CA/Browser Forum
Home » All CA/Browser Forum Posts » 2020-10-14 Minutes of the S/MIME Certificate Working Group

2020-10-14 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

October 14, 2020

These are the Approved Minutes of the Teleconference described in the subject of this message.

Attendees

Adrian Mueller (SwissSign), Ahmad Syafiq Md Zaini (MSC Trustgate.com), Andreas Henschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust DataCard), Burkhard Wiegel (Zertificon), Chris Kemmerer (SSL.com), Dean Coclin (DigiCert), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate.com), Hongquan Yin (Microsoft), India Donald (Federal PKI), James Knapp (Federal PKI), Janet Hines (SecureTrust), Jeff Ward (WebTrust), Li-Chun Chen (Chunghwa Telecom), Morad Abou Nasser (TeleTrust), Patrycja Tulinska (PSW), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE), Rich Smith (Sectigo), Rufus Buschart (TeleTrust), Russ Housley (Vigil Security), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Crawford (WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the September 30 teleconference were approved.

5. Discussion of approach and deliverables

The discussion continued regarding the fields in S/MIME leaf certificates.

https://docs.google.com/spreadsheets/d/1gEq-o4jU1FWvKBeMoncfmhAUemAgGuvVRSLQb7PedLU/edit?usp=sharing

keyUsage: there was discussion relating to the encipherOnly and decipherOnly keyUsages that may accompany keyAgreement for ECDH, which were noted as being part of a key escrow scheme that is not known to be in common use. Following discussion, it was proposed these might be marked as “MAY but not recommended”. It was agreed that there is great variety in deployment for split vs dual use keys: settings will need to be specified for split vs dual use keys.

extendedKeyUsage: It was agreed that emailProtection MUST be present and serverAuth, codesigning, timestamping, anyExtendedKeyUsage, and ocspSigning MUST NOT be present.

It was agreed that MAY should include clientAuth, Adobe Authentic Documents Trust, Microsoft Document Signing. There was a discussion regarding default deny versus providing flexibility and future innovation. Settings will need to be specified for split vs dual use keys.

basicConstraints: If present, cA field MUST NOT be set true and pathLenConstraint field MUST NOT be present.

SKI: pick up from BR.

AKI: Identical to SKI in the issuing CA cert. authorityCertIssuer and authorityCertSerialNumber must not be populated.

certificatePolices: Define a CABF certificate policy OID asserting compliance with the SMCWG Baseline, and allow CA specific certificate policy OIDs. There was discussion regarding the use of expanding the OIDs to include a baseline email-verified versus a subject-verified OID, and the potential interest of Relying Parties in information such as the use of key escrow or cryptographic tokens.

MAY be present: cps (if present, MUST contain a valid HTTP or HTTPS link to the CPS) and user notice.

Discussion returned to the subject of key escrow; it was argued that keys with a digitalSignature MUST not be escrowed.

It was decided that a strawman would be further discussed on OID option, at least for marking out a roadmap, but that it was likely that for the initial version a single OID for the SMCWG Baseline would be adopted.

AIA: OPTIONAL use of caIssuers and ocsp (latter if present MUST contain at least one publicly accessible HTTP URI). AccessDescription MUST NOT contain any labels or parameters that are specific to an individual certificate. There was discussion relating to the use of LDAP, noting that it should be allowed but if included must be publicly available.

6. Any Other Business

No other business.

7. Next call

The next call will take place on October 28, 2020 at 11:00am Eastern Time.

Adjourned

Latest releases
Server Certificate Requirements
BRs/2.1.2 SC-080 V3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods - Dec 16, 2024

Ballot SC-080 V3: “Sunset the use of WHOIS to identify Domain Contact… (https://github.com/cabforum/servercert/pull/560) Ballot SC-080 V3: “Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods” (https://github.com/cabforum/servercert/pull/555)

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.8 - Ballot SMC010 - Dec 23, 2024

This ballot adopts Multi-Perspective Issuance Corroboration (MPIC) for CAs when conducting Email Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks for S/MIME Certificates. The Ballot adopts the MPIC implementation consistent with the TLS Baseline Requirements. Acknowledging that some S/MIME CAs with no TLS operations may require additional time to deploy MPIC, the Ballot has a Compliance Date of May 15, 2025. Following that date the implementation timeline described in TLS BR section 3.2.2.9 applies. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ashish Dhiman (GlobalSign) and Nicolas Lidzborski (Google).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Related posts
Tags
Minutes S/MIME
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).