[Smcwg-public] Proposed text for handling transition of existing S/MIME subCAs

Stephen Davidson Stephen.Davidson at digicert.com
Fri Jun 16 17:22:15 UTC 2023


At the face-to-face it was agreed that the SMCWG would propose a ballot to lay out parameters for Certificate Issuers to step from old S/MIME SubCAs to SubCAs that are fully-compliant with the S/MIME BR (SBR).

The following proposal does several things:

1.      It provides a new definition of "Extant S/MIME CA" for SubCAs that can be used during the transition phase.  This makes an easy reference for external requirements that may wish to pick up the definition; it also avoids the word "legacy" which is already used in the SBR.
2.      It adds a new Appendix B which allows "Extant" SubCAs to be used to issue otherwise compliant leafs following the Effective Date this Sept.  However, all S/MIME CAs would need to meet the SBR reqs by Sept 15, 2024.

The text does not require the revocation of the Extant S/MIME CAs; merely that they cease issuance before September 15, 2024.

This will be on our Agenda for next week.  I am also seeking endorsers, assuming this text finds support in the SMCWG.

Regards, Stephen

New definition

**Extant S/MIME CA**: A Subordinate CA that:

1.      Is a Publicly-Trusted CA Certificate with end entity S/MIME Certificates that are valid as of June 15, 2023;
2.      Is audited and has appeared on the CA's latest audit report which is acceptable to the relevant program for Publicly-Trusted Certificates;
3.      The CA Certificate includes no Extended Key Usage extension, contains anyExtendedKeyUsage in the EKU extension, or contains id-kp-emailProtection in the EKU extension;
4.      The CA Certificate complies with the profile defined in RFC 5280. The following two deviations from the RFC 5280 profile are acceptable:

a. The CA Certificate contains a nameConstraints extension that is not marked critical;

b. The CA Certificate contains a policy qualifier of type UserNotice which contains explicitText that uses an encoding that is not permitted by RFC 5280 (i.e., the DisplayText is encoded using BMPString or VisibleString); and

5.      The CA Certificate may contain the anyPolicy identifier ( or specific OIDs in the certificatePolicies extension that do not include those defined in Section of these Requirements. Subordinate CA certificates

[Insert the following sentence to the intro.]

The issuance of end entity S/MIME Certificates by Extant S/MIME CAs is described in Appendix B.

Appendix B - Transition of Extant S/MIME CAs

Following the Effective Date for v 1.0.0 of these Requirements (September 1, 2023) an Extant S/MIME CA may continue to issue end entity S/MIME Certificates that are compliant with these Requirements.

On or after September 15, 2024, all newly-issued Publicly-Trusted end entity S/MIME Certificates must be issued from S/MIME Subordinate CAs that are compliant with these Requirements.
