Home » Proceedings » Minutes » 2020-11-25 Minutes of the S/MIME Certificate Working Group

2020-11-25 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

November 25, 2020

These are the Approved Minutes of the Teleconference described in the subject of this message.

Attendees

Adrian Mueller (SwissSign), Ahmad Syafiq Md Zaini (MSC Trustgate.com), Ali Gholami (Telia Company), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Burkhard Wiegel (Zertificon), Chris Kemmerer (SSL.com), Corey Bonnell (DigiCert), David Kluge (Google), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate.com), Hongquan Yin (Microsoft), India Donald (Federal PKI), James Knapp (Federal PKI), Janet Hines (SecureTrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Matthias Wiedenhorst (ACAB’c), Nazmi Abd Hadi (MSC Trustgate.com), Neil Dunbar (TrustCor), Patrycja Tulinska (PSW), Pedro Fuentes (OISTE), Russ Housley (Vigil Security), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (Federal PKI), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

The Chair proposed deferring the discussion of new membership, and adding a new agenda item relating to certificate policy OIDs.

4. Approval of minutes from last teleconference

The minutes of the November 11 teleconference were approved. 

5. Discussion of certificate profile

Stephen shared a preview of the S/MIME Baseline Requirements section 7 in markdown format, currently in a private GitHub Repository.  The draft uses the table format agreed upon in earlier meetings.  With the help of the Infrastructure WG, the plan is to move towards using the cabf-smcwg-br repository in early 2021 including for commenting and tracking of issues.

In part based upon Doug Beattie’s comment on the public list, a discussion was held on certificate-policy OIDs.  The OID arc 2.23.140.1.5 has been reserved for the S/MIME Baseline Requirements (SBR). The proposal is to adopt familiar validation levels (DV, OV, IV) as found in TLS – with an additional level for personal certs that include organizational details.  Dimitris Zacharopoulos suggested this should be linked to OV; Corey Bonnell subsequently suggested the term “Sponsored Validation” (SV) to describe this level.

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) smime-baseline(5) domain-validation (1)} (2.23.140.1.5.1)

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) smime-baseline(5) organization-validation (2)} (2.23.140.1.5.2)

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) smime-baseline(5) sponsored-validation (3)} (2.23.140.1.5.3)

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) smime-baseline(5) individual-validation (4)} (2.23.140.1.5.4)

If required, extensions may be defined under the CABF certificate-extensions arc 2.23.140.2.  Examples might include identifiers for keys generated or stored on cryptotokens etc.

Stephen Davidson proposed that certain Subject attributes be restricted, mandatory or optional depending on the certificate policy. Tim Hollebeek suggested that initial versions of the standard should be inclusive of common Issuer practice.  Wendy Brown indicated that the L and S fields might be considered optional except if required to disambiguate the Subject.

A discussion was held regarding the Subject attributes described in RFC 3739 Section 3.1.2:

domainComponent

countryName

commonName

surname

givenName

pseudonym

serialNumber

title

organizationName

organizationalUnitName

stateOrProvinceName

localityName

A particular focus involved attributes such as title and in particular pseudonym, which may be beyond the ability of the CA to verify. It was agreed that some might make sense in a “Sponsored Validation” context.  It was indicated that pseudonym may reasonably be used for profile names or English adopted names for international names.

It was agreed that at this stage we will focus on which fields might be allowed for the various certificate-policy levels – knowing that we must return to the required verification steps later in the process.

Certificate Issuers were requested to identify if they used Subject attributes not identified here.  Wendy Brown mentioned the use of dnQualifier to disambiguate Subjects, and indicated the range of uses of the CommonName field, such as “Stephen Davidson (contractor)”.  Dimitris Zacharopoulos raised the use of the organizationIdentifier attribute in OV certificates.

It was pointed out that the Subject email field was deprecated albeit still in common use.  A discussion began regarding rfc822name and the extent to which the SBR should seek to define an email address. Lacking time, the remaining agenda items were deferred to a future meeting.

6. Any Other Business

It was agreed that the December 23, 2020 meeting would be cancelled.

7. Next call

The next call will take place on December 9, 2020 at 11:00am Eastern Time. 

Adjourned