2023-03-01 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

March 1, 2023

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Andrea Holland – (VikingCloud), Andreas Henschel – (D-TRUST), Aneta Wojtczak-Iwanicka – (Microsoft), Ben Dewberry – (Keyfactor), Ben Wilson – (Mozilla), Brittany Randall – (GoDaddy), Bruce Morton – (Entrust), Bruce Wei – (TrustAsia Technologies, Inc.), Chris Clements – (Google), Chris Kemmerer – (SSL.com), Christophe Bonjean – (GlobalSign), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Daryn Wright – (GoDaddy), Dave Chin – (CPA Canada/WebTrust), David Kluge – (Google), Dimitris Zacharopoulos – (HARICA), Don Sheehy – (CPA Canada/WebTrust), Doug Beattie – (GlobalSign), Dre Armeda – (GoDaddy), Elaine Bronsther – (Sectigo), Ellie Lu – (TrustAsia Technologies, Inc.), Enrico Entschew – (D-TRUST), Eva Vansteenberge – (GlobalSign), George Fergadis – (HARICA), Hazhar Ismail – (MSC Trustgate Sdn Bhd), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Jamie Mackey – (US Federal PKI Management Authority), Janet Hines – (VikingCloud), Jeremy Rowley – (DigiCert), Joanna Fox – (TrustCor Systems), Karina Sirota – (Microsoft), Kathleen Wilson – (Mozilla), Li-Chun Chen – (Chunghwa Telecom), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Martijn Katerbarg – (Sectigo), Matthias Wiedenhorst – (ACAB Council), Michael Slaughter – (Amazon), Nargis Mannan – (VikingCloud), Nick France – (Sectigo), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Pekka Lahtiharju – (Telia Company), Raffaela Achermann – (SwissSign), Rebecca Kelley – (Apple), Renne Rodriguez – (Apple), RIch Smith – (DigiCert), Rollin Yu – (TrustAsia Technologies, Inc.), Ryan Dickson – (Google), Sissel Hoel – (Buypass AS), Star Simmons – (GoDaddy), Stephen Davidson – (DigiCert), Steven Deitte – (GoDaddy), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tim Callan – (Sectigo), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Tsung-Min Kuo – (Chunghwa Telecom)

1. Read Antitrust Statement

The Antitrust/Compliance Statement was read.

2. Review Agenda

Minutes are prepared by Martijn.

3. Approval of minutes from last teleconference

Don pointed out he was missing on the attendees list for the draft minutes. Besides that change, the minutes of the February 15 teleconference were approved.

4. Member Applications

TrustAsia has requested to become member of the SMCWG. They are an existing CABF Associate Member. Their eligibility was confirmed, and there were no objections to their membership request. TrustAsia was granted Associate Member status in SMCWG.

5. Discussion

• Timeline

  • Stephen ran through the S/MIME BR timeline, including the availability of audit criteria and the Sept 1 effective date.
  • Dimitris asked what root stores plan on changing in their policies regarding audits.
  • Ben responded that Mozilla plans on making changes to include the WebTrust and ETSI S/MIME audits. Mozilla does not expect early audit reports to be submitted.
  • Clint added that Apple would like to see initial audit reports covering the final months of 2023, by April 2024 for all CAs, and are looking for feedback. Apple will send out communication soon to all CAs and they are looking to receive feedback. There was discussion that a “short term, out of cycle” audit would be a considerable expense.

• S/MIME BR Linting

  • Corey gave a presentation on the current state of S/MIME certificate issuance. This presentation is attached to the minutes. There was discussion regarding the creating of linting software for the SMIME BR.

• Issuing CA

  • More than 700 issuing CAs currently exist capable of issuing S/MIME certificates. For clarify it is pointed out that any Subordinate CA issued prior to September 1st, 2023, but still used for S/MIME issuance on or after September 1st, 2023, will also need to be fully compliant with the SBRs.
  • Clint pointed out that Apple is indeed planning on requiring Subordinate CAs to be compliant if they still issue on or after September 1st, 2023. Earlier discussions of the SMCWG indicated an allowance for such CAs to be reissued if required.

• Erratum Ballot

  • There is ballot text available to address the keyUsage table which currently is missing items for EdDSA.
  • Clarification text is also available for Enterprise RA text in Section 1.3.2.1.
  • We will need to update the appropriate ETSI standard in Section 8.4 once it becomes available.
  • If anyone has more items to add, they are encouraged to bring this up, so we can start moving towards a ballot.
  • There’s a discussion on if an Enterprise RA can or cannot issue a Sponsor Validated certificate to for example a contractor, who are not technically an employee. There’s general agreement on that if the contactor’s identity is validated by the Enterprise RA, and the certificate is issued to an email domain under the control/authority of the Enterprise RA, this should already be allowed by the SBRs.
  • Bruce raised the item that has been circulated on the mailing list regarding the use of QIIS and QTIS. This will be raised again on the next call.

• CAA for S/MIME

  • There’s an internet-draft available at https://datatracker.ietf.org/doc/draft-bonnell-caa-issuemail/. The draft is up for discussion in the IETF lamps working group next month.
  • The proposal is the create a ballot and set an effective date in 2024. Questions were raised what the rush is with CAA for S/MIME. Stephen adds that this has been a wish from several Enterprises, and the desire is to provide long forward visibility of the change as some CAs may not have strong CAA experience. Clint adds that the Apple Root Program would also like to see this, potentially with an effective date later in 2024 to give CA’s enough time to implement.
  • Dimitris asks if we’re looking to adopt the same language as the TLS BRs use. Stephen confirms this so we align as much as possible.

• What’s Next

  • Stephen requests people to consider to think about what would be useful tasks for the S/MIME WG to proceed now that the initial goal of getting the first SBR version out. Ideas are given for:

  • Linting

    • ACME related automation for S/MIME
    • Additional methods for email domain verification
    • Separation of the documentSigning EKU
    • Special extensions for CA escrow, key generation, key storage
    • Recommended standards for keyUsage
    • Set a max time for private key reuse

1. Any Other Business

None

7. Next call

Next call: March 15, 2023

Adjourned