[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Corey Bonnell Corey.Bonnell at digicert.com
Tue Sep 13 17:58:43 UTC 2022

Hi Dimitris,

The requirements for CRL and OCSP were discussed in the June 22nd meeting. The minutes are available here: https://lists.cabforum.org/pipermail/smcwg-public/2022-August/000393.html

The conclusion from that meeting was that mail clients currently support different revocation mechanisms. Given the lack of consistency across Application Software Suppliers, it was agreed to reflect existing Root Program requirements in the SMBRs. Given that MSFT Root Policy explicitly mandates OCSP for end-entity certificates, this requirement was reflected in the SMBRs.

Additionally, there was discussion on the inclusion of the countryName (and other geographic location attributes) on August 3rd: https://lists.cabforum.org/pipermail/smcwg-public/2022-August/000433.html. The changes made to fix the issue that Martijn raised as well as the proposal to make the geographic location attributes optional were presented and no objections were raised at that time.



From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Tuesday, September 13, 2022 12:10 PM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”



On 13/9/2022 7:01 p.m., Stephen Davidson wrote:

Hi Dimitris:

Thank you for the feedback.  Both these points were addressed in our earlier discussions regarding the draft.

On the issue of OCSP support, you may recall that there were varying proposals for varying the requirements for both CRL and OCSP but the fact remains that different root distribution programs have pre-existing requirements for both of them.  Thus, the decision was made to retain the existing text.  I have suggested that revocation services would be a useful focus subject for a future CABF F2F as this topic seems to come up in different WG, and any changes must have the support of all the root programs.

Similarly, on the issue of C in the Subject DN, this was previously discussed several times and the decision was made to stick with the current text where the CA MAY use the attribute but is not required to.

Best regards, Stephen

I did a quick search in previous minutes and I couldn't find consensus for both those topics. If you can point me to these previous discussions and minutes that demonstrate consensus among the group, it would be very helpful. 

For the OCSP topic, you mention that "different root distribution programs have pre-existing requirements". Which program, other than Microsoft, requires OCSP for S/MIME Certificates?

As things stand, HARICA will be forced to vote "No" to this ballot.




From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Tuesday, September 13, 2022 7:25 AM
To: smcwg-public at cabforum.org
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”


After a more detailed review by the HARICA team, we noticed some areas of concern that we hope will be considered for update by the authors and endorsers of this ballot.

1. c

    1. authorityInformationAccess (SHALL be present) -> authorityInformationAccess (SHOULD be present) [Rationale: OCSP is not currently required for S/MIME Certificates by all Certificate Consumers. Only Microsoft Root Program requires it and perhaps this is due to a copy-over from the TLS BRs without performing a technical analysis specifically on S/MIME or clientAuth or codeSigning Certificates. The CSCWG already removed the requirement for OCSP in Subscriber Certificates in the CSBRs].
    2. The authorityInformationAccess extension SHALL contain at least one accessMethod value of type id-ad-ocsp that specifies the URI of the Issuing CA’s OCSP responder. -> The authorityInformationAccess extension MAY contain at least one accessMethod value of type id-ad-ocsp that specifies the URI of the Issuing CA’s OCSP responder. [Rationale: same as above]

2. Subject DN attributes for organization-validated profile and Subject DN attributes for sponsor-validated profile
    subject:countryName MAY -> subject:countryName SHALL [Rationale: Organization Names must contain a Country Name to indicate where this Organization is located. This applies to the organization-validated and the sponsor-validated profile. It is also referenced in Appendix A - Registration Schemes]

Thank you,

On 8/9/2022 10:03 a.m., Stephen Davidson via Smcwg-public wrote:

Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements” 


Purpose of Ballot:


The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates.  This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.


An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.


The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.


Charter Voting References


Section 5.1 (“Voting Structure”) of the SMCWG Charter (https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure) says:


In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).



This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.


The proposed S/MIME Baseline Requirements may be found at https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.

The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.



This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:


Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC


Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC


IPR Review (60 days)
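As an added example, not code from the thread or from the ballot text: a small check, using the pyca/cryptography library, that applies the ballot's S/MIME identification rule (id-kp-emailProtection EKU plus an rfc822Name or id-on-SmtpUTF8Mailbox entry in the SAN) and then reports the two profile fields the thread argues over, authorityInformationAccess with id-ad-ocsp and subject:countryName, under either reading of the requirement. The OID for id-on-SmtpUTF8Mailbox is taken from RFC 8398; the self-signed certificate, organization name, mailbox and OCSP URL are constructed placeholders for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA_OID
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

SMTP_UTF8_MAILBOX = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.9")  # id-on-SmtpUTF8Mailbox, RFC 8398
def _ext(cert, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return []

def inspect_smime_profile(cert):
    # Ballot rule: id-kp-emailProtection EKU plus rfc822Name or SmtpUTF8Mailbox in the SAN.
    eku = _ext(cert, ExtensionOID.EXTENDED_KEY_USAGE)
    san = _ext(cert, ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    aia = _ext(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    mailbox = any(isinstance(n, x509.RFC822Name) or
                  (isinstance(n, x509.OtherName) and n.type_id == SMTP_UTF8_MAILBOX) for n in san)
    return {
        "is_smime": ExtendedKeyUsageOID.EMAIL_PROTECTION in eku and mailbox,
        "has_ocsp_aia": any(d.access_method == AIA_OID.OCSP for d in aia),
        "has_country": bool(cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)),
    }

def violations(report, ocsp_required, country_required):
    # Balloted text: ocsp_required=True, country_required=False; HARICA's proposal: the reverse.
    out = []
    if ocsp_required and not report["has_ocsp_aia"]:
        out.append("authorityInformationAccess lacks id-ad-ocsp")
    if country_required and not report["has_country"]:
        out.append("subject:countryName missing")
    return out

def make_test_cert(with_ocsp, with_country):
    # Constructed self-signed certificate for the demo; names and URL are placeholders.
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org")]
    if with_country:
        attrs.append(x509.NameAttribute(NameOID.COUNTRY_NAME, "GR"))
    b = (x509.CertificateBuilder().subject_name(x509.Name(attrs)).issuer_name(x509.Name(attrs))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(datetime.datetime(2022, 9, 13)).not_valid_after(datetime.datetime(2023, 9, 13))
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
         .add_extension(x509.SubjectAlternativeName([x509.RFC822Name("alice@example.com")]), critical=False))
    if with_ocsp:
        ocsp = x509.AccessDescription(AIA_OID.OCSP, x509.UniformResourceIdentifier("http://ocsp.example.test"))
        b = b.add_extension(x509.AuthorityInformationAccess([ocsp]), critical=False)
    return b.sign(key, hashes.SHA256())
```

Run `inspect_smime_profile` on a PEM-loaded certificate (`x509.load_pem_x509_certificate`) to see which reading of the profile it satisfies.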
