CA/Browser Forum
Home » All CA/Browser Forum Posts » 2021-09-15 Minutes of the S/MIME Certificate Working Group

2021-09-15 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

September 15, 2021

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Ali Gholami (Telia Company), Andrea Holland (SecureTrust), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), David Kluge (Google), Don Sheehy (WebTrust), Eusebio Herrera (Camerfirma), Inigo Barreira (Sectigo), Joanna Fox (TrustCor), Mads Henriksveen (BuyPass), Mauricio Fernandez (TeleTrust), Miguel Sanchez (Google), Morad Abou Nasser (TeleTrust), Mrugesh Chandarana (IdenTrust), Patrycja Tulinska (PSW), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Sebastian Schulz (GlobalSign), Stefan Selbitschka (rundQuadrat), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (Federal PKI), Tim Crawford (WebTrust), Tsung-Min Kuo (Chunghwa Telecom), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the September 1 teleconference were approved.

5. Discussion

Ben Wilson raised whether the Certificate Issuers could be informally polled regarding the current and planned usage of ECC in S/MIME certificates, which information would be useful for Certificate Consumers. Subsequently a survey has been sent to the Management list, seeking Certificate Issuer feedback by October 8. The aggregate information (not CA specific) will be shared later with the WG.

Stephen Davidson noted an issue that the WG had ruled out the use of dataEncipherment as a keyUsage as this was typically not relevant to the S/MIME use case. However, research has identified that key management certs do exist that include dataEncipherment, possible as some dual use scenario. After discussion it was agreed that dataEncipherment should be allowed for the Legacy and Multipurpose profiles but not the Strict.

Stephen raised that an alternative suggestion had been made for the certificate profile OIDs. The current proposal is that each certificate type (mailbox, org, etc) each of whose arcs would be expanded for the validation (strict, multipurpose, etc). This creates 12 OIDs at this time. Another approach would have two types of OIDs: one for certificate type (mailbox, org, etc) and one for validation (strict, multipurpose, etc). This would create 7 OIDs, and leaf certs would express the relevant two OIDs. Clint Wilson and Ben Wilson expressed support for the current “single OID” proposal, using a single OID in the cert. Stefan Selbitschka did not note any obvious benefit to software. Corey Bonnell noted that the “two OID” option might lead to confusion when defining policy qualifiers specific to OIDs.

Discussion moved to the Individual Personal-validation profile.

There was discussion relating to the commonName being programmatically created from givenName+surname versus email. Clint Wilson voiced support for there being one option rather than choices. Stephen noted that the WG had feedback that enterprise users in particular preferred having options for display name in the CN, and the proposal was already a significant reform of existing practice.

This led to a discussion whether Pseudonym might be allowed in CN, and an extended discussion regarding the use of Pseudonym attribute with input from Inigo Barreiro and Eusebio Herrera. Concrete guidance on the use of Pseudonym is difficult to find in standards. It was decided to retain Pseudonym in the Mailbox profiles but to drop it from the Personal profiles.

Title will tentatively be allowed subject to defining a verification regime later.

Wendy Brown questioned if we are leaving enough scope to ensure Subject uniqueness from a CA. Clint said that spoke in favor of requiring an email in the Subject while Stephen pointed out that serialNumber is also available to the CA.

Renne Rodriguez indicated that we move to verification we would be well advised to provide guidance for the insertion of multiple/hyphenated names or surname-firstname formats into certs.

6. Any Other Business

None

7. Next call

Next call: Wednesday, September 29, 2021 at 11:00 am Eastern Time

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).