[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Corey Bonnell Corey.Bonnell at digicert.com
Tue Sep 13 13:40:50 UTC 2022

I agree with Bruce.

The WebTrust SSL Baseline Criteria [1] explicitly reference the NCSSRs as
applicable to the operations of CAs regardless of certificate type. In
particular, the "Engagement Scoping" section says:

"The Network Security Requirements apply to all CAs within a publicly trusted
PKI hierarchy, even if those certificates are designed for other uses (i.e.,
code signing, client authentication, secure email, document signing etc.)"


Given this guidance, I would be rather surprised if there are conflicts.
Perhaps one of the WebTrust TF folks here on the list can provide their






From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Bruce
Morton via Smcwg-public
Sent: Tuesday, September 13, 2022 9:28 AM
To: Hongquan Yin <Hongquan.Yin at microsoft.com>; SMIME Certificate Working
Group <smcwg-public at cabforum.org>; Stephen Davidson
<Stephen.Davidson at digicert.com>
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for "S/MIME
Baseline Requirements"


Since the NCSSRs apply to TLS, Code Signing and soon to be S/MIME
certificates, I would suggest the NCSSRs should take precedence over the
certificate documents. I don't think it would make sense for a CA to be
expected to deploy network security differently based on the certificate
being issued.

I really think this is a non-issue and the certificate working group should
correct any conflicts through ballot.



From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of
Hongquan Yin via
Sent: Tuesday, September 13, 2022 7:41 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate
Working Group <smcwg-public at cabforum.org>
Subject: [EXTERNAL] Re: [Smcwg-public] Ballot SMC01: Final Guideline for
"S/MIME Baseline Requirements"




After sharing the guideline with more people at Microsoft, we have some
feedback regarding the line below:

"6.7 Network security controls 

The CA/Browser Forum's Network and Certificate System Security Requirements
are incorporated by reference as if fully set forth herein."


While the goal of the NCSSRs is to be certificate agnostic, the history is
mostly related to TLS. There's a risk that a requirement has already been
implemented or could be implemented that would conflict with S/MIME
requirements. We would recommend adding a statement that, if there are any
conflicts, the S/MIME Baseline Requirements take precedence.

Possibly add a sentence such as: "In the event of a conflict between the
S/MIME BRs and the NCSSRs, the S/MIME BRs will take precedence."


Thank you for considering the change.

Hongquan Yin


From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of
Stephen Davidson via Smcwg-public
Sent: Thursday, September 8, 2022 3:03 PM
To: smcwg-public at cabforum.org
Subject: [EXTERNAL] [Smcwg-public] Ballot SMC01: Final Guideline for "S/MIME
Baseline Requirements"


Ballot SMC01: Final Guideline for "S/MIME Baseline Requirements" 


Purpose of Ballot:


The S/MIME Certificate Working Group was chartered to discuss, adopt, and
maintain policies, frameworks, and standards for the issuance and management
of Publicly-Trusted S/MIME Certificates.  This ballot adopts a new "S/MIME
Baseline Requirements" that includes requirements for verification of
control over email addresses, identity validation for natural persons and
legal entities, key management and certificate lifecycle, certificate
profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA
operational and audit practices.


An S/MIME Certificate for the purposes of this document can be identified by
the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: and the inclusion of a rfc822Name or an otherName of type
id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.


The following motion has been proposed by Stephen Davidson of DigiCert and
endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.


Charter Voting References


Section 5.1 ("Voting Structure") of the SMCWG Charter says:


In order for a ballot to be adopted by the SMCWG, two-thirds or more of the
votes cast by the Certificate Issuers must be in favor of the ballot and
more than 50% of the votes cast by the Certificate Consumers must be in
favor of the ballot. At least one member of each class must vote in favor of
a ballot for it to be adopted. Quorum is the average number of Member
organizations (cumulative, regardless of Class) that have participated in
the previous three (3) SMCWG Meetings or Teleconferences (not counting
subcommittee meetings thereof).



This ballot adopts the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted S/MIME Certificates" ("S/MIME Baseline
Requirements") as Version 1.0.0.


The proposed S/MIME Baseline Requirements may be found at
9c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.


The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and
Version Number of the S/MIME Baseline Requirements to reflect final dates.



This ballot proposes a Final Guideline. The procedure for approval of this
ballot is as follows:


Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC


Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC


IPR Review (60 days)

