[Smcwg-public] FW: MRSP 2.9: S/MIME BRs Transition Timeline

Stephen Davidson Stephen.Davidson at digicert.com
Wed Jun 21 00:21:03 UTC 2023 

FYI, for thoroughness:  MDSP announcement re S/MIME BR.

Regards, Stephen







From: dev-security-policy at mozilla.org <dev-security-policy at mozilla.org> On Behalf Of Ben Wilson
Sent: Friday, June 16, 2023 1:37 PM
To: dev-secur... at mozilla.org <dev-security-policy at mozilla.org>
Subject: MRSP 2.9: S/MIME BRs Transition Timeline



Greetings,

Our proposal for a migration plan towards having Certification Authorities (CAs) follow the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates (S/MIME BRs) is as follows, keeping in mind that the Effective Date for version 1.0.0 of the S/MIME BRs is September 1, 2023, and assuming that ETSI and WebTrust audit criteria are in place for S/MIME BR audits by September 1, 2023.

Any root CA certificate being considered for inclusion after September 1, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs. Note that the CA operator’s first S/MIME BR audit may be a Point-in-Time audit if the audit period will be less than 60 days, and the audit statement may list non-compliances to be resolved within the next annual audit period.

CA root certificates and subordinate CA certificates that are technically capable of issuing S/MIME certificates that chain up (either directly or transitively) to a root certificate that has the email (S/MIME) trust bit enabled in Mozilla's CA Certificate Program shall be audited with a Period-of-Time audit according to the S/MIME BRs between September 1, 2023, and August 31, 2024, and annually thereafter. For CA operators to maintain their current annual audit cycles, the new S/MIME BR audit should be provided along with the other audits that the CA operator provides annually.

*       The audit period start date for the first S/MIME BR audit will be September 1, 2023, or earlier.

   *    At the CA operator’s option, the first S/MIME BR audit may cover the entire audit period.
   *    The initial audit period start date for the first S/MIME BR audit cannot be before the effective date of a CA operator’s CP or CPS that confirms the CA operator’s compliance with the current version of the S/MIME BRs.

*       If the CA operator’s existing regular audit period for other audit types ends after October 30, 2023, then we will expect to receive an S/MIME BR audit that covers September 1, 2023, through the end of that audit period (i.e. a Period-of-Time audit).

   *    If the CA operator’s first S/MIME BR audit period would be less than 60 days (e.g. audit period being September 1, 2023, to October 30, 2023), then a Point-in-Time audit may be performed.

*       The first S/MIME BR audit for each CA root certificate and subordinate CA certificate may include a reasonable list of non-compliances that the CA operator (or subordinate CA operator) is not yet in compliance with.

   *    Only one Incident Bug needs to be filed containing the list of the non-compliances in a CA operator’s first S/MIME BR audit.

*       Submission of the second S/MIME BR audit report is expected to confirm that the issues that were listed in the first S/MIME BR audit report have been resolved.

We look forward to your constructive feedback on the proposed transition timeline.



Regards,



Ben and Kathleen

--
You received this message because you are subscribed to the Google Groups "dev-security-policy at mozilla.org<mailto:dev-security-policy at mozilla.org>" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscribe at mozilla.org<mailto:dev-security-policy+unsubscribe at mozilla.org>.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabGSZqHeAF1BkaepgYXh73-c12%3DrxfChiUfPcC10TaH0Q%40mail.gmail.com<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabGSZqHeAF1BkaepgYXh73-c12%3DrxfChiUfPcC10TaH0Q%40mail.gmail.com?utm_medium=email&utm_source=footer>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230621/912b2ec6/attachment-0001.html>

More information about the Smcwg-public mailing list