2022-07-20 Minutes of SMIME Certificate Working Group 

Minutes of SMCWG

July 20, 2022

These are the Draft Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller (SwissSign), Andrea Holland (SecureTrust), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Clint Wilson (Apple), Corey Bonnell (Digicert), Dimitris Zacharopoulos (HARICA), Don Sheehy (CPA Canada/WebTrust), Doug Beattie (GlobalSign), Eva Vansteenberge (GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Judith Spencer (CertiPath), Morad Abou Nasser (TeleTrust), Mrugesh Chandarana (IdenTrust), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Russ Housley (Russ Housley), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Tim Hollebeek (Digicert), Tsung-Min Kuo (Chunghwa Telecom)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

Changes were requested to the June 22 minutes by Dimitris Zacharopoulos relating to the discussion of the membership category for Bridge CAs (currently being adopted as Associate Member). The minutes will be updated and redistributed.

5. Discussion

The WG discussed the expression of interest of Visa to join the SMCWG. It was agreed to welcome Visa as a Certificate Issuer. It was agreed to distribute information about new membership requests to the Management listserv.

The WG returned to the discussion of the draft S/MIME Baseline Requirements available at https://github.com/cabforum/smime/blob/preSBR/SBR.md.

The WG discussed a concern raised by Eva Van Steenberge about the content of section 3.2.41 subsection 4 relating to vetting based on a “certificate supporting a digital signature applied by the Applicant”. Eva noted that there were many national signature schemes similar to eIDAS that should be allowed, either by name or through a described set of eligibility criteria. Clint Wilson noted a preference for describing a set of criteria. Dimitris noted that having both the criteria and a list would be best. Stephen Davidson noted that this list could become quite long, as many countries have regulatory regimes for certificate issuers enabling legally valid signatures, which include identity validation requirements.

Eva also noted that some signature schemes were technology neutral (i.e. not certificate-based). Stephen noted that he would prefer to defer that expanded use case to a later version of the SBR. It was agreed that Stephen would work with Ashish and Eva to propose suitable text.

The WG also discussed concerns raised by Ashish Dhiman relating to the universal application of the organizationIdentifier. Eva noted that in the course of development of EV it was found that it could be difficult to identify registration/identifier numbers for some organisation types, such as government entities or international organisations. Stephen noted that in his experience many of these organisations held an LEI, although not necessarily one in the FULLY_CORROBORATED category. A discussion occurred questioning why CABF precedent restricted LEI use to FULLY_CORROBORATED, when other standards such as ETSI adopted a more expansive use of LEI. Dimitris pointed out that the United Nations had an LEI that was based on self-reported information (possibly because external verification was difficult). Clint asked if the goal of the identifier is to get to a government record, or just to provide a unique identifier. He said it was difficult to tell if an other-than-FULLY_CORROBORATED LEI pointed to accurate information. It was agreed that further investigation of the use of LEI might be considered in a future version.

Eva suggested that for those organisation types, where a registration number is not available, that a replacement tag be used as is the case in EV: “In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity/ International Organization Entity”. It was agreed that Stephen would work with Ashish and Eva to propose suitable text.

Stephen Davidson again noted that edits are being checked in with noncontroversial updates and corrections based upon feedback.

The call remains open for comments that members may have on the draft. Stephen noted that the goal remains to move to ballot at end of summer.

6. Any Other Business

None

7. Next call

Next call: Wednesday, August 3, 2022 at 11:00 am Eastern Time

Adjourned
