[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Sep 13 18:24:16 UTC 2022

Hi Corey,

Thanks for providing additional information about these issues. 
Unfortunately I was away for both of the two meetings you mentioned but 
I did look through those minutes and didn't consider them conclusive on 
the two issues at hand.

On 13/9/2022 8:58 μ.μ., Corey Bonnell wrote:
> Hi Dimitris,
> The requirements for CRL and OCSP were discussed in the June 22^nd 
> meeting. The minutes are available here: 
> https://lists.cabforum.org/pipermail/smcwg-public/2022-August/000393.html
> The conclusion from that meeting was that mail clients currently 
> support different revocation mechanisms. Given the lack of consistency 
> across Application Software Suppliers, it was agreed to reflect 
> existing Root Program requirements in the SMBRs. Given that MSFT Root 
> Policy explicitly mandates OCSP for end-entity certificates, this 
> requirement was reflected in the SMBRs.

This is not my reading of those minutes. Here is a copy from a portion 
of those minutes:

> The WG continued to discuss comments that had been made in favor of making either CRL or OCSP optional. Martijn proposed a PR attempting to blend those changes. Stephen noted that the Microsoft policy required OCSP. Clint noted that Apple's requirement required CRL support (reported in CCDAB but not necessarily in a CDP in the leaf). Ben Wilson noted that Thunderbird preferred OCSP over CRL. However he also noted the possible privacy concerns that some may have regarding OCSP being used to mine information about users opening encrypted emails. Corey Bonnell pointed out that the same privacy issues could befall CRL as well in the case of sharded CRLs.
> Stephen stated that he felt the draft S/MIME BR must make OCSP and CRL mandatory unless there was an explicit allowance on the point by the overarching root store requirements. He suggested revocation information of nonTLS certificates may be a useful topic at the next CABF F2F.  Stefan Selbitschka noted the privacy issues relating to revocation are equally a concern that should be placed upon the mail user agents. Stephen noted that he would adopt some of the improvements however found in Martijn's PR.

It is clearly stated that Microsoft Trusted Root Program Policy mandates 
OCSP for end-entity certificates but, as already explained in my 
previous message, this is most likely a copy-over from the TLS BRs and 
already overridden by the Code Signing BRs. Also, Apple 
<https://www.apple.com/certificateauthority/ca_program.html>, Gmail 
<https://support.google.com/a/answer/7300887>and Mozilla 
Programs do not require OCSP for S/MIME Certificates.

Setting up reliable OCSP infrastructure that is not used by the majority 
of mail clients is a huge burden for CAs. I don't object to doing an 
in-depth analysis with the collaboration of Certificate Consumers, and 
determine whether OCSP should be required or not in the next version of 
the SMBRs. However, until this analysis is performed, mandating OCSP for 
S/MIME Certificates seems premature.

As Stephen mentioned on that call, we should defer and discuss this 
particular issue at the upcoming F2F meeting.

> Additionally, there was discussion on the inclusion of the countryName 
> (and other geographic location attributes) on August 3^rd : 
> https://lists.cabforum.org/pipermail/smcwg-public/2022-August/000433.html. 
> The changes made to fix the issue that Martijn raised as well as the 
> proposal to make the geographic location attributes optional were 
> presented and no objections were raised at that time.

Similarly, I didn't ready anything in the quoted minutes about the 
countryName for those cases.

> The WG returned to the topic of the use of geographic attributes in the Subject DN. Stephen noted that conflicting text on the use of the L and ST attributes that had been copied from the TLS BR has now been removed. He noted that the attributes are not allowed in Mailbox-validated profiles, and that the WG had previously agreed to allow significant flexibility in the Legacy generation profiles. As it stands, the SBR stipulates MAY for the attributes in the Organization-, Sponsored-, and Individual-validated profiles.

The discussion was mainly around the localityName and the 
stateOrProvinceName, especially in cases where the countryName is 
sufficient for disambiguating the organization. The countryName 
attribute is included in every ETSI-issued identity Certificate used for 
S/MIME and is extremely easy to validate, as explained in my previous 
message. Please consider at least requiring the countryName for the 
Strict and Multipurpose profiles.


> Thanks,
> Corey
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of 
> *Dimitris Zacharopoulos (HARICA) via Smcwg-public
> *Sent:* Tuesday, September 13, 2022 12:10 PM
> *To:* Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME 
> Certificate Working Group <smcwg-public at cabforum.org>
> *Subject:* Re: [Smcwg-public] Ballot SMC01: Final Guideline for 
> “S/MIME Baseline Requirements”
> On 13/9/2022 7:01 μ.μ., Stephen Davidson wrote:
>     Hi Dimitris:
>     Thank you for the feedback.  Both these points were addressed in
>     our earlier discussions regarding the draft.
>     On the issue of OCSP support, you may recall that there were
>     varying proposals for varying the requirements for both CRL and
>     OCSP but the fact remains that different root distribution
>     programs have pre-existing requirements for both of them.  Thus,
>     the decision was made to retain the existing text.  I have
>     suggested that revocation services would be a useful focus subject
>     for a future CABF F2F as this topic seems to come up in different
>     WG, and any changes must have the support of all the root programs.
>     Similarly, on the issue of C in the Subject DN, this was
>     previously discussed several times and the decision was made to
>     stick the current text where the CA MAY use the attribute but is
>     not required to.
>     Best regards, Stephen
> I did a quick search in previous minutes and I couldn't find consensus 
> for both those topics. If you can point me to these previous 
> discussions and minutes that demonstrate consensus among the group, it 
> would be very helpful.
> For the OCSP topic, you mention that "different root distribution 
> programs have pre-existing requirements". Which program, other than 
> Microsoft, requires OCSP for S/MIME Certificates?
> As things stand, HARICA will be forced to vote "No" to this ballot.
> Dimitris.
>     *From:* Smcwg-public <smcwg-public-bounces at cabforum.org>
>     <mailto:smcwg-public-bounces at cabforum.org> *On Behalf Of *Dimitris
>     Zacharopoulos (HARICA) via Smcwg-public
>     *Sent:* Tuesday, September 13, 2022 7:25 AM
>     *To:* smcwg-public at cabforum.org
>     *Subject:* Re: [Smcwg-public] Ballot SMC01: Final Guideline for
>     “S/MIME Baseline Requirements”
>     After a more detailed review by the HARICA team, we noticed some
>     areas of concern that we hope will be considered for update by the
>     authors and endorsers of this ballot.
>      1. c
>          1. authorityInformationAccess (*SHALL *be present) ->
>             authorityInformationAccess (*SHOULD *be present)
>             [Rationale: OCSP is not currently required for S/MIME
>             Certificates by all Certificate Consumers. Only Microsoft
>             Root Program requires it and perhaps this is due to a
>             copy-over from the TLS BRs without performing a technical
>             analysis specifically on S/MIME or clientAuth or
>             codeSigning Certificates. The CSCWG already removed the
>             requirement for OCSP in Subscriber Certificates in the CSBRs].
>          2. The authorityInformationAccess extension *SHALL *contain
>             at least one accessMethod value of type id-ad-ocsp that
>             specifies the URI of the Issuing CA’s OCSP responder. ->
>             The authorityInformationAccess extension *MAY *contain at
>             least one accessMethod value of type id-ad-ocsp that
>             specifies the URI of the Issuing CA’s OCSP responder.
>             [Rationale: same as above]
>      2. Subject DN attributes for organization-validated
>         profile and Subject DN attributes for
>         sponsor-validated profile
>             subject:countryName *MAY *-> subject:countryName *SHALL
>         *[Rationale: Organization Names must contain a Country Name to
>         indicate where this Organization is located. This applies to
>         the organization-validated and the sponsor-validated profile.
>         It is also referenced in Appendix A - Registration Schemes]
>     Thank you,
>     Dimitris.
>     On 8/9/2022 10:03 π.μ., Stephen Davidson via Smcwg-public wrote:
>         *Ballot SMC01: Final Guideline for “S/MIME Baseline
>         Requirements” *
>         **
>         *Purpose of Ballot:*
>         The S/MIME Certificate Working Group was chartered to discuss,
>         adopt, and maintain policies, frameworks, and standards for
>         the issuance and management of Publicly-Trusted S/MIME
>         Certificates.  This ballot adopts a new “S/MIME Baseline
>         Requirements” that includes requirements for verification of
>         control over email addresses, identity validation for natural
>         persons and legal entities, key management and certificate
>         lifecycle, certificate profiles for S/MIME Certificates and
>         Issuing CA Certificates, as well as CA operational and audit
>         practices.
>         An S/MIME Certificate for the purposes of this document can be
>         identified by the existence of an Extended Key Usage (EKU) for
>         id-kp-emailProtection (OID: and the
>         inclusion of a rfc822Name or an otherName of type
>         id-on-SmtpUTF8Mailbox in the subjectAltName extension in the
>         Certificate.
>         The following motion has been proposed by Stephen Davidson of
>         DigiCert and endorsed by Martijn Katerbarg of Sectigo and
>         ­­­Ben Wilson of Mozilla.
>         *Charter Voting References*
>         Section 5.1 (“Voting Structure”)
>         <https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure>of
>         the SMCWG Charter says:
>         In order for a ballot to be adopted by the SMCWG, two-thirds
>         or more of the votes cast by the Certificate Issuers must be
>         in favor of the ballot and more than 50% of the votes cast by
>         the Certificate Consumers must be in favor of the ballot. At
>         least one member of each class must vote in favor of a ballot
>         for it to be adopted. Quorum is the average number of Member
>         organizations (cumulative, regardless of Class) that have
>         participated in the previous three (3) SMCWG Meetings or
>         Teleconferences (not counting subcommittee meetings thereof).
>         *— MOTION BEGINS —**
>         *
>         This ballot adopts the “Baseline Requirements for the Issuance
>         and Management of Publicly-Trusted S/MIME Certificates”
>         (“S/MIME Baseline Requirements”) as Version 1.0.0.
>         The proposed S/MIME Baseline Requirements may be found at
>         https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52
>         <https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52>or
>         the attached document.
>         The SMCWG Chair or Vice-Chair is permitted to update the
>         Relevant Dates and Version Number of the S/MIME Baseline
>         Requirements to reflect final dates.
>         *— MOTION ENDS —**
>         *
>         This ballot proposes a Final Guideline. The procedure for
>         approval of this ballot is as follows:
>         Discussion (7+ days)
>         Start Time: 8 September 2022 17:00 UTC
>         End Time: 15 September 2022 17:00 UTC
>         Vote for approval (7 days)
>         Start Time: 15 September 2022 17:00 UTC
>         End Time: 22 September 2022 17:00 UTC
>         IPR Review (60 days)
>         _______________________________________________
>         Smcwg-public mailing list
>         Smcwg-public at cabforum.org
>         https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220913/ebd8c5d6/attachment-0001.html>

More information about the Smcwg-public mailing list