[Smcwg-public] FW: MRSP 2.9: S/MIME BRs Transition Timeline

Ben Wilson bwilson at mozilla.com
Fri Jul 28 18:56:27 UTC 2023


I have posted this on our Mozilla CA wiki page for additional guidance
during this S/MIME BRs transition -
https://wiki.mozilla.org/CA/Transition_SMIME_BRs#Audit_Migration_Plan.
Ben

On Tue, Jun 20, 2023 at 6:21 PM Stephen Davidson via Smcwg-public <
smcwg-public at cabforum.org> wrote:

> FYI, for thoroughness:  MDSP announcement re S/MIME BR.
>
> Regards, Stephen
>
> *From:* dev-security-policy at mozilla.org <dev-security-policy at mozilla.org> *On Behalf Of* Ben Wilson
> *Sent:* Friday, June 16, 2023 1:37 PM
> *To:* dev-secur... at mozilla.org <dev-security-policy at mozilla.org>
> *Subject:* MRSP 2.9: S/MIME BRs Transition Timeline
>
>
>
> Greetings,
>
> Our proposal for a migration plan towards having Certification Authorities
> (CAs) follow the CA/Browser Forum’s Baseline Requirements for S/MIME
> Certificates (S/MIME BRs) is as follows, keeping in mind that the Effective
> Date for version 1.0.0 of the S/MIME BRs is September 1, 2023, and assuming
> that ETSI and WebTrust audit criteria are in place for S/MIME BR audits by
> September 1, 2023.
>
> Any root CA certificate being considered for inclusion after September 1,
> 2023, must be audited according to the S/MIME BRs if the email trust bit is
> to be enabled, and the CA operator’s CP or CPS must state that they follow
> the current version of the S/MIME BRs. Note that the CA operator’s first
> S/MIME BR audit may be a Point-in-Time audit if the audit period will be
> less than 60 days, and the audit statement may list non-compliances to be
> resolved within the next annual audit period.
>
> CA root certificates and subordinate CA certificates that are technically
> capable of issuing S/MIME certificates that chain up (either directly or
> transitively) to a root certificate that has the email (S/MIME) trust bit
> enabled in Mozilla's CA Certificate Program shall be audited with a
> Period-of-Time audit according to the S/MIME BRs between September 1, 2023,
> and August 31, 2024, and annually thereafter. For CA operators to maintain
> their current annual audit cycles, the new S/MIME BR audit should be
> provided along with the other audits that the CA operator provides annually.
>
>    - The audit period start date for the first S/MIME BR audit will be
>    September 1, 2023, or earlier.
>       - At the CA operator’s option, the first S/MIME BR audit may cover the
>       entire audit period.
>       - The initial audit period start date for the first S/MIME BR audit
>       cannot be before the effective date of a CA operator’s CP or CPS that
>       confirms the CA operator’s compliance with the current version of the
>       S/MIME BRs.
>    - If the CA operator’s existing regular audit period for other audit
>    types ends after October 30, 2023, then we will expect to receive an S/MIME
>    BR audit that covers September 1, 2023, through the end of that audit
>    period (i.e. a Period-of-Time audit).
>       - If the CA operator’s first S/MIME BR audit period would be less than
>       60 days (e.g. audit period being September 1, 2023, to October 30, 2023),
>       then a Point-in-Time audit may be performed.
>    - The first S/MIME BR audit for each CA root certificate and
>    subordinate CA certificate may include a reasonable list of non-compliances
>    that the CA operator (or subordinate CA operator) is not yet in compliance
>    with.
>       - Only one Incident Bug needs to be filed containing the list of the
>       non-compliances in a CA operator’s first S/MIME BR audit.
>    - Submission of the second S/MIME BR audit report is expected to
>    confirm that the issues that were listed in the first S/MIME BR audit
>    report have been resolved.
>
> We look forward to your constructive feedback on the proposed transition
> timeline.
>
>
>
> Regards,
>
>
>
> Ben and Kathleen
>