CA/Browser Forum

2024-04-24 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

April 24, 2024

These are the Approved Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

Attendees

Abhishek Bhat - (eMudhra), Adriano Santoni - (Actalis S.p.A.), Aggie Wang - (TrustAsia), Andrea Holland - (VikingCloud), Ashish Dhiman - (GlobalSign), Clint Wilson - (Apple), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Jozef Nigut - (Disig), Judith Spencer - (CertiPath), Keshava Nagaraju - (eMudhra), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Morad Abou Nasser - (TeleTrust), Naveen Kumar - (eMudhra), Nome Huang - (TrustAsia), Pedro Fuentes - (OISTE Foundation), Rollin Yu - (TrustAsia), Russ Housley - (Vigil Security LLC), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), Tsung-Min Kuo - (Chunghwa Telecom), Wendy Brown - (US Federal PKI Management Authority)

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The statement was read concerning the antitrust policy, code of conduct, and intellectual property rights agreement.

3. Review Agenda

Minutes were prepared by Stephen Davidson.

4. Approval of minutes from last teleconference

The minutes for the teleconference of April 10 were approved.

5. Discussion

Stephen Davidson noted that Ballot SMC06 was in IPR until May 11. See https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.

Stephen reviewed a proposed clarification from Tim Hollebeek, where section 1.1 defines applicability to leaf certificates only. A proposed change makes clear the applicability to subCAs as well. There were no objections. See https://github.com/cabforum/smime/issues/243.

Among the allowed methods for individual vetting is the ability for the CA or RA to accept a certificate request that has been digitally signed using a certificate from approved frameworks, and to rely on validated certificate details. Stephen noted that when the BR was published it laid out acceptance criteria in 3.2.4.1 (4) (b), but purposefully did not name any approved frameworks in 3.2.4.1 (4) (a), following a decision by the working group that each such framework should be the subject of a separate ballot.

The working group discussed a draft proposed by Stephen to introduce reliance on eIDAS Qualified certificates. He clarified that this was to rely upon attributes in the certificate as evidence of vetting. It did not affect the ability to rely upon electronically signed documents overall. Clint Wilson said the existing acceptance criteria could also be improved, for example, by requiring confirmation that this type of reliance was intended in the use case for the certificate. He said it was important to be clear on the allowed reliance period. For more see https://github.com/cabforum/smime/issues/244.

Stephen noted that with the advent of eIDAS2 the text relating to eID would also need review (subsequently added as https://github.com/cabforum/smime/issues/245).

Stephen noted that feedback was still welcomed from Certificate Issuers on improvements that would facilitate the transition to the Multipurpose and Strict profiles. He proposed a two-stage approach to deprecating the Legacy profile. Stage one proposed a cease issuance approximately a year following the ballot, for example June 15, 2025. The long window is advisable to allow Enterprise RAs with integrations to CAs adequate time to prepare. Stage two would occur after that time, to remove the many Legacy references in the S/MIME BR. See more at https://github.com/cabforum/smime/issues/193.

Wendy Brown raised the negative impact of a shorter validity period on implementations that use smartcards. Stephen agreed to add the topic to a future agenda.

6. Any Other Business

The membership of TrustAsia as a Root CA was confirmed. It was confirmed that the teleconference scheduled for May 22 has been cancelled.

7. Next call

Next call: Wednesday, May 8, 2024 at 11:00 am Eastern Time

Adjourned

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).