<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=en-SE link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=SV>Hi all,<o:p></o:p></span></p><p class=MsoNormal><span lang=SV><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>There’s been a request within the S/MIME working group to bring forward issues that have arisen since the adoption of the SBRs. While we’ve not seen a whole lot of issues, we believe we may have discovered one now.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>We offer support for Windows’s own auto-enrollment features. In the past we used to include the “Certificate Template Information” extension (OID </span>1.3.6.1.4.1.311.21.7<span lang=EN-US>) for this purpose. Since we started issuing SBR-compliant certificates prior to September 1<sup>st</sup>, we removed support for this extension on publicly trusted S/MIME certificates.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>As we now have noticed, this has led to a partial breakdown of the auto-enrollment system. From what we understand, the auto-enrollment mechanism is specifically looking for this extension in certificates; if a certificate for a particular required Certificate Template (as specified through AD) is not found, auto-enrollment will “do its job”, and request a new certificate. This can lead to multiple new certificates being installed in a single day, all because the extension is missing.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>We’ve investigated bringing back support for the extension, and are led to the conclusion that no, this extension would not be allowed per the current language. 
A breakdown:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Section 7.1.2.4 (<a href="https://github.com/cabforum/smime/blob/main/SBR.md#7124-all-certificates">https://github.com/cabforum/smime/blob/main/SBR.md#7124-all-certificates</a> ) states:<o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US>“</span>All fields and extensions SHALL be set in accordance with <a href="https://datatracker.ietf.org/doc/html/rfc5280">RFC 5280</a>. The CA SHALL NOT issue a Certificate that contains a </i><code><i><span style='font-size:10.0pt'>keyUsage</span></i></code><i> flag, </i><code><i><span style='font-size:10.0pt'>extKeyUsage</span></i></code><i> value, Certificate extension, or other data not specified in <a href="https://github.com/cabforum/smime/blob/main/SBR.md#7121-root-ca-certificates">Section 7.1.2.1</a>, <a href="https://github.com/cabforum/smime/blob/main/SBR.md#7122-subordinate-ca-certificates">Section 7.1.2.2</a>, or <a href="https://github.com/cabforum/smime/blob/main/SBR.md#7123-subscriber-certificates">Section 7.1.2.3</a> unless the CA is aware of a reason for including the data in the Certificate. If the CA includes fields or extensions in a Certificate that are not specified but are otherwise permitted by these Requirements, then the CA SHALL document the processes and procedures that the CA employs for the validation of information contained in such fields and extensions in its CP and/or CPS.</i><i><span lang=EN-US>”<o:p></o:p></span></i></p><p class=MsoNormal><i><span lang=EN-US><o:p> </o:p></span></i></p><p class=MsoNormal><span lang=EN-US>So far, we could see allowing the extension. We have “a reason for including the data in the Certificate”, and we could update our CPS. 
However, the language continues with an additional SHALL NOT:<o:p></o:p></span></p><p><i><span lang=EN-US>“</span>CAs SHALL NOT issue a Certificate with:<o:p></o:p></i></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'>Extensions that do not apply in the context of the public Internet (such as an </span></i><i><span style='font-size:10.0pt;font-family:"Courier New";mso-ligatures:none;mso-fareast-language:EN-GB'>extKeyUsage</span></i><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'> value for a service that is only valid in the context of a privately managed network), unless:<br>i. such value falls within an OID arc for which the Applicant demonstrates ownership, or<br>ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or<o:p></o:p></span></i></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'>Field or extension values which have not been validated according to the processes and procedures described in these Requirements or the CA's CP and/or CPS</span></i><i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>.</span></i><span lang=EN-US>”</span><span style='mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='mso-fareast-language:EN-GB'>So while the first section might allow us to incorporate the extension, it seems we also need to meet one of the statements in this block:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='mso-fareast-language:EN-GB'>“</span><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'>Extensions that do not 
apply in the context of the public Internet (such as an </span></i><i><span style='font-size:10.0pt;font-family:"Courier New";mso-ligatures:none;mso-fareast-language:EN-GB'>extKeyUsage</span></i><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'> value for a service that is only valid in the context of a privately managed network), unless:</span></i><i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>”<br></span></i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>This extension indeed does not apply in the context of the public Internet. So, we move into the exception cases:<i><o:p></o:p></i></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>“</span></i><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'>i. such value falls within an OID arc for which the Applicant demonstrates ownership, or</span></i><i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>”<br></span></i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>No. Neither we nor the Applicant owns the OID. It’s an OID under the Microsoft OID arc.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>“<i> </i></span><i><span style='mso-ligatures:none;mso-fareast-language:EN-GB'>ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or</span></i><i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>”<br></span></i><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>Unless the Applicant gets a contract stating they were given the right by Microsoft, we don’t see how this requirement is met. 
<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='mso-ligatures:none;mso-fareast-language:EN-GB'>Then we’re left with “</span><i>Field or extension values which have not been validated according to the processes and procedures described in these Requirements or the CA's CP and/or CPS.</i><i><span lang=EN-US>”<br></span></i><span lang=EN-US>This one is a bit odd. Does this suddenly suggest or imply that the CA may include any field or extension that has been validated according only to the CA’s CP and/or CPS? Item “(ii)” ends with an “or”. However, we believe this is an incorrect editorial bit that should be updated, since the list shifts back to a previous indentation.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>All in all, we’re left with the understanding that, no, this extension is not allowed (with the exception that if Microsoft were to be the Applicant, it would be allowed).<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>With this breakdown, we’re left with a few questions:<o:p></o:p></span></p><ul type=disc><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l1 level1 lfo6'><span lang=EN-US>Have other CAs run into the same issue?<o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l1 level1 lfo6'><span lang=EN-US>Do other CAs share the same conclusion?<o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l1 level1 lfo6'><span lang=EN-US>If this does appear to be an issue, should an extension by the platform of one of our Certificate Consumers be specifically added as an allowed extension?<o:p></o:p></span></li></ul><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Regards,<br><br>Martijn<br>Sectigo<o:p></o:p></span></p></div></body></html>