
2023-09-27 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

September 27, 2023

These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Abhishek Bhat – (eMudhra), Andrea Holland – (VikingCloud), Andreas Henschel – (D-TRUST), Ashish Dhiman – (GlobalSign), Ben Wilson – (Mozilla), Bilal Ashraf – (SSL.com), Cade Cairns – (Google), Clint Wilson – (Apple), Hazhar Ismail – (MSC Trustgate Sdn Bhd), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Judith Spencer – (CertiPath), Keshava Nagaraju – (eMudhra), Li-Chun Chen – (Chunghwa Telecom), Mrugesh Chandarana – (IdenTrust), Nome Huang – (TrustAsia Technologies, Inc.), Paul van Brouwershaven – (Entrust), Pekka Lahtiharju – (Telia Company), Rebecca Kelley – (Apple), Renne Rodriguez – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Russ Housley – (Vigil Security LLC), Scott Rea – (eMudhra), Stefan Selbitschka – (rundQuadrat), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tim Crawford – (CPA Canada/WebTrust), Tsung-Min Kuo – (Chunghwa Telecom), Wendy Brown – (US Federal PKI Management Authority), Yashwanth TM – (eMudhra)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.

3. Review Agenda

Minutes were prepared by Stephen Davidson.

4. Approval of minutes from last teleconference

The minutes were approved from the following teleconferences:

  • September 13

5. Discussion

Russ Housley noted that the draft RFC for CAA for S/MIME was approaching conclusion and publication. Stephen Davidson said that, once the RFC was published, the SMCWG would move to introduce a ballot requiring CAA for S/MIME with a long implementation window.

Russ also noted that a new RFC was underway that would replace the one referenced for otherName of type id-on-SmtpUTF8Mailbox.

Stephen again noted that the issues list is being actively updated at the GitHub issues list and encouraged SMCWG members to comment there. He is working on a draft SMC04 ballot of further corrections, which may be seen at Ballot SMC04 draft.

The WG discussed proposed text to incorporate intermediate CAs in the definition of Extant S/MIME CA.

Stephen noted an email sent to the list by Martijn Katerbarg describing that backdating of revocations was now permitted in both the Code Signing and TLS BR, but is not described in the S/MIME BR. Clint Wilson said he had no strong objection to adding this allowance, as it would not block a user from accessing old emails. Russ noted that the CS and TLS BR vary in their description of invalidityDate versus revocationDate. Scott Rea said it is unknown whether email software is generally aware of the invalidityDate extension, but clear standards might make it more attractive.

Wendy Brown said that email software UI is often not specific about “problems relating the certificate” including expiry and revocation and wondered if such a requirement should be expressed as a MAY rather than a SHOULD.

Paul van Brouwershaven and Stefan Selbitschka said that email software treated time stamps loosely so the effectiveness of revocation times was reduced. Stephen asked if the WG had any sway to affect those industry standards, other than to ensure that revocation times were as accurate as possible.

Stephen described proposed text in the draft SMC04 which requires “the proper stacking” of address fields (for example, only allowing streetAddress if locality or state was present). No objections were raised.

Stephen described proposed text in the draft SMC04 to reference the new ETSI TS 119 411-6 in sections 8.4 and 8.6. He said he would also share it with ACAB’c, and no objections were raised.

Stephen described proposed text in the draft SMC04 to clarify the keyUsage table. No objections were raised.

The WG discussed the agenda for the CABF #60 meeting. Topics included Pseudonym, organisationIdentifier and jurisdiction-level setting, and CAA for S/MIME. Other possible topics raised included extensions showing ERA involvement, attestation of keys, and whether to adopt a table format such as that recently introduced to the TLS BR in ballot SC62. Clint noted that he would like the deprecation timeline for the Legacy generation to be discussed.

Ben Wilson noted that he welcomed suggestions from Certificate Issuers that might be considered for the roadmap of email client software.

6. Any Other Business

None

7. Next call

Next call: Thursday, October 5, 2023 at the CABF#60, see wiki for details.

Adjourned
