<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:527182697;
        mso-list-type:hybrid;
        mso-list-template-ids:-1239766468 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:1503009785;
        mso-list-type:hybrid;
        mso-list-template-ids:-1050271820 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hello:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At the face-to-face it was agreed that the SMCWG would propose a ballot to
<span style="mso-ligatures:none">lay out parameters for Certificate Issuers to step from old S/MIME SubCAs to SubCAs that are fully-compliant with the S/MIME BR (SBR).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal">The following proposal <span style="mso-ligatures:none">does several things:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1"><span style="mso-ligatures:none">It provides a new definition of “Extant S/MIME CA” for SubCAs that can be used during the transition phase.  This makes an easy reference for external
 requirements that may wish to pick up the definition; it also avoids the word “legacy” which is already used in the SBR.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1"><span style="mso-ligatures:none">It adds a new Appendix B which allows “Extant” SubCAs to be used to issue otherwise compliant leafs following the Effective Date this Sept.  However,
 all S/MIME CAs would need to meet the SBR reqs by Sept 15, 2024.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">The text does not require the revocation of the Extant S/MIME CAs; merely that they cease issuance before September 15, 2024.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">This will be on our Agenda for next week.  I am also seeking endorsers, assuming this text finds support in the SMCWG.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Regards, Stephen<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<b><span style="font-family:"Segoe UI",sans-serif;color:#1F2328;mso-ligatures:none">New definition<o:p></o:p></span></b></p>
<p class="MsoNormal">**Extant S/MIME CA**: A Subordinate CA that:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-bottom:8.0pt;margin-top:0in;mso-margin-bottom-alt:0in;mso-margin-top-alt:0in;margin-left:0in;mso-add-space:auto;line-height:106%;mso-list:l0 level1 lfo2">
Is a Publicly-Trusted CA Certificate with end entity S/MIME Certificates that are valid as of June 15, 2023;<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-add-space:auto;line-height:106%;mso-list:l0 level1 lfo2">
Is audited and has appeared on the CA’s latest audit report which is acceptable to the relevant program for Publicly-Trusted Certificates;
<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-add-space:auto;line-height:106%;mso-list:l0 level1 lfo2">
The CA Certificate includes no Extended Key Usage extension, contains <code><span style="font-size:10.0pt;line-height:106%;font-family:Consolas;color:#1F2328">anyExtendedKeyUsage</span></code> in the EKU extension, or contains
<code><span style="font-size:10.0pt;line-height:106%;font-family:Consolas;color:#1F2328">id-kp-emailProtection</span></code> in the EKU extension;
<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-add-space:auto;line-height:106%;mso-list:l0 level1 lfo2">
The CA Certificate complies with the profile defined in RFC 5280. The following two deviations from the RFC 5280 profile are acceptable:<o:p></o:p></li></ol>
<p class="MsoListParagraph">a. The CA Certificate contains a <code><span style="font-size:10.0pt;font-family:Consolas;color:#1F2328">nameConstraints</span></code><span style="font-family:"Segoe UI",sans-serif;color:#1F2328;background:white"> </span> extension
 that is not marked critical; <o:p></o:p></p>
<p class="MsoListParagraph">b. The CA Certificate contains a policy qualifier of type
<code><span style="font-size:10.0pt;font-family:Consolas;color:#1F2328">UserNotice</span></code> which contains
<code><span style="font-size:10.0pt;font-family:Consolas;color:#1F2328">explicitText</span></code> that uses an encoding that is not permitted by RFC 5280 (i.e., the
<code><span style="font-size:10.0pt;font-family:Consolas;color:#1F2328">DisplayText</span></code> is encoded using BMPString or VisibleString); and<o:p></o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-add-space:auto;line-height:106%;mso-list:l0 level1 lfo2">
The CA Certificate may contain the <code><span style="font-size:10.0pt;line-height:106%;font-family:Consolas;color:#1F2328">anyPolicy</span></code><span style="font-family:"Segoe UI",sans-serif;color:#1F2328;background:white"> identifier (2.5.29.32.0)</span>
 or specific OIDs in the <code><span style="font-size:10.0pt;line-height:106%;font-family:Consolas;color:#1F2328">certificatePolicies</span></code><span style="font-family:"Segoe UI",sans-serif;color:#1F2328;background:white"> </span>extension that do not include
 those defined in Section 7.1.6.1 of these Requirements.<o:p></o:p></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<b><span style="font-family:"Segoe UI",sans-serif;color:#1F2328;mso-ligatures:none">7.1.2.2 Subordinate CA certificates<o:p></o:p></span></b></p>
<p class="MsoNormal"><i>[Insert the following sentence to the intro.]<o:p></o:p></i></p>
<p class="MsoNormal">The issuance of end entity S/MIME Certificates by Extant S/MIME CAs is described in Appendix B.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<b><span style="font-family:"Segoe UI",sans-serif;color:#1F2328;mso-ligatures:none">Appendix B - Transition of Extant S/MIME CAs<o:p></o:p></span></b></p>
<p class="MsoNormal">Following the Effective Date for v 1.0.0 of these Requirements (September 1, 2023) an Extant S/MIME CA may continue to issue end entity S/MIME Certificates that are compliant with these Requirements. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On or after September 15, 2024, all newly-issued Publicly-Trusted end entity S/MIME Certificates must be issued from S/MIME Subordinate CAs that are compliant with these Requirements.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
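<p class="MsoNormal">Added example (not part of the proposal or the SMCWG's text): a small checker that evaluates a Subordinate CA certificate against the five conditions of the proposed “Extant S/MIME CA” definition and the Appendix B issuance window. It decodes the EKU extension from DER itself so that condition 3 is tested on real extension bytes rather than on a hand-typed list. The OID values are the standard RFC 5280/PKIX ones; the <code>SubCaFacts</code> data model, the deviation labels used for condition 4, and the sample EKU encodings are assumptions constructed for the example.<o:p></o:p></p>

```python
"""Eligibility checker for the proposed 'Extant S/MIME CA' definition.

Added example, not part of the ballot text. The data model (SubCaFacts),
the deviation labels and the sample DER below are constructed assumptions;
the OIDs and dates come from RFC 5280 / PKIX and the proposal itself.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"        # anyExtendedKeyUsage (RFC 5280)
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection (RFC 5280)
ANY_POLICY = "2.5.29.32.0"                     # anyPolicy, as quoted in condition 5

LEAF_VALID_AS_OF = date(2023, 6, 15)   # condition 1 cutoff
EFFECTIVE_DATE = date(2023, 9, 1)      # SBR v1.0.0 Effective Date (Appendix B)
ISSUANCE_SUNSET = date(2024, 9, 15)    # Extant CAs must stop issuing before this date

# The only two RFC 5280 profile deviations the proposal tolerates (condition 4).
# The label strings are an assumption of this example.
ACCEPTABLE_DEVIATIONS = {
    "nameConstraints-not-critical",
    "explicitText-BMPString",
    "explicitText-VisibleString",
}


def _read_length(der: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length octets) for the DER TLV at pos."""
    first = der[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(extn_value: bytes) -> List[str]:
    """Decode an ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) extension value."""
    if extn_value[0] != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    seq_len, pos = _read_length(extn_value, 1)
    end = pos + seq_len
    oids: List[str] = []
    while pos < end:
        if extn_value[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtKeyUsageSyntax")
        oid_len, pos = _read_length(extn_value, pos + 1)
        oids.append(decode_oid(extn_value[pos:pos + oid_len]))
        pos += oid_len
    return oids


@dataclass
class SubCaFacts:
    """Facts a CA would gather for one Subordinate CA certificate (assumed model)."""
    has_leaf_valid_on_cutoff: bool        # condition 1
    on_accepted_audit_report: bool        # condition 2
    eku_der: Optional[bytes]              # condition 3; None = no EKU extension at all
    rfc5280_deviations: List[str] = field(default_factory=list)  # condition 4
    policy_oids: List[str] = field(default_factory=list)         # condition 5


def extant_smime_ca_check(facts: SubCaFacts) -> List[str]:
    """Return the unmet conditions; an empty list means the SubCA qualifies as Extant."""
    problems: List[str] = []
    if not facts.has_leaf_valid_on_cutoff:
        problems.append(f"no end entity S/MIME Certificate valid as of {LEAF_VALID_AS_OF}")
    if not facts.on_accepted_audit_report:
        problems.append("not on the CA's latest accepted audit report")
    if facts.eku_der is not None:          # no EKU extension is explicitly allowed
        ekus = decode_eku(facts.eku_der)
        if ANY_EXTENDED_KEY_USAGE not in ekus and ID_KP_EMAIL_PROTECTION not in ekus:
            problems.append(f"EKU {ekus} has neither anyExtendedKeyUsage nor id-kp-emailProtection")
    for dev in facts.rfc5280_deviations:
        if dev not in ACCEPTABLE_DEVIATIONS:
            problems.append(f"RFC 5280 deviation not tolerated: {dev}")
    # Condition 5 is permissive: anyPolicy or policy OIDs outside Section 7.1.6.1
    # are both allowed, so certificatePolicies cannot disqualify the certificate here.
    return problems


def extant_ca_may_issue(on: date) -> bool:
    """Appendix B: issuance from an Extant S/MIME CA must cease before the sunset date."""
    return on < ISSUANCE_SUNSET


# Constructed sample EKU extension values (DER, hex); not taken from any real certificate.
EKU_EMAIL_AND_CLIENT_AUTH = bytes.fromhex("3014 06082b06010505070304 06082b06010505070302")
EKU_SERVER_AUTH_ONLY = bytes.fromhex("300a 06082b06010505070301")
EKU_ANY = bytes.fromhex("3006 0604551d2500")

if __name__ == "__main__":
    sample = SubCaFacts(True, True, EKU_EMAIL_AND_CLIENT_AUTH,
                        ["nameConstraints-not-critical"], [ANY_POLICY])
    print("qualifies" if not extant_smime_ca_check(sample) else extant_smime_ca_check(sample))
    print("may issue on 2024-09-14:", extant_ca_may_issue(date(2024, 9, 14)))
```

<p class="MsoNormal">The checker returns every failed condition rather than stopping at the first, which is the form a CA would want when reviewing a whole hierarchy ahead of the September 15, 2024 cutoff; the date function is deliberately a strict less-than, matching “cease issuance before September 15, 2024” in the covering note.<o:p></o:p></p>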
</div>
</body>
</html>