[Smcwg-public] OCSP URLs in S/MIME Certificates

Tim Hollebeek tim.hollebeek at digicert.com
Fri Sep 23 18:13:39 UTC 2022

We would support this if a Microsoft representative publicly makes a statement clarifying that their OCSP requirements in Microsoft policy are not intended to apply to non-TLS certificates and/or updates their policy to state the same.

I would encourage them to do so because I personally believe that is in fact the original intent of the policy, but the problem is that our compliance team (and other compliance teams…) cannot rely upon my personal beliefs.


From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Friday, September 23, 2022 1:53 PM
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] OCSP URLs in S/MIME Certificates

I dug up some emails HARICA exchanged with Microsoft Root Program Managers back in June 2021. We indicated that the Root Store Policy at-that-time had a "catch-all" phrase implying that OCSP URLs must be included in all Certificates trusted by Microsoft.

After it was pointed out by a Microsoft representative that it is not required for Code Signing Certificates, we reached out to Microsoft asking what is the case for other types of certificates. Their response was:

"Removing the OCSP URLs from non-TLS certificates is acceptable."

I know this is not a "normative statement" but for me it confirms that OCSP is not required for S/MIME Certificates in the Microsoft Root Program. So, unless there is an opposing statement by Microsoft, I hope we can agree to change the OCSP requirement from mandatory to optional in the first version of the SMBRs.

Thank you,