May 11, 2022
These are the Draft Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
Adrian Mueller (SwissSign), Andreas Henschel (D-TRUST), Ashish Dhiman (GlobalSign), Bruce Morton (Entrust), Christophe Bonjean (GlobalSign), Clint Wilson (Apple), Corey Bonnell (Digicert), Daniel Zens (GlobalTrust), Don Sheehy (CPA Canada/WebTrust), Doug Beattie (GlobalSign), Eusebio Herrera (AC Camerfirma SA), Eva Vansteenberge (GlobalSign), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Joanna Fox (TrustCor Systems), Mads Henriksveen (Buypass AS), Martijn Katerbarg (Sectigo), Matthias Wiedenhorst (ACAB Council), Mrugesh Chandarana (IdenTrust), Patrycja Tulinska (PSW), Pekka Lahtiharju (Telia Company), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Stefan Selbitschka (runQuadrat), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (US Federal PKI Management Authority), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (US Federal PKI Management Authority)
The Roll Call was taken.
The Antitrust/Compliance Statement was read.
The minutes of the April 27 teleconference were approved.
Stephen Davidson noted that draft the S/MIME Baseline Requirements is available at https://github.com/cabforum/smime/blob/preSBR/SBR.md. This call is open for comments that members may have on the draft.
The group is in the midst of the previously agreed 30-day pre-ballot discussion period, with a goal to sorting out comments at the upcoming F2F meeting in Warsaw. The goal remains to move towards a formal ballot by the end of the summer, if possible.
Stephen noted a correction had been made to the minutes of the March 30 meeting relating to comments made by Dimitris Zacharopoulos.
Following questions raised in the last call by Clint Wilson, Stephen noted that the new draft included content in section 9.4 relating to data protection as the S/MIME BR dealt with personal data to a greater degree than most other CABF standards.
9.4.2 states that info that is not in a cert is private. Clint questioned if 9.4.3 should also state the assertive that information that is in a cert is public.
Wendy Brown commented that different countries and regions had divergent requirements for privacy and consent. Tadahiko Ito noted that CAs that deal with multiple countries will have to cover the varying requirements that apply to them in their public privacy policies.
Don Sheehy noted that this may require new audit criteria, particularly regarding consent and the language relating to “reasonable degree of care”.
Stephen also highlighted other changes that had been made to the draft based on feedback. These included changes to the certificate profiles in 188.8.131.52.5-6 which provide more flexible treatment in the Legacy generation of the commonName for individuals. Another change is in 184.108.40.206.1 where generalName entries of type dirName are now allowed to accommodate the use of verified names in alternate character sets. Stephen invited review and comment on this text.
Stephen also walked through the changes to section 3.2.3 following from past WG members which has shifted from a focus on the EV Guidelines towards a more flexible patten based on the TLS BR but with a verified organizationIdentifer based on government records.
Eva Van Steenberge asked if the S/MIME BR would allow the use of EV JOI fields. Stephen said that cert profiles did not allow EV JOI, only the organizationIdentifer. This was, in part, because of a colliding use of serialNumber in the EV scheme when that attribute is commonly used for other purposes in S/MIME.
Stephen noted that the draft has been adapted many times based on feedback from both Cert Consumers and Cert Issuers, and that he felt it was a fair representation of the WG’s wishes. He welcomed early comments, where needed, so that the WG can deal with issues in a forthright manner before moving towards the final ballot. He noted that he understood that WG members were actively discussing the draft within their organisations and thanked WG members for their involvment.
Christophe Bonjean noted that he’d be submitting some additional items for discussion. One of the issues related to the section 8.8 description of internal audit for Enterprise RAs. There was discussion within the group regarding this requirement, given the constrained powers of the ERA and the fact that ERA records were counted as authoritative for the individual content in Sponsored-validation certificates. It was agreed that “monitoring or assessment on at least (timeframe) basis” was a more appropriate description of the requirements imposed on a CA for oversight.
Stephen said that linting was likely for S/MIME as was done for TLS (despite their note being a CT central repo of certs), and Bruce Morton indicated that linting of names in S/MIME would be difficult. He noted that it was not believed there was an issue with ERA performance today but was wary of a standard that might be unevenly enforced across CAs and ERAs. Clint noted that there were many areas of discretion in CABF and other standards for CAs to chose how they assessed compliance. Stephen noted that the requirement was for CAs to make reasonable efforts to confirm that delegated RAs complied with the S/MIME BR. Stephen noted that the S/MIME BR will be a new standard for which there had to be enforcement mechanisms and invited members to propose suitable changes to the language.
Stephen noted the agenda of the May 25 call would also be an open conversation of the draft.
Next call: Wednesday, May 25, 2022 at 11 a.m. US Eastern.