CA/Browser Forum

2023-07-19 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

July 19, 2023

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller – (SwissSign), Andreas Henschel – (D-TRUST), Ashish Dhiman – (GlobalSign), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Dimitris Zacharopoulos – (HARICA), Don Sheehy – (CPA Canada/WebTrust), Eva Vansteenberge – (GlobalSign), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Judith Spencer – (CertiPath), Li-Chun Chen – (Chunghwa Telecom), Marco Schambach – (IdenTrust), Morad Abou Nasser – (TeleTrust), Mrugesh Chandarana – (IdenTrust), Nome Huang – (TrustAsia Technologies, Inc.), Pedro Fuentes – (OISTE Foundation), Renne Rodriguez – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Scott Rea – (eMudhra), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Wendy Brown – (US Federal PKI Management Authority)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.

3. Review Agenda

Minutes were prepared by Stephen Davidson.

4. Approval of minutes from last teleconference

The minutes were approved from the following SMCWG meetings: June 21.

5. Discussion

Stephen Davidson noted that the minutes from the F2F were still outstanding.

Stephen noted that Ballot SMC03 passed and was now in IPR, scheduled to conclude on August 11. Bruce Morton said that full redlines (as opposed to the GitHub diff) would be helpful.

Stephen opened the floor for discussion of issues that may have arisen during implementation of the SBR.

Dimitris Zacharopoulos asked for confirmation that existing CAs that used anyPolicy (and are otherwise compliant) could be used going forward. Stephen confirmed and said that updates would only be required when explicit CP OIDs were used.

Tim Hollebeek requested that the CABF host a high level discussion on the use of anyPolicy versus explicit CP OIDs in CAs. Dimitris said that policy chaining was desirable, and that such a discussion would be useful particularly given the move towards dedicated “use case” hierarchies.

Stephen noted that questions had arisen relating to finding phone numbers, which may not always be provided in government data sources. He said he believed that the existing text allowed the use of “QIIS” type resources for phone numbers but that this may be an area that the WG may wish to improve. Bruce and Tim supported this. Stephen noted that even the phone book would be a QIIS. Tim asked if any Cert Consumers had issues with this: no issues were raised.

Ben Wilson noted that Mozilla had distributed guidance points on the lists and at wiki.mozilla.org. This includes some guardrails for the acceptable reissuance of Issuing CAs.

Stephen asked if Certificate Issuers were having issues with finding organizationIdentifiers for Orgs. None were raised. He noted that the SBR text included the prefix “GOV” which at the time of writing was in a draft being discussed at ETSI for 319 412-1 but appears to not have moved ahead.

Tim provided an update on the CAA RFC at the IETF. It has cleared final call and the expert review phases in the IETF process, so will become an operational RFC once it clears the final edit. Stephen said that CAA is targeted for discussion in the SMCWG this autumn, with a lengthy implementation window.

Stephen commented that ETSI TS 119 411-6 (overlaying the SBR on ETSI requirements) was going through remote consensus and was expected to become final around the time of the SBRv1. In the meantime, the text in SMC03 is adequate for Certificate Issuers who use ETSI audits.

Stephen asked if any Certificate Issuers would be interested in working on a ballot to include a signature scheme (such as eIDAS) as a vetting option. See the relevant section in the SBR cabforum/smime item 4.

Stephen encouraged members to use the issues list on GitHub at cabforum/smime. Pedro Fuentes asked if the group could do a routine review of those issues in a call.

6. Any Other Business

None

7. Next call

Next call: tentative Wednesday, August 2, 2023 at 11:00 am Eastern Time

Adjourned
