
2021-04-14 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

April 14, 2021

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller (SwissSign), Ali Gholami (Telia Company), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Clint Wilson (Apple), Corey Bonnell (DigiCert), Curt Spann (Apple), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Hazhar Ismail (MSC Trustgate.com), Inigo Barreira (Sectigo), Janet Hines (SecureTrust), Jeff Ward (WebTrust), Klauss Voss (Zertificon), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Matthias Wiedenhorst (ACAB’c), Morad Abou Nasser (TeleTrust), Niko Carpenter (SecureTrust), Patrycja Tulinska (PSW), Pedro Fuentes (OISTE), Rebecca Kelley (Apple), Russ Housley (Vigil Security), Sebastian Schulz (GlobalSign), Stefan Selbitschka (rundQuadrat), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (Federal PKI), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the March 31 teleconference were approved.

5. Discussion of certificate profile

A review was made of the current state of the draft S/MIME Baseline Requirements (SBR), which have now been pulled into the CABF Repository at: https://github.com/cabforum/smime/ in the pre-SBR branch.

A discussion took place on proposed language for 8. Compliance audit and other assessments. See https://github.com/cabforum/smime/blob/preSBR/SBR.md#8-compliance-audit-and-other-assessments

Following discussion it was agreed that, in the case of WebTrust seals for example, the S/MIME Baseline Requirements (SBR) audit would be a standalone set of audit criteria. Bruce Morton raised possible complications regarding the Network and Certificate System Security Requirements (NetSec), which may be referenced by the SBR: although NetSec is a standalone document from the perspective of the CABF, its coverage is integrated with the WebTrust TLS BR audit criteria. However, it was indicated that the NetSec criteria were a separate section of WebTrust TLS BR, and that this issue already exists for the Code Signing BR.

Dimitris Zacharopoulos reminded the group that previous discussions had occurred in the CABF before the formation of the SMCWG in which it had been suggested that NetSec be forked into this WG, or deviations from the Server WG’s NetSec specifically noted. It was noted that NetSec will require a separate future discussion in the SMCWG.

It was questioned whether some of the “inherited” language in section 8 was necessary. For example, is it necessary in an S/MIME technical standard to require CAs to adhere to their local laws and licensing requirements? Stephen Davidson noted that this language may have more relevance in S/MIME, for example where countries may have laws relating to key escrow. In addition, he noted the lack of a definition for “licensed as a CA in each jurisdiction where it operates”: does that mean where the CA is incorporated, or where its services may be sold or used? Dimitris indicated that ISO 17065 would define this as the CA’s place of business.

There were questions regarding the continuing applicability of the references to internal audit schemes for Government CAs in section 8.4 (item 3 onwards, relating to non-core controls), as these relate to legacy TLS schemes and may no longer be relevant. It was suggested to seek feedback from the Certificate Consumer trust store operators.

It was proposed that additional comments from members on this Section 8 should be shared on the SMCWG public list. As the audit discussion had been so active, the intended discussion of the Mailbox-validated profile was deferred until a later call.

It was noted that proposed text for algorithms has been added to the draft in https://github.com/cabforum/smime/blob/preSBR/SBR.md#713-algorithm-object-identifiers

6. Any Other Business

None

7. Next call

Next call: Wednesday, April 28, 2021 at 11:00 am Eastern Time

Adjourned
