
2020-09-16 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

September 16, 2020

These are the Approved Minutes of the Teleconference described in the subject of this message.

Attendees

Li-Chun Chen (Chunghwa Telecom), Tsung-Min Kuo (Chunghwa Telecom), Andreas Henschel (D-TRUST), Dean Coclin (DigiCert), Stephen Davidson (DigiCert), Bruce Morton (Entrust DataCard), Thomas Connelly (Federal PKI), Doug Beattie (GlobalSign), Hugh Mercer (GlobalSign), Atsushi Inaba (GlobalSign), Hongquan Yin (Microsoft), Ben Wilson (Mozilla), Hazhar Ismail (MSC Trustgate.com), Ahmad Syafiq Md Zaini (MSC Trustgate.com), Pedro Fuentes (OISTE), Patrycja Tulinska (PSW), Tadahiko Ito (SECOM Trust Systems), Chris Kemmerer (SSL.com), Markus Wichmann (TeleTrust), Morad Abou Nasser (TeleTrust), Rufus Buschart (TeleTrust), Corey Bonnell (Trustwave), Russ Housley (Vigil Security, LLC), Jeff Ward (WebTrust), Don Sheehy (WebTrust), Tim Crawford (WebTrust), Burkhard Wiegel (Zertificon)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the September 2 teleconference were approved.

5. New Members

SECOM Trust Systems was accepted as a Certificate Issuer member of the SMCWG by a consensus vote.

6. Discussion of approach and deliverables

A discussion was held of major use cases for S/MIME certificates:

https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit?usp=sharing

There was a continued discussion about suitable validity periods for S/MIME certificates. It was noted that S/MIME has more diverse use cases than TLS, and that perhaps the best initial approach was to propose a SHOULD at a shorter span (such as 27 months) and a MUST at a maximum (such as 5 years). Gmail enforces a maximum of 27 months; Federal PKI PIV cards use 36 months; several CAs reported 36 months. Greater variety may be seen in private-trust S/MIME.

This led to a discussion of the goals of setting a validity period. Shorter validity periods may increase policy agility by allowing certificates to be reliably aged out in case of changes to policies or crypto standards. However, they may create challenges for other practices such as the use of crypto tokens, and frequent certificate rotation may place a burden on users to maintain an archive of past keys/certificates in order to access past emails.

It was discussed that signing certificates may merit a different validity period from those used for encryption, or that validity may vary depending on the amount of information in the Subject DN (for example, driver’s licenses, which frequently show a residential address, have shorter validity than passports, which typically show only the holder’s details). It was noted that regimes like ETSI TR 119 300 for crypto suites also have a bearing.

There was discussion of who the dominant Relying Party for S/MIME is. Many S/MIME implementations are within a group of enterprises, whose considerations may differ from those of a “retail” standalone user or a government user. It was suggested that, for issues like validity period, once the SMCWG narrows down a position it should seek wider feedback from the CABF and/or other Relying Parties.

It was again suggested that a separate sheet be set up to gather the different CA profiles for S/MIME.
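As an added illustration of the SHOULD/MUST split discussed above (example code, not from the CA/Browser Forum and not an adopted requirement), the check below classifies a certificate's validity period against the 27-month and 5-year figures floated in the discussion. The thresholds, the function names and the sample dates are assumptions made for the example.

```python
import calendar
from datetime import datetime

# Figures floated in the discussion above; assumed here, not adopted requirements.
SHOULD_MAX_MONTHS = 27   # the span Gmail was said to enforce
MUST_MAX_MONTHS = 60     # the "5 years" ceiling


def add_months(dt: datetime, months: int) -> datetime:
    """Advance dt by whole months, clamping the day to the target month's length
    (so 31 Jan + 1 month is 29 Feb in a leap year, not an invalid date)."""
    y, m0 = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + y, m0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def check_validity(not_before: datetime, not_after: datetime) -> str:
    """Classify a validity period: 'ok' within the SHOULD span, 'warn' beyond it
    but within the MUST ceiling, 'fail' beyond the MUST ceiling."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    if not_after > add_months(not_before, MUST_MAX_MONTHS):
        return "fail"
    if not_after > add_months(not_before, SHOULD_MAX_MONTHS):
        return "warn"
    return "ok"


def check_validity_iso(not_before: str, not_after: str) -> str:
    """Convenience wrapper taking ISO 8601 dates as a lint report might list them."""
    return check_validity(datetime.fromisoformat(not_before),
                          datetime.fromisoformat(not_after))


if __name__ == "__main__":
    # Constructed sample certificates, not real issuance data.
    samples = [
        ("27-month cert", "2020-09-16", "2022-12-16"),
        ("36-month cert (PIV-style)", "2020-09-16", "2023-09-16"),
        ("6-year cert", "2020-09-16", "2026-09-16"),
    ]
    for label, nb, na in samples:
        print(f"{label}: {check_validity_iso(nb, na)}")
```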

7. Any Other Business

No other business.

8. Next call

The next call will take place on September 30, 2020 at 11:00am Eastern Time.

Adjourned
