[Smcwg-public] Definition of extant CA

Stephen Davidson Stephen.Davidson at digicert.com
Tue Sep 12 11:13:29 UTC 2023

Thank you Jochem:

We will add this to the agenda of our next SMCWG meeting.

With kind regards, Stephen




From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Berge,
Jochem Van den via Smcwg-public
Sent: Tuesday, September 12, 2023 6:01 AM
To: smcwg-public at cabforum.org
Cc: Berg, Patrick van den <Patrick.Berg at logius.nl>; Weissenberg, David
<david.weissenberg at logius.nl>
Subject: [Smcwg-public] Definition of extant CA


Hi all,


Ballot SMC03 introduced the term "extant CA" as follows:


1. Is a Publicly-Trusted Subordinate CA Certificate whose `notBefore`
field is before September 1, 2023 and has issued end entity S/MIME
2. The CA Certificate includes no Extended Key Usage extension,
contains `anyExtendedKeyUsage` in the EKU extension, or contains
`id-kp-emailProtection` in the EKU extension;
3. The CA Certificate complies with the profile defined in
[RFC 5280](http://tools.ietf.org/html/rfc5280). The following two
deviations from the [RFC 5280](http://tools.ietf.org/html/rfc5280)
profile are acceptable:

a. The CA Certificate contains a `nameConstraints` extension that is
not marked critical;
b. The CA Certificate contains a policy qualifier of type UserNotice
which contains `explicitText` that uses an encoding that is not permitted by
[RFC 5280](http://tools.ietf.org/html/rfc5280) (i.e., the `DisplayText` is
encoded using BMPString or VisibleString); and

4. The CA Certificate contains the `anyPolicy` identifier or specific
OIDs in the `certificatePolicies` extension that do not include those
defined in [Section](#7161-reserved-certificate-policy-identifiers) of these


Now it might seem like nit-picking but we had a question specifically about
the first line. If a CA is S/MIME capable but only issues other CA
certificates which in turn issue end-user S/MIME certificates, is that still
covered by this definition?


PKIoverheid operates a 4-layer hierarchy in which the level 2 CAs only issue
CA certificates to Trust Service providers who actually issue end-user
(S/MIME and qualified) certificates. We're asking this question because
we're currently planning (re)issuance of existing PKIoverheid level 3 CAs to
remain compliant with the SBRGs (or move them off S/MIME completely when it
is no longer needed) per the timelines stated in Appendix B. 


Reading the text verbatim would indicate that the level 2 CAs are not
included in the definition of the "extant CA" since they have never issued
and never will issue end-user certificates of any kind, but we have our
doubts whether that is a valid interpretation.


What take do other CAs (or browsers) have on this? 


Kind Regards,


Jochem van den Berge

Compliance officer PKIoverheid




Digital Government Service

Ministry of the Interior and Kingdom Relations



M (+31) (0)6 - 21 16 26 89

T  (+31) (0)70 - 888 76 91

jochem.vanden.berge at logius.nl


workdays Mo-Tue & Thu-Fri





This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages. 
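As an added example (not part of this thread or of the ballot text), the check below evaluates a CA certificate against the certificate-level items of the "extant CA" definition quoted above, using the `cryptography` package. It assumes the reserved policy OIDs of Section 7.1.6.1 are supplied by the caller (the demo uses a placeholder value); the "has issued end entity S/MIME" condition in item 1, and the hierarchy question Jochem raises, are issuance history rather than certificate fields and are deliberately out of its scope.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

CUTOFF = datetime.datetime(2023, 9, 1, tzinfo=datetime.timezone.utc)  # item 1: notBefore limit
ANY_POLICY = "2.5.29.32.0"

def _ext(cert, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None

def extant_ca_findings(cert, reserved_policy_oids):
    """Reasons the certificate fails the certificate-level checks; [] means it passes."""
    findings = []
    # cryptography >= 42 exposes an aware UTC datetime; older versions give a naive one.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
    if nb >= CUTOFF:
        findings.append("notBefore is not before 2023-09-01")
    eku = _ext(cert, ExtensionOID.EXTENDED_KEY_USAGE)  # item 2: an absent EKU is acceptable
    if eku is not None and not ({ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE, ExtendedKeyUsageOID.EMAIL_PROTECTION} & set(eku.value)):
        findings.append("EKU present but has neither anyExtendedKeyUsage nor id-kp-emailProtection")
    # item 3: deviations (a) non-critical nameConstraints and (b) BMPString/VisibleString
    # UserNotice text are tolerated by the definition, so neither is reported as a finding.
    cp = _ext(cert, ExtensionOID.CERTIFICATE_POLICIES)  # item 4
    if cp is None:
        findings.append("no certificatePolicies extension")
    else:
        oids = {p.policy_identifier.dotted_string for p in cp.value}
        if ANY_POLICY not in oids and oids & set(reserved_policy_oids):
            findings.append("certificatePolicies carries a reserved SBR policy OID")
    return findings

def make_sample_ca(not_before, eku=None, policies=(ANY_POLICY,)):
    """Constructed self-signed sample CA certificate (not a real PKIoverheid CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample CA")])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(not_before).not_valid_after(not_before + datetime.timedelta(days=3650))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(x509.CertificatePolicies([x509.PolicyInformation(x509.ObjectIdentifier(o), None) for o in policies]), critical=False))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(key, hashes.SHA256())

def demo():
    reserved = {"1.2.3.4"}  # placeholder standing in for the Section 7.1.6.1 reserved OIDs
    good = make_sample_ca(datetime.datetime(2020, 1, 1))  # pre-cutoff, no EKU, anyPolicy
    bad = make_sample_ca(datetime.datetime(2023, 10, 1), eku=[ExtendedKeyUsageOID.SERVER_AUTH], policies=("1.2.3.4",))
    return extant_ca_findings(good, reserved), extant_ca_findings(bad, reserved)
```

`demo()` returns an empty finding list for the first constructed CA and three findings (notBefore, EKU, policy) for the second.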
