CA/Browser Forum
Home » All CA/Browser Forum Posts » 2023-05-24 Minutes of the S/MIME Certificate Working Group

2023-05-24 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

May 24, 2023

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller (SwissSign), Andreas Henschel (D-TRUST), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade Cairns (Google), Chad Ehlers (IdenTrust), Clint Wilson (Apple), Corey Bonnell (DigiCert), Dave Chin (CPA Canada/WebTrust), Dimitris Zacharopoulos (HARICA), Don Sheehy (CPA Canada/WebTrust), Doug Beattie (GlobalSign), Eva Vansteenberge (GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Jamie Mackey (US Federal PKI Management Authority), Janet Hines (VikingCloud), Marco Schambach (IdenTrust), Morad Abou Nasser (TeleTrust), Mrugesh Chandarana (IdenTrust), Pekka Lahtiharju (Telia Company), Rebecca Kelley (Apple), Rollin Yu (TrustAsia Technologies, Inc.), Russ Housley (Vigil Security LLC), Scott Rea (eMudhra), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Hollebeek (DigiCert), Tsung-Min Kuo (Chunghwa Telecom)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.

3. Review Agenda

Clint has asked to add a topic on the the issue of legacy issuing CAs

Minute taker Martijn Katerbarg.

4. Approval of minutes from last teleconference

The minutes were approved from the following SMCWG meetings: May 10.

5. Discussion

Membership confirmation of Logius as Certificate Issuer

Logius / PKIOverheid were previously a ServerCert WG member. They have applied for a Certificate Issuer membership in the S/MIME WG.

Membership is granted by group consensus.

Rob Lee topic re: Mailbox Address https://github.com/cabforum/smime/issues/198

Stephen proposed to add a definition for Mailbox Address in the SBRs. Doug adds that we should make sure it’s clearly defined as an email address. Stephen will be proposing language.

Bruce Morton re: Enterprise RA https://github.com/cabforum/smime/issues/198

Bruce has pointed out that for clarification we should have language stating that “The CA, RA or Enterprise RA SHALL collect and retain evidence”. At current, the “Enterprise RA” bit is missing. It’s proposed to add the Enterprise RA into the same language. No objections are raised.

ETSI standard update re audit

The Erratum ballot proposes to update the language on which ETSI guidelines may be used, as well as a reference to the S/MIME BRs themselves. ETSI is preparing new audit requirements for which a draft has been created, TS 119411-6, and contains mapping against the S/MIME profiles and OIDs. The hope is to have this in place before September 1st.

Stephen mentioned he hopes to be able to share the draft within a few weeks.

Dimitris raises a question regarding ETSI certificate policy identifiers, in which it appears that Sponsor-validated can be done on the ETSI LCP requirements, where Individual requires NCP as minimum. Stephen confirms this is correct, for at least the first version of the ETSI audit criteria.

F2F topics – Legacy issuing CAs, erratum ballot, Enterprise RA topics

Legacy Issuing CAs

Clint has requested adding a topic regarding legacy issuing CAs. Clint explained reading the BRs that any ICA issued prior to the effective date, will need to be compliant if it wants to continue issuing certificates after the effective date. Apple has received multiple requests asking for exceptions and grandfathering. While being open for a discussion, it’s proposed that we should be adding appropriate language into the SBR, if we want to allow this.

Bruce raises the point that while we have an effective date, no root programs have as of yet added language to actually require adherence to it. Tim states his agreement to this statement, and clarifies that the SBRs state what the requirements are when a certificate is issued, including when an ICA is issued.

Ben added that they are with Apple’s view at this moment. If any audit finds an ICA does not comply, we will allow that for one year at maximum. A change to the SBRs is also preferred by Mozilla if we agree that we should allow this.

Dimitris points out that BR requirements have always been read as the requirements applicable when a certificate is issued, and not retroactively put on an already issued ICA.

Tim clarifies that it seems the SBRs don’t state anything regarding the use of existing ICAs. While allowing all existing ICAs may not be appropriate, it may be appropriate to allow, for example, existing ICAs with different OIDs if they were issued prior to the Effective Date

The discussion it to be continued during the F2F. Stephen asks for people to reach out in order to help deal with this and scope which exceptions we want to allow.

Erratum ballot

A last call for the erratum ballot will be done during the F2F.

Other topics during the F2F

  • orgIdentifier discussion
  • Root Store updates. A discussion broke out on where and when root store updates need to happen, during the Forum call or if each WG should get its own section of root store updates. Tim has asked for a discussion to be added to the Forum call during the F2F.

Current erratum text at https://github.com/srdavidson/smime/blob/Ballot-SMC03/SBR.md

6. Any Other Business

None

7. Next call

Next call: F2F, Redmond. June 7th

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).