[Smcwg-public] Proposed text for handling transition of existing S/MIME subCAs

Stephen Davidson Stephen.Davidson at digicert.com
Fri Jun 16 17:22:15 UTC 2023


Hello:



At the face-to-face it was agreed that the SMCWG would propose a ballot to lay out parameters for Certificate Issuers to step from old S/MIME SubCAs to SubCAs that are fully-compliant with the S/MIME BR (SBR).



The following proposal does several things:



1. It provides a new definition of "Extant S/MIME CA" for SubCAs that can be used during the transition phase. This makes an easy reference for external requirements that may wish to pick up the definition; it also avoids the word "legacy" which is already used in the SBR.
2. It adds a new Appendix B which allows "Extant" SubCAs to be used to issue otherwise compliant leafs following the Effective Date this Sept. However, all S/MIME CAs would need to meet the SBR reqs by Sept 15, 2024.



The text does not require the revocation of the Extant S/MIME CAs; merely that they cease issuance before September 15, 2024.



This will be on our Agenda for next week.  I am also seeking endorsers, assuming this text finds support in the SMCWG.



Regards, Stephen



New definition

**Extant S/MIME CA**: A Subordinate CA that:

1. Is a Publicly-Trusted CA Certificate with end entity S/MIME Certificates that are valid as of June 15, 2023;
2. Is audited and has appeared on the CA's latest audit report which is acceptable to the relevant program for Publicly-Trusted Certificates;
3. The CA Certificate includes no Extended Key Usage extension, contains anyExtendedKeyUsage in the EKU extension, or contains id-kp-emailProtection in the EKU extension;
4. The CA Certificate complies with the profile defined in RFC 5280. The following two deviations from the RFC 5280 profile are acceptable:

   a. The CA Certificate contains a nameConstraints extension that is not marked critical;

   b. The CA Certificate contains a policy qualifier of type UserNotice which contains explicitText that uses an encoding that is not permitted by RFC 5280 (i.e., the DisplayText is encoded using BMPString or VisibleString); and

5. The CA Certificate may contain the anyPolicy identifier (2.5.29.32.0) or specific OIDs in the certificatePolicies extension that do not include those defined in Section 7.1.6.1 of these Requirements.

7.1.2.2 Subordinate CA certificates

[Insert the following sentence into the intro.]

The issuance of end entity S/MIME Certificates by Extant S/MIME CAs is described in Appendix B.

Appendix B - Transition of Extant S/MIME CAs

Following the Effective Date for v 1.0.0 of these Requirements (September 1, 2023) an Extant S/MIME CA may continue to issue end entity S/MIME Certificates that are compliant with these Requirements.



On or after September 15, 2024, all newly-issued Publicly-Trusted end entity S/MIME Certificates must be issued from S/MIME Subordinate CAs that are compliant with these Requirements.
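As an added example, not part of the proposal or of any CA's own tooling, the following Python script shows how a CA compliance engineer might check a Subordinate CA certificate against the technical items of the "Extant S/MIME CA" definition above (items 3, 4a, 4b and 5) and evaluate an issuance date against the Appendix B window. It assumes the `cryptography` library is installed. Items 1 and 2 depend on the CA's issuance records and audit report, so the script only approximates item 1 by the CA certificate's own validity period. The set of Section 7.1.6.1 policy OIDs is left as a placeholder because the proposal does not list them, and the demo certificate, its name constraint and its policy OID are constructed values. Item 4b needs a raw DER scan because `cryptography` decodes `explicitText` to a string and discards the original encoding.

```python
"""Added example: checks a Subordinate CA certificate against the technical items of the
proposed "Extant S/MIME CA" definition (3, 4a, 4b, 5) and the Appendix B issuance window.
Assumes the `cryptography` package; items 1 and 2 (audit, issued leaves) need CA records."""
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = dt.timezone.utc
LEAF_VALID_AS_OF = dt.datetime(2023, 6, 15, tzinfo=UTC)  # definition, item 1
EFFECTIVE_DATE = dt.datetime(2023, 9, 1, tzinfo=UTC)     # SBR v1.0.0 Effective Date
SUNSET = dt.datetime(2024, 9, 15, tzinfo=UTC)            # Appendix B cut-off
SBR_POLICY_OIDS = set()  # placeholder: the Section 7.1.6.1 OIDs are not listed in the proposal
ID_QT_UNOTICE_DER = bytes.fromhex("06082b06010505070202")  # DER of OID 1.3.6.1.5.5.7.2.2
DEVIANT_TAGS = {0x1A, 0x1E}  # VisibleString, BMPString: item 4b deviations from RFC 5280

def check_eku(cert):
    """Item 3: no EKU, or EKU lists anyExtendedKeyUsage or id-kp-emailProtection."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku or ExtendedKeyUsageOID.EMAIL_PROTECTION in eku

def name_constraints_deviation(cert):
    """Item 4a: nameConstraints present but not marked critical (tolerated)."""
    try:
        return not cert.extensions.get_extension_for_class(x509.NameConstraints).critical
    except x509.ExtensionNotFound:
        return False

def _der_len(buf, i):  # decode the DER length at buf[i] -> (length, index of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def explicit_text_tags(der):
    """ASN.1 tag of every UserNotice explicitText in raw DER. cryptography decodes
    DisplayText to str and drops the encoding, so scan for the id-qt-unotice OID and
    read the UserNotice SEQUENCE that follows it, skipping an optional noticeRef."""
    tags, start = [], 0
    while (pos := der.find(ID_QT_UNOTICE_DER, start)) != -1:
        i = start = pos + len(ID_QT_UNOTICE_DER)
        if i + 1 >= len(der) or der[i] != 0x30:  # expect the UserNotice SEQUENCE
            continue
        length, i = _der_len(der, i + 1)
        end = i + length
        if i < end and der[i] == 0x30:           # noticeRef SEQUENCE: skip it
            length, i = _der_len(der, i + 1)
            i += length
        if i < end and der[i] in {0x0C, 0x16, 0x1A, 0x1E}:  # DisplayText CHOICE tags
            tags.append(der[i])
    return tags

def policies_acceptable(cert):
    """Item 5: anyPolicy or OIDs outside Section 7.1.6.1 are fine; an SBR OID is not."""
    try:
        pols = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return True
    return all(p.policy_identifier not in SBR_POLICY_OIDS for p in pols)

def technical_findings(cert):
    """Everything checkable from the CA certificate alone, as name -> bool."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    f = {"ca_valid_on_2023-06-15": nb <= LEAF_VALID_AS_OF <= na,  # necessary for item 1
         "eku_ok": check_eku(cert),
         "nameConstraints_noncritical": name_constraints_deviation(cert),
         "userNotice_bmp_or_visible": any(t in DEVIANT_TAGS for t in explicit_text_tags(cert.public_bytes(Encoding.DER))),
         "policies_ok": policies_acceptable(cert)}
    f["extant_technical"] = f["ca_valid_on_2023-06-15"] and f["eku_ok"] and f["policies_ok"]
    return f

def issuance_permitted(issue_date, extant):
    """Appendix B: may an Extant (True) or SBR-compliant (False) SubCA issue on issue_date?"""
    if issue_date < EFFECTIVE_DATE:
        return True        # before v1.0.0 takes effect, Appendix B does not apply
    if issue_date >= SUNSET:
        return not extant  # from 2024-09-15 only SBR-compliant SubCAs may issue
    return True            # transition window: Extant CAs may issue compliant leaves

def build_demo_ca(eku=None, nc_critical=None, policies=()):
    """Constructed self-signed CA certificate for demonstration only (not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Extant S/MIME CA")])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(dt.datetime(2020, 1, 1, tzinfo=UTC))
         .not_valid_after(dt.datetime(2030, 1, 1, tzinfo=UTC))
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False)
    if nc_critical is not None:  # constructed rfc822 constraint, present only to set the flag
        b = b.add_extension(x509.NameConstraints([x509.RFC822Name("example.com")], None), critical=nc_critical)
    if policies:  # each policy carries a UTF8String UserNotice so the item 4b scan has input
        b = b.add_extension(x509.CertificatePolicies([x509.PolicyInformation(
            o, [x509.UserNotice(None, "Demo notice")]) for o in policies]), critical=False)
    return b.sign(key, hashes.SHA256())
```

`technical_findings` reports the two tolerated deviations separately from the pass/fail items, because a CA that shows them is still Extant but will need a re-issued SubCA to be fully SBR-compliant by September 15, 2024; `issuance_permitted` encodes only the two dates in Appendix B and says nothing about a SubCA that is neither Extant nor compliant.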






