[Smcwg-public] Definition of extant CA

Stephen Davidson Stephen.Davidson at digicert.com
Tue Sep 12 11:13:29 UTC 2023


Thank you Jochem:

We will add this to the agenda of our next SMCWG meeting.

With kind regards, Stephen


From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Berge, Jochem Van den via Smcwg-public
Sent: Tuesday, September 12, 2023 6:01 AM
To: smcwg-public at cabforum.org
Cc: Berg, Patrick van den <Patrick.Berg at logius.nl>; Weissenberg, David <david.weissenberg at logius.nl>
Subject: [Smcwg-public] Definition of extant CA


Hi all,


Ballot SMC03 introduced the term "extant CA" as follows:


1. Is a Publicly-Trusted Subordinate CA Certificate whose `notBefore` field is before September 1, 2023 and has issued end entity S/MIME Certificates;
2. The CA Certificate includes no Extended Key Usage extension, contains `anyExtendedKeyUsage` in the EKU extension, or contains `id-kp-emailProtection` in the EKU extension;
3. The CA Certificate complies with the profile defined in [RFC 5280](http://tools.ietf.org/html/rfc5280). The following two deviations from the [RFC 5280](http://tools.ietf.org/html/rfc5280) profile are acceptable:

   a. The CA Certificate contains a `nameConstraints` extension that is not marked critical;
   b. The CA Certificate contains a policy qualifier of type UserNotice which contains `explicitText` that uses an encoding that is not permitted by [RFC 5280](http://tools.ietf.org/html/rfc5280) (i.e., the `DisplayText` is encoded using BMPString or VisibleString); and

4. The CA Certificate contains the `anyPolicy` identifier (2.5.29.32.0) or specific OIDs in the `certificatePolicies` extension that do not include those defined in [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers) of these Requirements.


Now it might seem like nit-picking, but we had a question specifically about
the first line. If a CA is S/MIME capable but only issues other CA
certificates, which in turn issue end-user S/MIME certificates, is that still
covered by this definition?


PKIoverheid operates a 4-layer hierarchy in which the level 2 CAs only issue
CA certificates to Trust Service providers who actually issue end-user
(S/MIME and qualified) certificates. We're asking this question because
we're currently planning (re)issuance of existing PKIoverheid level 3 CAs to
remain compliant with the SBRGs (or move them off S/MIME completely when it
is no longer needed) per the timelines stated in Appendix B. 


Reading the text verbatim would indicate that the level 2 CAs are not
included in the definition of the "extant CA", since they never have and never
will issue end-user certificates of any kind, but we have our doubts whether
that is a valid interpretation.


What take do other CAs (or browsers) have on this? 


Kind Regards,


Jochem van den Berge
Compliance officer PKIoverheid

Logius
Digital Government Service
Ministry of the Interior and Kingdom Relations
........................................................................

M (+31) (0)6 - 21 16 26 89
T  (+31) (0)70 - 888 76 91
jochem.vanden.berge at logius.nl
www.logius.nl

workdays Mo-Tue & Thu-Fri
........................................................................

This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages. 
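Apart from the issuance-history clause in item 1, the definition quoted above is a certificate-profile test, and the question raised in this thread is precisely that this clause is not something a certificate can answer about itself. The Go program below is an added example, not code from the post, the SMCWG or Logius. Using only the standard library, it checks items 1, 2 and 4 against a parsed CA certificate, takes the "has issued end-entity S/MIME Certificates" fact as a caller-supplied flag from issuance records, and builds two constructed sample CAs that stand in for the level 2 and level 3 cases described. Assumptions: the reserved policy arc of Section 7.1.6.1 is taken to be 2.23.140.1.5 (the post cites the section, not the OIDs), and the sample OID 2.23.140.1.5.2.2 under it, the names and the dates are illustrative; item 3 (RFC 5280 conformance, including the two tolerated deviations) is left to a certificate linter and not checked; an absent `certificatePolicies` extension is treated as not meeting item 4 under a verbatim reading. The program takes no position on which reading of item 1 is correct; it only makes the two readings explicit as a flag so the difference in outcome is visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	Cutoff              = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC) // item 1 of the definition
	oidAnyPolicy        = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	oidSMIMEReservedArc = asn1.ObjectIdentifier{2, 23, 140, 1, 5} // assumed Section 7.1.6.1 arc; not stated in the post
)

// ExtantCheck gives one verdict per item of the definition, including the one a certificate cannot answer.
type ExtantCheck struct {
	NotBeforeOK    bool // item 1: notBefore precedes 1 September 2023
	IssuedSMIMEEnd bool // item 1: has issued end-entity S/MIME certs; caller-supplied from issuance records
	EKUOK          bool // item 2: no EKU extension, anyExtendedKeyUsage, or id-kp-emailProtection
	PoliciesOK     bool // item 4: anyPolicy, or policy OIDs none of which lie in the reserved arc
	Extant         bool // verbatim reading: items 1, 2 and 4 all hold (item 3 needs an RFC 5280 linter)
}

// IsExtantCA evaluates a parsed CA certificate against the definition.
func IsExtantCA(cert *x509.Certificate, issuedEndEntitySMIME bool) ExtantCheck {
	r := ExtantCheck{IssuedSMIMEEnd: issuedEndEntitySMIME, NotBeforeOK: cert.NotBefore.Before(Cutoff)}
	// Go splits EKUs into ExtKeyUsage (known) and UnknownExtKeyUsage; both empty means no EKU extension.
	r.EKUOK = len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0
	for _, ku := range cert.ExtKeyUsage {
		r.EKUOK = r.EKUOK || ku == x509.ExtKeyUsageAny || ku == x509.ExtKeyUsageEmailProtection
	}
	// Item 4 read verbatim: the extension must be present; an absent certificatePolicies does not satisfy it.
	if len(cert.PolicyIdentifiers) > 0 {
		hasAny, hasReserved := false, false
		for _, p := range cert.PolicyIdentifiers {
			hasAny = hasAny || p.Equal(oidAnyPolicy)
			hasReserved = hasReserved || (len(p) >= len(oidSMIMEReservedArc) && p[:len(oidSMIMEReservedArc)].Equal(oidSMIMEReservedArc))
		}
		r.PoliciesOK = hasAny || !hasReserved
	}
	r.Extant = r.NotBeforeOK && r.IssuedSMIMEEnd && r.EKUOK && r.PoliciesOK
	return r
}

// newSampleCA self-signs a constructed CA certificate (sample data, not a PKIoverheid certificate).
func newSampleCA(cn string, notBefore time.Time, eku []x509.ExtKeyUsage, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ExtKeyUsage: eku,
	}
	if len(policies) > 0 {
		// Hand-encode certificatePolicies (SEQUENCE OF SEQUENCE { OID }) via ExtraExtensions so the sample builds the same way on every Go release.
		infos := make([][]asn1.ObjectIdentifier, len(policies))
		for i, p := range policies {
			infos[i] = []asn1.ObjectIdentifier{p}
		}
		der, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleLevel2CA: issued in 2020, no EKU, anyPolicy; in the scenario it has only ever signed CA certificates.
func SampleLevel2CA() (*x509.Certificate, error) {
	return newSampleCA("Sample Level 2 CA", time.Date(2020, 3, 1, 0, 0, 0, 0, time.UTC), nil, []asn1.ObjectIdentifier{oidAnyPolicy})
}

// SampleLevel3CA: issued after the cut-off with id-kp-emailProtection and an (assumed) reserved-arc policy OID.
func SampleLevel3CA() (*x509.Certificate, error) {
	return newSampleCA("Sample Level 3 CA", time.Date(2023, 10, 1, 0, 0, 0, 0, time.UTC),
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, []asn1.ObjectIdentifier{{2, 23, 140, 1, 5, 2, 2}})
}

func main() {
	l2, err2 := SampleLevel2CA()
	l3, err3 := SampleLevel3CA()
	if err2 != nil || err3 != nil {
		panic("sample certificate generation failed")
	}
	fmt.Printf("level 2, read verbatim (no end-entity issuance): %+v\n", IsExtantCA(l2, false))
	fmt.Printf("level 2, if issuance via subordinates counted:   %+v\n", IsExtantCA(l2, true))
	fmt.Printf("level 3 (post cut-off):                          %+v\n", IsExtantCA(l3, true))
}
```

Run it with `go run`: the level 2 sample passes every certificate-visible item and flips between extant and not extant solely on the flag, which is the ambiguity the question describes; the level 3 sample fails on the date and on the reserved-arc policy OID regardless of the flag. To use it on real hierarchy certificates, replace the sample builders with `x509.ParseCertificate` over the DER of each CA and feed the flag from the CA's issuance records.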
