[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Buschart, Rufus rufus.buschart at siemens.com
Thu Sep 22 13:27:37 UTC 2022


Hi Martijn,

Under normal circumstances I’d share your opinion about the long duration for the last valid certificate based on the legacy profile. But in this case, I’d say we need to take into consideration that, from the effective date on at the latest, downstream applications will need to be able to handle S/MIME certificates that follow one of the stronger profiles. I believe this will be a very challenging target to achieve, especially since S/MIME certificate handling is often part of the business logic, as opposed to TLS certificates, which are typically handled very far down in the software stack. Also, nobody is forcing the mail client suppliers to accept certificates based on the legacy profile until the sunset date. They could phase them out earlier. But I’d like to avoid CAs becoming non-compliant because they need to support legacy applications that are not easy to adapt.

/Rufus


From: Martijn Katerbarg <martijn.katerbarg at sectigo.com>
Sent: Tuesday, 20 September 2022 19:55
To: Buschart, Rufus (IT IPS SIP ET) <rufus.buschart at siemens.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Clint Wilson <clintw at apple.com>; Stephen Davidson <Stephen.Davidson at digicert.com>
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

If you take the end of 2026 as deprecation date for issuing Legacy profile certificates, that would mean the last one of those would expire somewhere in Q1 2030. That’s more than 7 years from now.

Compare that to the fact that at least one Trusted Root Store operator previously set a deadline of April 2022 (a decision that was later reversed).

I think the proposal of around October 2024 is a fair target for this deprecation. That’s just about 2 years from now, and, estimating that the SMIME BRs should be in effect somewhere in Q3 of 2023, leaves more than a year from the effective date.

With 8 months in between the SMIME BRs adoption date and its effective date, I’d say it makes sense to incorporate this date through a separate ballot instead of adding this to the first version. That has the added effect of it having more potential to become a separate news item, and “spread the word”.

Regards,

Martijn

From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of Buschart, Rufus via Smcwg-public <smcwg-public at cabforum.org>
Date: Monday, 19 September 2022 at 15:20
To: Clint Wilson <clintw at apple.com>, SMIME Certificate Working Group <smcwg-public at cabforum.org>, Stephen Davidson <Stephen.Davidson at digicert.com>
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

I think this proposed date of Oct. 2024 is far too early, as there are systems downstream which are consuming the certificates and might need to be adjusted. It will take time to inform the customers of the CAs, the customers need to understand and need to identify the affected systems, need to get in touch with the vendors, identify necessary changes, allocate money, get development resources, implement the changes, test them and roll them into production --> I’d say we should aim for something like as early as end of 2026 as sunset date for legacy profiles.

/Rufus

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Clint Wilson via Smcwg-public
Sent: Thursday, 15 September 2022 18:28
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

As you’re considering changes, one concern that I still have is there remains no deprecation date for the Legacy profile — just the callout that it will be deprecated in the future. While I don’t believe this to be a blocker to voting in favor of the ballot, I do think it would be better to adopt a date sooner than later so there’s ample time for CAs to adjust, rather than having a shorter time frame if a date is set in the future instead.
My proposal would be roughly (give or take a few months) October 1, 2024 as the date after which no new Legacy certs should be issued, which would mean the deprecation would complete some time in 2028. While I’d prefer an earlier deprecation date, as mentioned numerous times, I think this time frame remains tractable.


On Sep 15, 2022, at 9:01 AM, Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org> wrote:

Thank you Matthias.
Under the by-laws we may incorporate feedback into the text.  I will add this, as well as changes addressing some other suggestions that have been made, for circulation to the SMCWG before we move to ballot.
Best regards, Stephen

From: Wiedenhorst, Matthias <M.Wiedenhorst at tuvit.de>
Sent: Thursday, September 15, 2022 5:39 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; smcwg-public at cabforum.org
Subject: Re: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Dear Stephen, Dear all,
I just realized one issue with regard to auditing and I am very sorry that I didn’t realize it earlier in one of the many times I read through the draft during its creation.
In section 8.2, number 4 it is written: "(For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;" However, ETSI EN 319 403-1 was released some time ago as the successor of 319 403. For the time being, both versions are valid and can be used for CAB accreditation. I assume most CABs are on their way to migrating accreditation to the newer 403-1; some have already finished. Hence, section 8.2 number 4 should be amended as follows:
"(For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403 or ETSI EN 319 403-1;"
In addition, a reference to the new version should be added to section 1.6.3:
“ETSI EN 319 403-1, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers”

I also noticed one other thing:
In the provided PDF there are some sections with tables, where text of the first two columns partly overlay each other. I found examples in sections 7.1.2.3 e), 7.1.4.2.5 and 7.1.4.2.6. I realize that this is only an issue of presentation and not of content, but nevertheless, maybe there is a way to fix it.
Best regards
Matthias

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, 8 September 2022 09:03
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”

Purpose of Ballot:

The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates.  This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.

An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.

The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.

Charter Voting References

Section 5.1 (“Voting Structure”) <https://github.com/cabforum/servercert/blob/e6ad111f4477010cbff409cd939c5ac1c7c85ccc/docs/SMCWG-charter.md#51-voting-structure> of the SMCWG Charter says:

In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).

— MOTION BEGINS —

This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.

The proposed S/MIME Baseline Requirements may be found at https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.

The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.

— MOTION ENDS —

This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:

Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC

Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC

IPR Review (60 days)



_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
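
The ballot text quoted in this thread defines an S/MIME Certificate by two properties: id-kp-emailProtection in the EKU, plus an rfc822Name or an id-on-SmtpUTF8Mailbox otherName in subjectAltName. The following is an added example, not part of the original messages and not CA/Browser Forum code, that applies that definition to DER-encoded extension values. It assumes the caller has already extracted both values from the certificate; the function names and sample bytes are constructed for illustration, and the id-on-SmtpUTF8Mailbox OID value comes from RFC 8398 rather than from the thread.

```python
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection, as given in the ballot
SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"  # id-on-SmtpUTF8Mailbox (RFC 8398)

def read_tlv(buf, pos=0):                 # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                      # elements nested in a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(body):                     # OBJECT IDENTIFIER contents -> dotted string
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear: last byte of this arc
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def is_smime_certificate(eku_der, san_der):
    """Both arguments are extnValue contents (DER), or None if the extension is absent."""
    if eku_der is None or san_der is None:
        return False
    ekus = {decode_oid(v) for t, v in children(read_tlv(eku_der)[1]) if t == 0x06}
    if EMAIL_PROTECTION not in ekus:
        return False
    for tag, val in children(read_tlv(san_der)[1]):
        if tag == 0x81:                   # rfc822Name: [1] IA5String
            return True
        if tag == 0xA0:                   # otherName: [0] { type-id OID, [0] value }
            t, oid, _ = read_tlv(val)
            if t == 0x06 and decode_oid(oid) == SMTP_UTF8_MAILBOX:
                return True
    return False

def tlv(tag, body):                       # encoder for the constructed samples below
    return bytes([tag, len(body)]) + body

EKU_EMAIL = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070304")))
SAN_RFC822 = tlv(0x30, tlv(0x81, b"alice@example.com"))
SAN_UTF8 = tlv(0x30, tlv(0xA0, tlv(0x06, bytes.fromhex("2b06010505070809")) + tlv(0xA0, tlv(0x0C, "ol\u00e9@example.com".encode()))))
```

A certificate with only a dNSName in subjectAltName, or with emailProtection absent from the EKU, falls outside the definition and returns False.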
