CA/Browser Forum
Home » All CA/Browser Forum Posts » 2020-09-30 Minutes of the S/MIME Certificate Working Group

2020-09-30 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

September 30, 2020

These are the Approved Minutes of the Teleconference described in the subject of this message.

Attendees

Adrian Mueller (SwissSign), Ahmad Syafiq Md Zaini (MSC Trustgate.com), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust DataCard), Burkhard Wiegel (Zertificon), Dean Coclin (DigiCert), Don Sheehy (WebTrust), Doug Beattie (GlobalSign), Dr. Holger Muehlbauer (TeleTrust), Hazhar Ismail (MSC Trustgate.com), Hugh Mercer (GlobalSign), India Donald (Federal PKI), James Knapp (Federal PKI), Janet Hines (Trustwave), Jeff Ward (WebTrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Mike Guenther (SwissSign), Morad Abou Nasser (TeleTrust), Rufus Buschart (TeleTrust), Russ Housley (Vigil Security, LLC), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the September 16 teleconference were approved.

5. Discussion of approach and deliverables

The discussion continued regarding the fields in S/MIME leaf certificates.

https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit?usp=sharing

Validity period: confirming that initial version will seek a maximum validity SHOULD of 27 months and a MUST of 5 years rather than seek to vary by use of tokens or other variables.

Subject DN: will be addressed later in our work, with the exception of noting that all email addresses in an S/MIME certificate must be verified whether in Subject DN or SAN. There was a preference towards adopting the BR and Gmail requirement for an email address in the Subject to be repeated in the SAN).

Subject Public Key Information: There was discussion at length regarding allowed algorithms. The Mozilla policy and BR focus on webpki preferences. However, there may be interest from Certificate Issuers and their customers in alternative algorithms. These include Curve25519 and Curve 448 (RFC 7748), BrainPool (recommended by German Government standard from BSI TR-03116), Gost (RFC 7901), SM2 (IETF draft-shen-sm2-ecdsa-02).

Currently the Mozilla root store agreement states that “Root certificates in our root program, and any certificate which chains up to them, MUST use only algorithms and key sizes from the following set”. Mozilla stated openness to adapt that text should there be demand amongst S/MIME Certificate Issuers or Certificate Consumers. A decision was made to gather more information and revisit the subject in a later meeting.

Key Usage: There was discussion relating to dual use versus split use certificates (and the latter applicability when key escrow is provided). It was pointed out that the Gmail policy would seem to exclude split keys (as MUST for digitalSignature and/or nonrepudiation). There is significant variation in practice.

There was discussion regarding key escrow: only allowing for encryption keys. There may be interest in marking keys where the CA generates keys, but may be deceptive as key escrow could be occurring outside the CA (such as using an enterprise key management system).

6. Any Other Business

No other business.

7. Next call

The next call will take place on October 14, 2020 at 11:00am Eastern Time.

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).