[Smcwg-public] Definition of extant CA

Berge, Jochem Van den jochem.vanden.berge at logius.nl
Tue Sep 12 04:00:30 UTC 2023

Hi all,

Ballot SMC03 introduced the term "extant CA" as follows:

  1.  Is a Publicly-Trusted Subordinate CA Certificate whose `notBefore` field is before September 1, 2023 and has issued end entity S/MIME Certificates;
  2.  The CA Certificate includes no Extended Key Usage extension, contains `anyExtendedKeyUsage` in the EKU extension, or contains `id-kp-emailProtection` in the EKU extension;
  3.   The CA Certificate complies with the profile defined in [RFC 5280](http://tools.ietf.org/html/rfc5280). The following two deviations from the [RFC 5280](http://tools.ietf.org/html/rfc5280) profile are acceptable:
     *   The CA Certificate contains a `nameConstraints` extension that is not marked critical;
     *   The CA Certificate contains a policy qualifier of type UserNotice which contains `explicitText` that uses an encoding that is not permitted by [RFC 5280](http://tools.ietf.org/html/rfc5280) (i.e., the `DisplayText` is encoded using BMPString or VisibleString); and
  4.  The CA Certificate contains the `anyPolicy` identifier ( or specific OIDs in the `certificatePolicies` extension that do not include those defined in [Section](#7161-reserved-certificate-policy-identifiers) of these Requirements.

Now it might seem like nit-picking but we had a question specifically about the first line. If a CA is S/MIME capable but only issues other CA certificates which in turn issue end-user S/MIME certificates is that still be covered by this definition?

PKIoverheid operates a 4-layer hierarchy in which the level 2 CAs only issue CA certificates to Trust Service providers who actually issue end-user (S/MIME and qualified) certificates. We're asking this question because we're currently planning (re)issuance of existing PKIoverheid level 3 CAs to remain compliant with the SBRGs (or move them off S/MIME completely when it is no longer needed) per the timelines stated in Appendix B.

Reading the text verbatim would indicate that the level 2 CAs are not included in the definition of the "extant CA" since it never has and never will issue end-user certificates of any kind but we have our doubts if that is a valid interpretation.

What take do other CAs (or browsers) have on this?

Kind Regards,

Jochem van den Berge
Compliance officer PKIoverheid


Digital Government Service
Ministry of the Interior and Kingdom Relations

M (+31) (0)6 - 21 16 26 89
T  (+31) (0)70 - 888 76 91
jochem.vanden.berge at logius.nl<mailto:jochem.vanden.berge at logius.nl>

workdays Mo-Tue & Thu-Fri

Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230912/f9cfc0ce/attachment.html>

More information about the Smcwg-public mailing list