[Smcwg-public] OCSP URLs in S/MIME Certificates

Tim Hollebeek tim.hollebeek at digicert.com
Fri Sep 23 18:13:39 UTC 2022


We would support this if a Microsoft representative publicly makes a statement clarifying that their OCSP requirements in Microsoft policy are not intended to apply to non-TLS certificates and/or updates their policy to state the same.

I would encourage them to do so because I personally believe that is in fact the original intent of the policy, but the problem is that our compliance team (and other compliance teams…) cannot rely upon my personal beliefs.

-Tim

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Friday, September 23, 2022 1:53 PM
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] OCSP URLs in S/MIME Certificates


I dug up some emails HARICA exchanged with Microsoft Root Program Managers back in June 2021. We indicated that the Root Store Policy at-that-time had a "catch-all" phrase implying that OCSP URLs must be included in all Certificates trusted by Microsoft.

After it was pointed out by a Microsoft representative that it is not required for Code Signing Certificates, we reached out to Microsoft asking what is the case for other types of certificates. Their response was:

"Removing the OCSP URLs from non-TLS certificates is acceptable."

I know this is not a "normative statement" but for me it confirms that OCSP is not required for S/MIME Certificates in the Microsoft Root Program. So, unless there is an opposing statement by Microsoft, I hope we can agree to change the OCSP requirement from mandatory to optional in the first version of the SMBRs.

Thank you,
Dimitris.