[Smcwg-public] FW: MRSP 2.9: S/MIME BRs Transition Timeline

Stephen Davidson Stephen.Davidson at digicert.com
Wed Jun 21 00:21:03 UTC 2023

FYI, for thoroughness:  MDSP announcement re S/MIME BR.

Regards, Stephen

From: dev-security-policy at mozilla.org <dev-security-policy at mozilla.org> On Behalf Of Ben Wilson
Sent: Friday, June 16, 2023 1:37 PM
To: dev-secur... at mozilla.org <dev-security-policy at mozilla.org>
Subject: MRSP 2.9: S/MIME BRs Transition Timeline


Our proposal for a migration plan towards having Certification Authorities (CAs) follow the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates (S/MIME BRs) is as follows, keeping in mind that the Effective Date for version 1.0.0 of the S/MIME BRs is September 1, 2023, and assuming that ETSI and WebTrust audit criteria are in place for S/MIME BR audits by September 1, 2023.

Any root CA certificate being considered for inclusion after September 1, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs. Note that the CA operator’s first S/MIME BR audit may be a Point-in-Time audit if the audit period will be less than 60 days, and the audit statement may list non-compliances to be resolved within the next annual audit period.

CA root certificates and subordinate CA certificates that are technically capable of issuing S/MIME certificates that chain up (either directly or transitively) to a root certificate that has the email (S/MIME) trust bit enabled in Mozilla's CA Certificate Program shall be audited with a Period-of-Time audit according to the S/MIME BRs between September 1, 2023, and August 31, 2024, and annually thereafter. For CA operators to maintain their current annual audit cycles, the new S/MIME BR audit should be provided along with the other audits that the CA operator provides annually.

* The audit period start date for the first S/MIME BR audit will be September 1, 2023, or earlier.

  * At the CA operator’s option, the first S/MIME BR audit may cover the entire audit period.
  * The initial audit period start date for the first S/MIME BR audit cannot be before the effective date of a CA operator’s CP or CPS that confirms the CA operator’s compliance with the current version of the S/MIME BRs.

* If the CA operator’s existing regular audit period for other audit types ends after October 30, 2023, then we will expect to receive an S/MIME BR audit that covers September 1, 2023, through the end of that audit period (i.e. a Period-of-Time audit).

  * If the CA operator’s first S/MIME BR audit period would be less than 60 days (e.g. audit period being September 1, 2023, to October 30, 2023), then a Point-in-Time audit may be performed.

* The first S/MIME BR audit for each CA root certificate and subordinate CA certificate may include a reasonable list of non-compliances that the CA operator (or subordinate CA operator) is not yet in compliance with.

  * Only one Incident Bug needs to be filed containing the list of the non-compliances in a CA operator’s first S/MIME BR audit.

* Submission of the second S/MIME BR audit report is expected to confirm that the issues that were listed in the first S/MIME BR audit report have been resolved.

We look forward to your constructive feedback on the proposed transition timeline.


Ben and Kathleen
