CA/Browser Forum

2023-12-20 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

December 20, 2023

These are the Approved Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Ashish Dhiman – (GlobalSign), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Cade Cairns – (Google), Corey Bonnell – (DigiCert), Dimitris Zacharopoulos – (HARICA), Don Sheehy – (CPA Canada/WebTrust), Enrico Entschew – (D-TRUST), Eva Vansteenberge – (GlobalSign), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Judith Spencer – (CertiPath), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Paul van Brouwershaven – (Entrust), Pekka Lahtiharju – (Telia Company), Rebecca Kelley – (Apple), Renne Rodriguez – (Apple), Scott Rea – (eMudhra), Stefan Selbitschka – (rundQuadrat), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tim Crawford – (CPA Canada/WebTrust), Tsung-Min Kuo – (Chunghwa Telecom)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.

3. Review Agenda

Minutes were prepared by Stephen Davidson.

4. Approval of minutes from last teleconference

The minutes for the teleconference of December 6 were approved.

5. Discussion

Stephen Davidson confirmed that Ballot SMC04 was published as S/MIME BR 1.0.2 on December 8. See https://cabforum.org/smime-br/ for more details.

Stephen said there had been extensive consultation and feedback regarding the addition of CAA for S/MIME to the S/MIME BR, and the intent was to go to ballot at the start of January 2024, proposed by Corey Bonnell (DigiCert) and endorsed by Dimitris Zacharopoulos (HARICA) and Ben Wilson (Mozilla).

Stephen described the ballot text (seen in updated form) at https://github.com/cabforum/smime/compare/5fb2a7ee94d1c5684d5f32af11572e8c10cd2f8c...1fbbdc8f908e6eba779b4ea0de1cbfd20e156c3a

Dimitris requested that the references to RFC 8659 be removed as they were incorporated as a normative reference within RFC 9495. Stephen preferred to maintain the text in 4.2.2.1 that ruled out the TLS property tags for S/MIME but it was agreed that RFC 4945 covered this in sufficient detail. Stephen also agreed to drop the RFC 8659 references.

Bruce Morton queried the language in 4.2.2.1 that required a contract provision for the CA to skip CAA for technically constrained subCAs as it seemed that might require communication with leaf cert holders. Stephen agreed to clarify the language that the contract was with the subCA not the leaf holders. It was suggested that this change also be made in the TLS BR.

Stephen noted that CAA was one of the areas where coordination was required between the different CABF BR such that requirements are consistent and specified for the same CPS subsections. Paul van Brouwershaven noted the consolidation analysis underway at https://vanbroup.github.io/documents/#3224-caa-records.

Dimitris asked whether additional language needed to be added to the S/MIME BR concerning how the DNS verification of CAA should occur, noting the recent bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1839305. Stephen noted that there was already detail on this in RFC 8659.

In cases where DNSSEC is not deployed for a corresponding FQDN, an Issuer SHOULD attempt to mitigate this risk by employing appropriate DNS security controls. For example, all portions of the DNS lookup process SHOULD be performed against the authoritative nameserver. Data cached by third parties MUST NOT be relied on as the sole source of DNS CAA information but MAY be used to support additional anti-spoofing or anti-suppression controls.

Corey was not aware of anything in the standards that prevented delegation of such a service, but thought it would be difficult to get an audit in such circumstances. Stephen asked if members had proposals for language to deal with this and questioned whether the topic belonged in the S/MIME BR or rather a higher level requirement like NetSec. Dimitris said that earlier discussions in the ServerCert WG had related to Whois.
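The two CAA points discussed above, the exclusion of the TLS property tags for S/MIME and how the relevant CAA RRset is found, as an added worked example that is not part of the minutes or of any CA/B Forum ballot text. It implements the RFC 8659 relevant-RRset climb and the RFC 9495 issuemail semantics over a constructed in-memory zone table (an assumption standing in for DNS; a real issuer would resolve against the authoritative nameservers as the quoted BR text requires), and omits CNAME/DNAME handling.

```python
from dataclasses import dataclass

# Issuer Critical flag is bit 0 of the flags octet (value 128, RFC 8659 s4.1).
CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

# Constructed zone data standing in for DNS (assumption: no CNAME/DNAME chains).
# A real issuer queries the authoritative nameservers rather than a cache.
ZONE = {
    "example.com": [CAA(0, "issue", "tls-ca.example"),        # TLS-only tag, ignored for S/MIME
                    CAA(0, "issuemail", "mail-ca.example")],
    "sub.example.net": [CAA(0, "issuemail", ";")],            # empty issuer: nobody may issue
    "locked.example.org": [CAA(CRITICAL, "futuretag", "x")],  # unknown critical property
}

def relevant_rrset(domain):
    """RFC 8659 s3: climb from `domain` toward the root; the first CAA RRset found wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def smime_issuance_permitted(email, issuer_domain):
    """Apply RFC 9495 issuemail semantics to the domain part of `email`."""
    rrset = relevant_rrset(email.rsplit("@", 1)[1])
    # RFC 8659 s4.1: a critical property the issuer does not understand forbids issuance.
    if any(rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS for rr in rrset):
        return False
    mail_rrs = [rr for rr in rrset if rr.tag.lower() == "issuemail"]
    if not mail_rrs:
        return True  # no issuemail property: CAA does not restrict S/MIME, even if `issue` exists
    for rr in mail_rrs:
        # value is "<issuer-domain>[; params]"; an empty issuer domain name matches no CA
        issuer = rr.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == issuer_domain.lower().rstrip("."):
            return True
    return False
```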

Stephen noted that in January the WG would work to finalise another clarifications ballot found at https://github.com/srdavidson/smime/blob/Ballot-SMC06/SBR.md.

Stephen thanked members of the WG for their participation and support in 2023, having undertaken the significant task of creating the first standard for an existing and diverse certificate use. He said it was a good sign of the standard’s clarity that it appeared to have been adopted around the world with few major incidents.

6. Any Other Business

None

7. Next call

Next call: Wednesday, January 3, 2024 at 11:00 am Eastern Time

Adjourned
