline between versions 
in https://cabforum.org/smime-br/
 as we do with other WGs?


Thanks,
Dimitris.

On 11/8/2023 9:20 μ.μ., Stephen Davidson via Smcwg-public wrote:

   The Intellectual Property Review (IPR) period for Ballot SMC03 (Corrections 
and clarifications for “S/MIME Baseline Requirements”) has completed. No IPR 
Exclusion Notices were filed, and the ballot is adopted as of August 11, 2023. 
SMC03 becomes effective at the same time as the S/MIME BR on September 01, 2023.

   The S/MIME Baseline Requirements version 1.0.1 is attached in PDF form.  The 
new S/MIME BR have also been published to the CABF public 
website <https://cabforum.org/smime-br/>
 in accordance with the Bylaws.

   Best regards,
   Stephen Davidson, Chair
   CA/Browser Forum S/MIME Certificate Working Group <https://cabforum.org/working-groups/smime-certificate-wg/>


[Smcwg-public] ADOPTION: Ballot SMC03 (Corrections and clarifications for “S/MIME Baseline Requirements”)

2023-08-11 Thread Stephen Davidson via Smcwg-public
The Intellectual Property Review (IPR) period for Ballot SMC03 (Corrections and 
clarifications for “S/MIME Baseline Requirements”) has completed. No IPR 
Exclusion Notices were filed, and the ballot is adopted as of August 11, 2023. 
SMC03 becomes effective at the same time as the S/MIME BR on September 01, 2023.

The S/MIME Baseline Requirements version 1.0.1 is attached in PDF form.  The 
new S/MIME BR have also been published to the CABF public 
website in accordance with the Bylaws.

Best regards,
Stephen Davidson, Chair
CA/Browser Forum S/MIME Certificate Working Group


Re: [Smcwg-public] Validation of Information for Name-Constrained SubCAs

2023-08-08 Thread Stephen Davidson via Smcwg-public
Hi Ben:


The reference to Section 3.2.2.3 goes with the "or has been authorized by the 
domain registrant to act on the registrant's behalf" part only.  The typical 
verification of the domain under active control of the registrant would be done 
via Section 3.2.2.1.



A possible clarification might be phrased as:



"The CA SHALL confirm that the Applicant has registered the FQDN contained in 
the rfc822Name in line with the verification practices of Section 3.2.2.1, or 
has been authorized by the domain registrant to act on the registrant’s behalf 
in line with the verification practices of Section 3.2.2.3."



Best, Stephen





From: Smcwg-public On Behalf Of Ben Wilson via Smcwg-public
Sent: Tuesday, August 8, 2023 4:56 PM
To: SMIME Certificate Working Group
Subject: [Smcwg-public] Validation of Information for Name-Constrained SubCAs



Does anyone recall offhand why section 7.1.5 doesn't also refer to section 
3.2.2.1?



Section 7.1.5 says, "The CA SHALL confirm that the Applicant has registered the 
FQDN contained in the rfc822Name or has been authorized by the domain registrant 
to act on the registrant’s behalf in line with the verification practices of 
Section 3.2.2.3."   Section 3.2.2.3 is "Validating applicant as operator of 
associated mail server(s)", and section 3.2.2.1 is "Validating authority over 
mailbox via domain."  Was there a concern that 3.2.2.1 was too broad and that 
validation had to be done pursuant to section 3.2.2.3?  And what about section 
3.2.2.2 (validating control over mailbox via email)?



Thanks,



Ben



[Smcwg-public] Redline of S/MIME BR v1.0.1

2023-08-02 Thread Stephen Davidson via Smcwg-public
The diff for v1.0.1 may be found at 
https://github.com/srdavidson/smime/compare/ba234cef9a443716e09d2fd2dcb715b8b709dd61...a6a1e287c3511f40c86d6cd2a1596889413e73d8



A traditional redline is also attached. Many thanks to @Corey Bonnell for 
helping sort this out!



Regards, Stephen







[Smcwg-public] Approved Minutes of SMCWG June 21, 2023

2023-08-02 Thread Stephen Davidson via Smcwg-public

Minutes of SMCWG


June 21, 2023



These are the Approved Minutes of the Teleconference described in the subject 
of this message. Corrections and clarifications where needed are encouraged by 
reply.


Attendees


Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Andrea Holland - 
(VikingCloud), Andreas Henschel - (D-TRUST), Ashish Dhiman - (GlobalSign), Ben 
Wilson - (Mozilla), Bruce Morton - (Entrust), Chad Ehlers - (IdenTrust), Clint 
Wilson - (Apple), Corey Bonnell - (DigiCert), Dave Chin - (CPA 
Canada/WebTrust), Dimitris Zacharopoulos - (HARICA), Don Sheehy - (CPA 
Canada/WebTrust), Doug Beattie - (GlobalSign), Enrico Entschew - (D-TRUST), Eva 
Vansteenberge - (GlobalSign), Inaba Atsushi - (GlobalSign), Inigo Barreira - 
(Sectigo), Janet Hines - (VikingCloud), Judith Spencer - (CertiPath), Keshava 
Nagaraju - (eMudhra), Marco Schambach - (IdenTrust), Martijn Katerbarg - 
(Sectigo), Rebecca Kelley - (Apple), Renne Rodriguez - (Apple), Rollin Yu - 
(TrustAsia Technologies, Inc.), Scott Rea - (eMudhra), Stefan Selbitschka - 
(rundQuadrat), Stephen Davidson - (DigiCert), Taavi Eomäe - (Zone Media), 
Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), Wendy Brown - 
(US Federal PKI Management Authority), Yashwanth TM - (eMudhra)


1. Roll Call


The Roll Call was taken.


2. Read Antitrust Statement


The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.


3. Review Agenda


Minutes were prepared by Stephen Davidson.


4. Approval of minutes from last teleconference


The minutes were approved from the following SMCWG meetings:  May 24.


5. Discussion


Stephen Davidson noted that the group would move ahead with Ballot SMC03 in 
order to have it cleanly in place in time for the overall effective date of the 
S/MIME BR.

He noted that the text and redlines had been covered at some length in the 
preceding months.  He noted that a new section of text had been added to create 
a clear transition arrangement for existing Issuing CAs into the new 
arrangement.  Clint Wilson recently suggested that when CABF standards shift 
requirements, it would typically be best that the same standard suggest 
transition arrangements as well as the new standard.



As such a new section dealing with "Extant S/MIME CAs" has been added to the 
S/MIME BR.  The changes consist of a new Definition of what CAs are eligible 
for the transition arrangement, as well as an Appendix B describing that these 
CAs may be used to issue otherwise compliant EE certificates but must be 
replaced by fully-compliant ICAs before September 15, 2024.



Extant CAs that are replaced (in other words, cease issuance) or reissued to 
become compliant are not required to be revoked. Ben Wilson asked why and 
Stephen noted that this is to avoid unknown impact in client S/MIME software on 
previously signed or encrypted emails. Wendy Brown agreed. Ben noted that if 
there were an actual revocation reason "for cause" then those CAs would still 
need to be revoked.



Andreas Henschel noted that this does not affect previously created ICAs that 
are already compliant with the S/MIME BR.



Eva van Steenberge and Clint Wilson noted that some of the audit language in 
the proposed definition was not required as it repeated a root program 
requirement.  Stephen agreed to remove it.  Don Sheehy commented that this did 
not seem to conflict with what was known regarding the root program audit 
reporting requirements for S/MIME BR.



There were no objections to the approach. Stephen noted that he would 
distribute the discussed changes and if there were no objections, then the 
ballot would commence. There was discussion on the discussion (10 days) and 
ballot (7 day) period.



Dimitris Zacharopoulos noted that ETSI had extended a liaison to the SMCWG for 
the draft of ETSI TS 119 411-6 which maps the S/MIME BR against the CPs 
described in ETSI standards to facilitate ETSI audits.



It was agreed to drop the July 5 teleconference due to US holidays.





6. Any Other Business




None


7. Next call


Next call: tentative Wednesday, July 19, 2023 at 11:00 am Eastern Time


Adjourned






[Smcwg-public] Draft SMCWG agenda - Wednesday, August 2, 2023

2023-08-02 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, August 2, 2023 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



For information on time, please review the Agenda for Meeting 59 on the wiki.



1. Roll Call

2. Note well:  Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

None today.  Still to be distributed:

F2F, July 19

5. Discussion

*   IPR for SMC03 closes August 11
*   Implementation questions relating to SBR?
*   Review of issues listed on GitHub
*   Summer meetings: Aug 16, Aug 30

6. Any other business

7. Next call:  TBD

Adjourn





[Smcwg-public] Draft SMCWG agenda - Wednesday, July 19, 2023

2023-07-18 Thread Stephen Davidson via Smcwg-public

SMCWG Agenda


Draft SMCWG agenda - Wednesday, July 19, 2023 at 11:00 am Eastern Time



Here is a draft agenda for the teleconference described in the subject of this 
message. Please review and propose changes if necessary.



1. Roll Call

2. Note well:  Antitrust / Compliance Statement

3. Review Agenda

4. Approval of past minutes

- June 21

5. Discussion

*   IPR for SMC03
*   Open discussion: Implementation questions relating to SBR v1
*   What next?

6. Any other business

7. Next call:  TBD

Adjourn







Re: [Smcwg-public] CommonNames, Pseudonyms, GivenNames and Surnames

2023-07-18 Thread Stephen Davidson via Smcwg-public
Yes, thank you Rob and Clint.

Please add it to the issues list in Github, so we can track it for the next 
ballot.

As it happens, I think that Pseudonyms have been an area of interest in the 
Sponsor-validated type during the implementation of the SBR, so a “revisit” 
based on that experience may be in order after September.

 

 

From: Smcwg-public On Behalf Of Clint Wilson via Smcwg-public
Sent: Monday, July 17, 2023 3:16 PM
To: Robert Lee; SMIME Certificate Working Group
Subject: Re: [Smcwg-public] CommonNames, Pseudonyms, GivenNames and Surnames

 

Hi Rob,

 

I think minimally filing an issue in https://github.com/cabforum/smime/issues 
would be a good thing to do to track this potential conflict.

FWIW, I also think the issue identified is indeed an issue (though probably not 
major) and your proposed updates seem reasonable to me as well.

 

Cheers,

-Clint





On Jul 13, 2023, at 6:52 AM, Robert Lee via Smcwg-public 
<smcwg-public@cabforum.org> wrote:

 

Dear all,

 

I’m emailing because I think some further clarification may be needed in 
section 7.1.4.2.2(a) around commonNames as Personal Names or Pseudonyms 
(capital ‘P’ based on SMC03 changes).

 

What I think is needed is to align some of the uses of commonNames with the 
existing rules around if subject:pseudonym is present then 
subject:givenName/subject:surname SHALL NOT be present and the vice versa rule. 
 My understanding/assumption is that the pseudonym/givenName/surname rules are 
in place to make an SMIME certificate a Pseudonym cert or a Personal Name cert 
and not to be both at the same time (especially as putting one’s name into the 
cert would dramatically reduce any privacy afforded by using a Pseudonym).

 

However, the options for commonName in sponsor and individual validated 
certificates don't entirely work with the above as currently you _could_ have a 
subject:pseudonym and then put your Personal Name in the commonName which 
doesn't track with my understanding/assumption of what the 
pseudonym/givenName/surname rules are supposed to achieve.

 

I don’t think it’s a difficult thing to fix though.  Adding the following lines 
to 7.1.4.2.2(a) should close this hole effectively enough:

 

“If the subject:commonName contains a Pseudonym, then the subject:givenName 
and/or subject:surname attributes SHALL NOT be present.”

 

“If the subject:commonName contains a Personal Name, then the subject:pseudonym 
attribute SHALL NOT be present.”

 

If people broadly agree with my suggestion then I’m happy to make a PR into the 
BRs or somewhere else if, like SMC03, there’ll be a branch collecting changes 
in someone’s fork of the document.

 

Best Regards,

Rob

 

Dr. Robert Lee MEng PhD

Senior Software Engineer with Cryptography SME

 

www.globalsign.co.uk | www.globalsign.eu

 

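The gap described in the thread above for section 7.1.4.2.2(a), as an added example that is not part of the thread or of the S/MIME BR: a pre-issuance check run first with only the existing pseudonym/givenName/surname rule, then with the two proposed lines. The `cn_kind` field, the function names and the sample subjects are assumptions constructed for illustration.

```python
# Added example: pre-issuance check of S/MIME subject name attributes.
# cn_kind is a hypothetical field supplied by the CA's issuance system saying
# what the commonName carries; the certificate alone does not state this.

def subject_violations(subject, cn_kind, proposed=False):
    """Return the list of rule violations for one subject.

    subject  -- dict of attribute name -> value
    cn_kind  -- "personal_name", "pseudonym" or "mailbox" (declared by the CA)
    proposed -- also apply the two lines proposed for 7.1.4.2.2(a)
    """
    has_pseudonym = "pseudonym" in subject
    has_real_name = "givenName" in subject or "surname" in subject
    found = []
    # Existing rule as described in the thread: subject:pseudonym and
    # subject:givenName/subject:surname are mutually exclusive.
    if has_pseudonym and has_real_name:
        found.append("pseudonym present together with givenName/surname")
    if proposed and "commonName" in subject:
        if cn_kind == "pseudonym" and has_real_name:
            found.append("commonName is a Pseudonym but givenName/surname present")
        if cn_kind == "personal_name" and has_pseudonym:
            found.append("commonName is a Personal Name but pseudonym present")
    return found


# Constructed sample subjects (not taken from real certificates).
SAMPLES = {
    "personal": ({"commonName": "Alex Example", "givenName": "Alex",
                  "surname": "Example"}, "personal_name"),
    "pseudonymous": ({"commonName": "nightowl", "pseudonym": "nightowl"},
                     "pseudonym"),
    "both_attrs": ({"commonName": "nightowl", "pseudonym": "nightowl",
                    "givenName": "Alex"}, "pseudonym"),
    # The case raised in the thread: real name in commonName next to a pseudonym.
    "name_in_cn": ({"commonName": "Alex Example", "pseudonym": "nightowl"},
                   "personal_name"),
    "pseudonym_in_cn": ({"commonName": "nightowl", "givenName": "Alex",
                         "surname": "Example"}, "pseudonym"),
}


def audit(proposed):
    """Run every sample through the check; returns name -> violations."""
    return {name: subject_violations(subj, kind, proposed)
            for name, (subj, kind) in SAMPLES.items()}


if __name__ == "__main__":
    for label, proposed in (("existing rule only", False), ("with proposal", True)):
        print(label)
        for name, found in audit(proposed).items():
            print(f"  {name}: {found or 'ok'}")
```
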


[Smcwg-public] Results of SMC03: Corrections and clarifications for “S/MIME Baseline Requirements”

2023-07-12 Thread Stephen Davidson via Smcwg-public
Results of SMC03: Corrections and clarifications for “S/MIME Baseline 
Requirements”



The voting period for Ballot SMC03 (Corrections and clarifications for “S/MIME 
Baseline Requirements”) has completed, and the ballot has passed.



Voting Results

Certificate Issuers

21 votes total, with no abstentions:

*   21 Issuers voting YES: Actalis S.p.A., Asseco Data Systems SA (Certum), 
Buypass AS, Chunghwa Telecom, DigiCert, D-TRUST, eMudhra, Entrust, GDCA, 
GlobalSign, HARICA, IdenTrust, MSC Trustgate Sdn Bhd, OISTE Foundation, SECOM 
Trust Systems, Sectigo, SSL.com, SwissSign, TWCA, VikingCloud, Visa
*   0 Issuers voting NO
*   0 Issuers ABSTAIN

Certificate Consumers

2 votes total, with no abstentions:

*   2 Consumers voting YES: Mozilla, rundQuadrat
*   0 Consumers voting NO
*   0 Consumers ABSTAIN

Bylaws Requirements

1.  Bylaw 2.3(f) requires:

   0.   A "yes" vote by two-thirds of Certificate Issuer votes and by 
50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted 
for this purpose. This requirement was MET for Certificate Issuers and MET for 
Certificate Consumers.
   1.   At least one Certificate Issuer and one Certificate Consumer Member 
must vote in favor of a ballot for the ballot to be adopted. This requirement 
was MET.

2.  Bylaw 2.3(g) requires that a ballot result only be considered valid 
when “more than half of the number of currently active Members has 
participated”. The number of currently active Voting Members is the average 
number of Voting Member organizations that have participated in the previous 
three meetings. Votes to abstain are counted in determining quorum. The quorum 
was 7 for this ballot. This requirement was MET.

This ballot now enters the 30-day IP Rights Review Period to permit members to 
review the ballot for relevant IP rights issues.  The IP Rights Review Period 
ends at 1700 UTC on August 11, 2023.




