[Smcwg-public] OCSP URLs in S/MIME Certificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Sep 27 04:53:11 UTC 2022

On 23/9/2022 9:13 PM, Tim Hollebeek wrote:
> We would support this if a Microsoft representative publicly makes a 
> statement clarifying that their OCSP requirements in Microsoft policy 
> are not intended to apply to non-TLS certificates and/or updates their 
> policy to state the same.
> I would encourage them to do so because I personally believe that is 
> in fact the original intent of the policy, but the problem is that our 
> compliance team (and other compliance teams…) cannot rely upon my 
> personal beliefs.

I completely understand the sentiments from compliance teams when it 
comes to merging different policy requirements. Having OCSP optional in 
the SMBRs doesn't mean that a CA that wants to abide by any additional 
rules can't do so. However, requiring it in the SMBRs doesn't allow 
other CAs, like HARICA, that have a written statement from a Microsoft 
representative, to see OCSP as optional because it would cause a 
non-conformity in the audit report which can only be mitigated by.... 
revoking all certs and adding OCSP support :)

Hopefully this explains HARICA's difficult situation.

If there is no consensus to remove the mandatory requirement of the OCSP 
URL in this version of the ballot, my recommendation would be to defer 
this topic for the upcoming F2F where we will have 3 Microsoft 
representatives (2 physically present and 1 remote) to hopefully comment 
and clarify the situation.


> -Tim
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of* 
> Dimitris Zacharopoulos (HARICA) via Smcwg-public
> *Sent:* Friday, September 23, 2022 1:53 PM
> *To:* smcwg-public at cabforum.org
> *Subject:* [Smcwg-public] OCSP URLs in S/MIME Certificates
> I dug up some emails HARICA exchanged with Microsoft Root Program 
> Managers back in June 2021. We indicated that the Root Store Policy 
> at-that-time had a "catch-all" phrase implying that OCSP URLs must be 
> included in all Certificates trusted by Microsoft.
> After it was pointed out by a Microsoft representative that it is not 
> required for Code Signing Certificates, we reached out to Microsoft 
> asking what is the case for other types of certificates. Their 
> response was:
> "Removing the OCSP URLs from non-TLS certificates is acceptable."
> I know this is not a "normative statement" but for me it confirms that 
> OCSP is not required for S/MIME Certificates in the Microsoft Root 
> Program. So, unless there is an opposing statement by Microsoft, I 
> hope we can agree to change the OCSP requirement from mandatory to 
> optional in the first version of the SMBRs.
> Thank you,
> Dimitris.