CA/Browser Forum
Home » All CA/Browser Forum Posts » 2021-03-17 Minutes of the S/MIME Certificate Working Group

2021-03-17 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

March 17, 2021

These are the Approved Minutes of the Teleconference described in the subject of this message.

Attendees

Adrian Mueller (SwissSign), Andrea Holland (SecureTrust), Ali Gholami (Telia Company), Atsushi Inaba (GlobalSign), Burkhard Wiegel (Zertificon), Bruce Morton (Entrust), Ben Wilson (Mozilla), Christy Berghoff (Federal PKI), Clint Wilson (Apple), Corey Bonnell (DigiCert), Curt Spann (Apple), Dean Coclin (DigiCert), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate.com), Russ Housley (Vigil Security), James Knapp (Federal PKI), Janet Hines (SecureTrust), Klauss Voss (Zertificon), David Kluge (Google), Inigo Barreira (Sectigo), Juan Ángel Martin (Camerfirma), Morad Abou Nasser (TeleTrust), Niko Carpenter (SecureTrust), Pedro Fuentes (OISTE), Patrycja Tulinska (PSW), Li-Chun Chen (Chunghwa Telecom), Rebecca Kelley (Apple), Sebastian Schulz (GlobalSign), Stephen Davidson (DigiCert), Thomas Connelly (Federal PKI), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

It was noted that the listserv may not have been distributing messages, including the agenda (which was redistributed offlist before the meeting). The listserv issues appear to now have been resolved.

4. Approval of minutes from last teleconference

The minutes of the February 17 teleconference were approved.

6. Discussion of certificate profile

A discussion commenced regarding the allowed fields in the Subject DN for the various S/MIME certificate types:

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) smime-baseline(5) smime-type (X) smime-grade (y)}

  • Mailbox-validation (1)
  • Organizational-validation (2)
  • Sponsored-validation (3)
  • Individual-validation (4)

For each grade:

  • Strict (1)
  • Multipurpose (2)
  • Legacy (3)

Clint Wilson asked what minimum fields a Certificate Consumer (client software) might expect to see in an S/MIME certificate as this was relevant to any discussion of the Subject. Curt Spann expanded upon that to ask what is the absolute baseline for all cert fields. It was noted that in previous discussions the WG had worked through requirements known to us including those from Mozilla and gmail.

It was noted that following recent discussion in the IETF, https://tools.ietf.org/html/draft-rsalz-use-san-00 would likely not seek to ban the use of CN and Subject Email in S/MIME certs. Corey Bonnell noted that rfc822 SAN was required by RFC 5280 if Subject Email was used.

Wendy Brown raised that multiple emails should be allowed in SAN, assuming that the issuer has verified mailbox control/authorization for each address before issuance. All email addresses in the Subject should be in the SAN. Morad Abou Nasser questioned if encryption certificates should be allowed to have multiple mail boxes (vs aliases).

It was noted that Outlook has provided some information on S/MIME cert processing to the WG. Sebastien Schulz suggested that we more formally survey the Certificate Consumers. Ben and Clint offered to assist. In the absence of direct feedback, Ben Wilson suggested that test certificates might be created to verify behavior in different clients. Questions might include:

  • What are the minimum certificate requirements for processing an S/MIME message?
  • What certificate contents (or absence of contents) would cause S/MIME to fail?
  • Are there failure messages related to certificate configuration?
  • What certificate information is used for display to the mailbox owner by default?
    • In other words, in what order does the software look through cert contents for display?
    • Is this configurable?
  • Does the mail client software have issues processing certificates with more than one rfc822 in the SAN?
  • Does the email software have ability to act upon S/MIME messages based upon information in the certificate? (ie to trigger processing rules)
  • Are there S/MIME certificate current practices that are known to be problematic for mail clients?

6. Any Other Business

None

7. Next call

Next call: Wednesday, March 31, 2021 at 11:00 am Eastern Time

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).