[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Sep 13 15:46:04 UTC 2022

I agree with the assessment that the NCSSRs mostly related to TLS. This 
means that for certificate types not related to existing CA/B Forum 
Guidelines (TLS, Code Signing), some CAs might find it really surprising 
having to implement the entirety of the NCSSRs, especially the 
air-gapped/offline RootCA requirements for S/MIME hierarchies.

It's also very challenging for a CA to implement a roll-over S/MIME 
hierarchy (with an air-gapped/offline Root CA) within 3-6 months and 
complete Root inclusion requests, get ubiquity and so on.

Dear Hongquan, is this the major concern or you see other issues with 
the adoption of the NCSSRs for S/MIME hierarchies in the SMBRs?


On 13/9/2022 2:40 μ.μ., Hongquan Yin via Smcwg-public wrote:
> After sharing the guideline to more people in Microsoft, we have some 
> feedback regarding below line:
> “6.7 Network security controls
> The CA/Browser Forum’s Network and Certificate System Security 
> Requirements are incorporated by reference as if fully set forth herein.”
> While the goal of the NCSSR’s is to be certificate agnostic, the 
> history is mostly related to TLS. There’s a risk that a requirement 
> has already been implemented or could be implemented that would 
> conflict with S/MIME requirements. We would recommend adding a 
> statement that if there are any conflicts, that the S/MIME Baseline 
> Requirements take precedence.
> Possibly add a sentence such as: “In the event of a conflict between 
> the S/MIME BRs and the NCSSRs, the S/MIME BRs will take precedence.”
> Thank you for considering the change.
> *Ho*ngquan *Yi*n
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of 
> *Stephen Davidson via Smcwg-public
> *Sent:* Thursday, September 8, 2022 3:03 PM
> *To:* smcwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Smcwg-public] Ballot SMC01: Final Guideline for 
> “S/MIME Baseline Requirements”
> *Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements” ***
> **
> *Purpose of Ballot:*
> The S/MIME Certificate Working Group was chartered to discuss, adopt, 
> and maintain policies, frameworks, and standards for the issuance and 
> management of Publicly-Trusted S/MIME Certificates.  This ballot 
> adopts a new “S/MIME Baseline Requirements” that includes requirements 
> for verification of control over email addresses, identity validation 
> for natural persons and legal entities, key management and certificate 
> lifecycle, certificate profiles for S/MIME Certificates and Issuing CA 
> Certificates, as well as CA operational and audit practices.
> An S/MIME Certificate for the purposes of this document can be 
> identified by the existence of an Extended Key Usage (EKU) for 
> id-kp-emailProtection (OID: and the inclusion of a 
> rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the 
> subjectAltName extension in the Certificate.
> The following motion has been proposed by Stephen Davidson of DigiCert 
> and endorsed by Martijn Katerbarg of Sectigo and ­­­Ben Wilson of Mozilla.
> *Charter Voting References*
> Section 5.1 (“Voting Structure”) 
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fblob%2Fe6ad111f4477010cbff409cd939c5ac1c7c85ccc%2Fdocs%2FSMCWG-charter.md%2351-voting-structure&data=05%7C01%7Chongquan.yin%40microsoft.com%7C70f13519b92c4417b4f508da91682f2b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637982174108537999%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HhWwlEUw7uF2tm%2Fzit%2BBZmgz7%2Bp0jct%2BHpHkEe5BDuQ%3D&reserved=0>of 
> the SMCWG Charter says:
> In order for a ballot to be adopted by the SMCWG, two-thirds or more 
> of the votes cast by the Certificate Issuers must be in favor of the 
> ballot and more than 50% of the votes cast by the Certificate 
> Consumers must be in favor of the ballot. At least one member of each 
> class must vote in favor of a ballot for it to be adopted. Quorum is 
> the average number of Member organizations (cumulative, regardless of 
> Class) that have participated in the previous three (3) SMCWG Meetings 
> or Teleconferences (not counting subcommittee meetings thereof).
> *
> This ballot adopts the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline 
> Requirements”) as Version 1.0.0.
> The proposed S/MIME Baseline Requirements may be found at 
> https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fsmime%2Fcompare%2F7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52&data=05%7C01%7Chongquan.yin%40microsoft.com%7C70f13519b92c4417b4f508da91682f2b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637982174108694198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LeGxSesCeeTKziMM1pTk985zVUXqAwvzuEWlVJJ6OyQ%3D&reserved=0> 
> or the attached document.
> The SMCWG Chair or Vice-Chair is permitted to update the Relevant 
> Dates and Version Number of the S/MIME Baseline Requirements to 
> reflect final dates.
> *— MOTION ENDS —**
> *
> This ballot proposes a Final Guideline. The procedure for approval of 
> this ballot is as follows:
> Discussion (7+ days)
> Start Time: 8 September 2022 17:00 UTC
> End Time: 15 September 2022 17:00 UTC
> Vote for approval (7 days)
> Start Time: 15 September 2022 17:00 UTC
> End Time: 22 September 2022 17:00 UTC
> IPR Review (60 days)
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220913/f744856c/attachment.html>

More information about the Smcwg-public mailing list