S/MIME Certificate Working Group

About

The CA/Browser Forum’s S/MIME Certificate Working Group (SMCWG) was chartered to work on requirements applicable to Certification Authorities that issue S/MIME digital certificates used to sign, verify, encrypt, and decrypt email.  A primary deliverable will address:

• Verification of control over email addresses
• Key management and certificate lifecycle
• Certificate profiles for S/MIME certificates and Issuing CA certificates
• CA operational practices, physical/logical security, etc.

In addition, the SMCWG may also address identity validation for natural persons and legal entities in the context of S/MIME certificates. 

The goal of the SMCWG is to provide a framework where “reasonable assurance” may be provided to senders and recipients of email messages that the party identified in an S/MIME Certificate has control of the domain or email address being asserted. A variation of this use case is where an individual or organization digitally signs email to establish its authenticity and source of origin. 

Officers

Chair: Stephen Davidson (DigiCert)
Vice Chair: Martijn Katerbarg (Sectigo)
Past officers: Mads Egil Henriksveen (Buypass, Vice Chair 2020-2022)

Charter

S/MIME Certificate Working Group Charter

Ballots

SMC WG Ballots

Membership Requirements

There are four membership categories in the S/MIME Certificate Working Group:

  • Certificate Issuers: Certification Authorities that issue publicly trusted S/MIME certificates treated as valid by a Certificate Consumer Member. This group can attend all meetings and vote in the working group.
  • Certificate Consumers: Entities that produce and maintain a mail user agent (web-based or application based) or operate an email service provider that processes S/MIME certificates. This group can attend all meetings and vote in the working group.
  • Interested Parties: Anyone that has an interest in participating in the working group. This group can attend all telephone meetings but cannot vote. They may be invited to face to face meetings by the Chair.
  • Associate Members: Organizations that add value to the working group as determined by the group. Traditionally these have been organizations such as WebTrust, ETSI, Federal PKI, and ICANN (see: https://cabforum.org/liaisons/). This category also includes organizations that intend to be in categories 1 or 2 but have not completed all the required steps. This group can attend all meetings but cannot vote.

In all categories, the CA/Browser Forum by-laws require members to execute and submit the IPR Agreement (See: https://cabforum.org/ipr-policy/).

How to Join the SMCWG

The CA/Browser Forum welcomes new applicants with an interest in S/MIME for membership in the SMCWG.  There is no cost to join.  New applicants should provide the following information by email to questions@cabforum.org:

  1. Category under which the applicant wishes to apply to the SMCWG
  2. Organization name
  3. URL of the applicant’s main Web site
  4. Completed IPR Agreement
  5. Names and email addresses of designated representatives who will participate (identifying a voting representative)
  6. Emergency contact information for security issues related to certificate trust
  7. Certificate Issuers must supply the following additional information:
    • URL of the current qualifying audit report
    • Links or references to issued end-entity certificates that demonstrate them being treated as valid by a Certificate Consumer Member

Mailing List

In addition, the S/MIME Certificate Working Group provides a public mailing list.  To subscribe, see: https://cabforum.org/mailman/listinfo/smcwg-public

Members

Certificate Issuers:
AC Camerfirma SA
AC Firmaprofessional SA
Actalis S.p.A.
Asseco Data Systems SA (Certum)
Buypass AS
CFCA
Chunghwa Telecom
Comsign
DigiCert
D-TRUST
eMudhra
Entrust
GDCA
GlobalSign
GlobalTrust
HARICA
IdenTrust
iTrusChina
Logius PKIoverheid 
MSC Trustgate Sdn Bhd
OISTE Foundation
SECOM Trust Systems
Sectigo
SecureTrust
SHECA
SSC
SSL.com
SwissSign
Telia Company
TWCA
Visa

Certificate Consumer:
Apple
Google
Microsoft
Mozilla/Thunderbird
runQuadrat
Zertificon

Interested Parties:
Arno Fiedler
KPMG Korea
PrimeKey
PSW
TeleTrusT
Vigil Security
Nathalie Weiler

Associate Members:
ACAB Council
CertiPath
CPA Canada/WebTrust
TrustAsia
tScheme
US Federal PKI Management Authority
Zone Media OÜ