
2021-06-23 Minutes of the S/MIME Certificate Working Group

June 23, 2021

These are the Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller (SwissSign), Ali Gholami (Telia Company), Andrea Holland (SecureTrust), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Clint Wilson (Apple), Corey Bonnell (DigiCert), Curt Spann (Apple), Don Sheehy (WebTrust), Enrico Entschew (D-TRUST), Eusebio Herrera (Camerfirma), Hazhar Ismail (MSC Trustgate.com), Hongquan Yin (Microsoft), Inigo Barreira (Sectigo), Janet Hines (SecureTrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Matthias Wiedenhorst (ACAB’c), Mauricio Fernandez (TeleTrust), Morad Abou Nasser (TeleTrust), Niko Carpenter (SecureTrust), Patrycja Tulinska (PSW), Paul van Brouwershaven (Entrust), Rachel McPherson (TrustCor), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Russ Housley (Vigil Security), Sebastian Schulz (GlobalSign), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Crawford (WebTrust), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the May 26 teleconference were approved.

5. Discussion of certificate profile

Discussion of the Mailbox-validation profile has concluded with a few exceptions, including validity period, use of LDAP, and additional extensions.

Stephen noted that changes have been made to the draft S/MIME BR in GitHub to reflect the use of Edwards Curve, as previously discussed. Corey Bonnell has also provided there the scripts that he used to derive the hex-encoded bytes. https://github.com/cabforum/smime/commit/03ea4d19370cb01ea8aeb0d4c1a7fba97542f25c
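The minutes do not say what the scripts do or which bytes they produce, so the following is an added illustration rather than Corey Bonnell's script from the linked commit. It assumes the bytes in question are the DER encodings of the AlgorithmIdentifier for the Edwards-curve OIDs that RFC 8410 defines (id-Ed25519 = 1.3.101.112, id-Ed448 = 1.3.101.113, parameters absent), and it shows how such hex strings are derived from the dotted OID, with a decoder to round-trip check the result.

```python
# Added example (not from the S/MIME BR repository): derive the DER hex encoding
# of AlgorithmIdentifier for the RFC 8410 Edwards-curve OIDs. Assumption: these
# are the kind of hex-encoded bytes the minutes refer to.

def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER value (contents octets only)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    # The first two arcs are merged into a single subidentifier (X.690 8.19).
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        # Base-128, most significant group first; continuation bit on all but the last.
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append((sid & 0x7F) | 0x80)
            sid >>= 7
        out.extend(reversed(groups))
    return bytes(out)

def der_tlv(tag: int, contents: bytes) -> bytes:
    """Wrap contents in a DER tag-length-value with definite-length encoding."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents

def algorithm_identifier(oid: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID } with no parameters,
    which RFC 8410 section 3 requires for the Edwards-curve OIDs."""
    return der_tlv(0x30, der_tlv(0x06, encode_oid(oid)))

# OIDs taken from RFC 8410 section 3.
EDWARDS_OIDS = {
    "id-Ed25519": "1.3.101.112",
    "id-Ed448": "1.3.101.113",
}

def hex_table() -> dict:
    """Name -> lowercase hex of the full AlgorithmIdentifier encoding."""
    return {name: algorithm_identifier(oid).hex() for name, oid in EDWARDS_OIDS.items()}

def decode_oid(contents: bytes) -> str:
    """Inverse of encode_oid; used to round-trip check the encoder."""
    subids, cur = [], 0
    for b in contents:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    if cur:
        raise ValueError("truncated OID: dangling continuation byte")
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

if __name__ == "__main__":
    for name, hx in hex_table().items():
        print(f"{name}: {hx}")
```

The encoder is generic, so it also handles multi-byte arcs such as those in 1.2.840.113549; `hex_table()` returns the Ed25519 and Ed448 encodings that can be compared byte for byte against whatever a profile document lists.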

The WG began to discuss contents of the Organisation-validation Legacy profile. This profile is intended for use where the Subject information describes a Legal Person/Legal Entity.

Although at this stage the WG is simply laying out certificate profiles, a decision must be made whether verification will follow the OV-type requirements or EV. If EV were chosen, would the EV fields be required or optional? Roughly described, OV may verify that the holder is named Organisation X, while EV verifies that the holder is a specific Organisation X in the identified jurisdiction.

A lengthy discussion occurred regarding the possible fields. Clint Wilson and Curt Spann indicated a preference for the well-described verification processes in EV, but did not necessarily see the value of including all the EV fields in the certificates, and asked whether user agents made decisions based on information included in S/MIME certificates.

Ben Wilson pointed out that similar verification would be used for the O information included in the Sponsored-validation profile (to be discussed later); and that the delegated Enterprise RA would only vary the mailbox-holder information.

Mads Henriksveen pointed out that the charter says “Methods for validating identities in TLS certificates also exist and should be leveraged where possible, as well as other identity validation standards common in the industry.”

It was pointed out that Verified Mark Certificates (VMC) may have addressed the same topic. It was agreed to get additional information.

Paul van Brouwershaven noted that the ETSI standards defined semantics identifiers for Natural Person and Legal Person.

Wendy Brown raised that the organisationUnit field may be relevant in S/MIME certificates, particularly for large Government entities. After considerable discussion it was agreed that this could only happen if the OU could be verified with procedures similar to those used for the O, and linking the OU to the O. Wendy and Ben Wilson agreed to propose a verification

6. Any Other Business

None

7. Next call

Next call: Wednesday, July 7, 2021 at 11:00 am Eastern Time

Adjourned
