My intention is not to prevent CAs from issuing S/MIME certificates containing identity information. It's really what Ryan said and Rufus reiterated.
There is a tremendous amount of work to do and the core of all of it is cert profiles and email validation practices. I expect that it will take a few years to get the core work published, and the complexity of identity validation could easily extend that by a year or more. I am particularly concerned (could just be my ignorance) about all the government-issued identity certificates that are valid for S/MIME. Our identity validation rules will need to support those use cases. Given how long S/MIME standards have already waited behind governance reform, I prefer a narrower initial scope that produces guidelines faster. On Tue, Jan 29, 2019 at 2:18 PM Buschart, Rufus <[email protected]> wrote: > Hello! > > > > I would support the approach of Ryan (if I understood his approach > correctly): Let’s start with the absolute minimal core and this is the > validation of the email address and the definition of acceptable practices > regarding key generation, key distribution and key escrow. I remember some > discussions from last fall with Wayne about this issue when the new Mozilla > Root Store Policies were drafted and it turned out that SMIME seems to be > significantly different to TLS since the business needs are very much > different. So there will be a lot to do with this issues. > > > > With best regards, > Rufus Buschart > > Siemens AG > Information Technology > Human Resources > PKI / Trustcenter > GS IT HR 7 4 > Hugo-Junkers-Str. 9 > 90411 Nuernberg, Germany > Tel.: +49 1522 2894134 > mailto:[email protected] <[email protected]> > www.twitter.com/siemens > www.siemens.com/ingenuityforlife <https://siemens.com/ingenuityforlife> > [image: www.siemens.com/ingenuityforlife] > Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim > Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief > Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, > Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and > Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, > Munich, HRB 6684; WEEE-Reg.-No. DE 23691322 > > *Von:* Public <[email protected]> *Im Auftrag von *Bruce Morton > via Public > *Gesendet:* Dienstag, 29. Januar 2019 21:50 > *An:* Wayne Thayer <[email protected]>; CA/Browser Forum Public > Discussion List <[email protected]> > *Betreff:* Re: [cabfpub] [EXTERNAL]Re: Draft SMIME Working Group Charter > > > > Hi Wayne, > > > > Can you elaborate on why we should exclude identity validation from the > initial scope? > > > > My thinking is that many CAs which are currently issuing S/MIME > certificates are also including identity. I assume that most use similar > methods that are defined in the BRs to validate identity. It would seem > that it should be included in the scope to cover current practice. > > > > Thanks, Bruce. > > > > *From:* Public [mailto:[email protected] > <[email protected]>] *On Behalf Of *Wayne Thayer via Public > *Sent:* January 25, 2019 1:37 PM > *To:* Ryan Sleevi <[email protected]>; CA/Browser Forum Public Discussion > List <[email protected]> > *Subject:* [EXTERNAL]Re: [cabfpub] Draft SMIME Working Group Charter > > > > *WARNING:* This email originated outside of Entrust Datacard. > *DO NOT CLICK* links or attachments unless you trust the sender and know > the content is safe. > ------------------------------ > > I agree that we should exclude identity validation from the initial scope > of this working group. > > > > On Fri, Jan 25, 2019 at 10:04 AM Ryan Sleevi via Public < > [email protected]> wrote: > > > > Finally, regarding membership criteria, I'm curious whether it's necessary > to consider WebTrust for CAs / ETSI at all. For work like this, would it > make sense to merely specify the requirements for a CA as one that is > trusted for and actively issues S/MIME certificates that are accepted by a > Certificate Consumer. This seems to be widely inclusive and can be iterated > upon if/when improved criteria are developed, if appropriate. > > > > This would allow a CA that is not eligible for full Forum membership to > join this WG as a full member. How would that work? Would we require such > an organization to join the Forum as an Interested Party? If the idea is > that such an organization wouldn't be required to join the Forum, then I > don't believe that was anticipated or intended in the design of the current > structure. It's not clear to me that we should permit membership in a CWG > without Forum membership. For instance, allowing this may create loopholes > in the IPR obligations that are defined and administered at the Forum level. > > > > There's also a bootstrapping issue for membership, in that until we know > who the accepted Certificate Consumers are, no CA can join as a Certificate > Issuer. I'm curious whether it makes sense to explicitly bootstrap this in > the charter or how we'd like to tackle this. > > > >
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
