
2022-12-07 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

December 07, 2022

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller – (SwissSign), Ashish Dhiman – (GlobalSign), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Dimitris Zacharopoulos – (HARICA), Don Sheehy – (CPA Canada/WebTrust), Eusebio Herrera – (AC Camerfirma SA), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Marco Schambach – (IdenTrust), Patrycja Tulinska – (PSW), Paul van Brouwershaven – (Entrust), Pekka Lahtiharju – (Telia Company), Rebecca Kelley – (Apple), Renne Rodriguez – (Apple), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

3. Review Agenda

4. Approval of minutes from last teleconference

NA

5. Discussion

The WG agreed to drop the planned teleconference for December 21. The January 4 meeting will tentatively go ahead, if only to confirm the effective date of the SBR and the pending availability of audit criteria.

Stephen Davidson confirmed that the IP Review was underway until January 1 and at this time no essential claims had been filed.

Stephen questioned how the WG would like to handle future ballot dates, proposing a fixed schedule of dates which allowed for better planning by Certificate Issuers, and most importantly more orderly communication with certificate users. He proposed 6 possible effective dates (15th of every other month, starting in January). Bruce Morton said he thought two dates were probably adequate for most routine SBR updates, March 15 and September 15.

Dimitris Zacharopoulos commented that the CABF itself was looking at the same question at a forum level. Urgent updates could still be made as needed. Clint Wilson said he’d prefer that such a system be tried informally before it became a formal policy of CABF. Don Sheehy said this would be helpful in aligning the WebTrust criteria annually, which is typically done at the end of year. Stephen summarized that there seemed to be support in SMCWG for the idea of routine effective dates.

Tim Hollebeek noted that there probably would be errata that come up in the early new year as people look at SBR implementation – we already know of an improvement for EdDSA – so hopes people speak up early if amendments should be made.

One example was raised by Bruce Morton, noting that the SBR require that info in the cert must come from a government agency – and this was carried through to Section 3.2.6 as the source for contact details as a Reliable Method of Communication (RMOC). He noted that in the EVG there is an allowance for QIIS (third party databases) for address and phone info. Stephen noted that he was not opposed to using these for contact information to establish a RMOC, but not for attributes that would be included in the certificate. The address attributes, if included, must match the registered entity reflected in the OrgID attribute. Tim and Bruce agreed to confer on a possible proposal.

Noting that he believed there was support for the use of CAA in S/MIME by enterprises, Stephen introduced the subject of CAA for “issuemail”.

Tim encouraged parties who support the use of CAA for S/MIME to join the IETF discussion at https://mailarchive.ietf.org/arch/msg/spasm/chcrIZEit6HcdGyFGNzyiL7Dg6k/. He noted that we could also “go it alone” as was done for VMC but that the RFC approach allowed more detail to be provided on security considerations.

Stephen noted that CAA if adopted would most likely take effect after the September effective date of the SBR v1.0.0. Dimitris commented that there are CAs that issue S/MIME that do not issue TLS, and for whom CAA may be new, so any deadline should have adequate implementation time.

6. Any Other Business

None

7. Next call

Next call: tentative Wednesday, January 4, 2023 at 11:00 am Eastern Time

Adjourned
