CA/Browser Forum

2023-11-15 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

November 15, 2023

These are the Approved Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Adrian Mueller – (SwissSign), Andrea Holland – (VikingCloud), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Christophe Bonjean – (GlobalSign), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Judith Spencer – (CertiPath), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Miguel Sanchez – (Google), Morad Abou Nasser – (TeleTrust), Paul van Brouwershaven – (Entrust), Rebecca Kelley – (Apple), Robert Lee – (GlobalSign), Russ Housley – (Vigil Security LLC), Scott Rea – (eMudhra), Stefan Selbitschka – (rundQuadrat), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Wendy Brown – (US Federal PKI Management Authority)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.

3. Review Agenda

Minutes were prepared by Stephen Davidson.

4. Approval of minutes from last teleconference

The minutes for the meeting at the F2F CABF#60 and the teleconference of October 25 were approved.

5. Discussion

Stephen Davidson confirmed that Ballot SMC04 had passed and was now in IP review, ending at 1700 UTC on December 8.

Stephen walked through the draft text of a ballot to introduce CAA for S/MIME, which may be seen at https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...29f73eb50573bf3e04cb417aaf67be1c209f066b, noting that it drew heavily on the text already found in the TLS BR. Clint Wilson noted that CAA should be applied to all email addresses in the certificate, and that mailbox addresses in the Subject should be repeated in the SAN.

Stephen noted that he had reached out to KeyFactor (EJBCA) regarding the topic, and strongly encouraged CAs that use commercial software to speak with their respective vendors on the implementation of CAA for S/MIME.

Stephen outlined the timeline previously discussed in the WG, which would call for a SHOULD after ~6 months and a SHALL after ~12 months (final dates to be determined at the time of ballot). He asked for feedback on the acceptability of those timeframes.

Stephen then reviewed the issues at https://github.com/cabforum/smime/issues, noting those that are already implemented in the draft of a future cleanup ballot, which can be found at https://github.com/srdavidson/smime/commits/Ballot-SMC05/SBR.md.

Stephen noted several new issues filed by Rob Lee and suggested to WG members that this was a good place to file questions that may be raised in the course of operating under the SBR.

The WG discussed the revocation backdating topic seen at https://github.com/cabforum/smime/issues/221. It was agreed to park the topic for now, given the doubts that backdating had a use in the S/MIME protocol as it stands. Stephen said the WG would return to the topic in future if it simplified implementations for CA operators.

The WG discussed the topic of the SV Legacy Subject which had arisen in several teleconferences; Stephen noted that the group would return to it in December. One consideration was whether to tweak the Legacy profile, or to focus on the date upon which the Legacy profiles might be reasonably retired. Stephen again asked CAs to consider if there were elements missing from the Multipurpose or Strict profiles that might complicate this migration.

6. Any Other Business

None

7. Next call

Next call: Wednesday, December 6, 2023 at 11:00 am Eastern Time

Adjourned
