CA/Browser Forum
Home » All CA/Browser Forum Posts » 2021-10-27 Minutes of the S/MIME Certificate Working Group

2021-10-27 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

October 27, 2021

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller (SwissSign), Adriano Santoni (Actalis), Ali Gholami (Telia Company), Andreas Henschel (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Daniel Zens (GlobalTrust), Don Sheehy (WebTrust), Enrico Entschew (D-TRUST), Eusebio Herrera (Camerfirma), Hazhar Ismail (MSC Trustgate.com), India Donald (Federal PKI), Inigo Barreira (Sectigo), Janet Hines (SecureTrust), Joanna Fox (TrustCor), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Markus Wichmann (TeleTrust), Matthias Wiedenhorst (ACAB’c), Martijn Katerbarg (Sectigo), Mauricio Fernandez (TeleTrust), Morad Abou Nasser (TeleTrust), Mrugesh Chandarana (IdenTrust), Patrycja Tulinska (PSW), Pedro Fuentes (OISTE), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Russ Housley (Vigil Security), Sebastian Schulz (GlobalSign), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Connelly (Federal PKI), Wendy Brown (Federal PKI)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

The minutes of the October 14 teleconference were approved.

5. Discussion

Discussion continued on the maximum validity period in light of the Apple programme and the gmail guidelines stipulating 825 day maximum validity. Based on feedback from the CAs and elsewhere, Ben Wilson of Mozilla suggested that this period may be short, at least in the initial version of the S/MIME BR that could be stepped down in future versions. He suggested that S/MIME has a different threat model from TLS.

Wendy Brown noted that a short profile might push enterprises away from public trust S/MIME. It was also noted that equally the shorter life may encourage those enterprises to move forward with automation. Tadahiko Ito noted that automation for S/MIME was not necessarily widely deployed today.

Clint Wilson suggested that another approach would be to allow a longer validity for the Legacy profile – in return for stating a future deprecation date for that profile. Clint noted that Apple had not received much feed back on the updated CA policy, including the 825 day validity period. Stephen Davidson noted there may be a tradeoff of having the flexible Legacy profile at 825 days for an extended period, versus having the Legacy profile for 1095 days with a fixed sunset for its use.

It was discussed whether S/MIME validity was best dealt with as a policy issue or should be a matter of technical enforcement by application software. It was generally agreed that a common policy standard was preferred. It was agreed that the WG should seek affirmation from the Cert Consumers/ root stores that they intend to accept the S/MIME BR as the minimum requirement for S/MIME.

It was raised that the S/MIME ecosystem will be simpler to standardize when some of the overlaps, such as document signing, are clarified (such as by the IETF proposal for a dedicated EKU for doc signing).

Discussion was held the contents of the primary deliverable as described in the SMCWG charter, and whether the WG was adequately on track:

Verification of control over email addresses

  • Certificate profiles for S/MIME certificates and Issuing CA certificates
  • Key management and certificate lifecycle
  • CA operational practices, physical/logical security, etc.

Stephen Davidson emphasized that drafting was underway on the S/MIME BR and encouraged WG members to review the text as coverage for some topics that have not been specifically discussed in the WG have been carried over from the TLS BR.

Comments and contributions are welcomed, particularly on methods relating to mailbox verification. We are generally taking the approach of “incorporating in” relevant text from other CABF documents rather than “referring out”. Future discussion will focus on:

  • Identity validation for natural persons and legal entities

Clint Wilson raised that he would like to add focused discussion on the requirements surrounding the ‘problematic practice’ of the operation of external Sub CAs to the agenda of a future meeting. Stephen noted this would be done alongside discussion of delegated RAs.

6. Any Other Business

None

7. Next call

Next call: Wednesday, November 10, 2021 at 11 a.m. US Eastern.

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).