Hi,

I agree with your summary, Ben, but am struggling with the “how” and the “when”.
I don’t know if I’m alone in this, but it would be helpful to me to have the
concerns that have been raised also outlined in text somewhere (ideally with
details and data and all that good stuff). To be honest, at this point I’m not
entirely sure which concerns were addressed as part of the discussion on recent
calls, which concerns are outstanding, what the proposed remediation(s) or
resolution(s) might be from both those who share the concerns and those who
don’t, what questions related to individual concerns remain unanswered, what
data exists to give any indication regarding the likely overall impact for each
concern, or really what the path forward looks like.

Apple had originally planned to restrict S/MIME validity periods to 2 years
(something Gmail has done for a long time, aiui). Instead, that limit was
increased to 3 years in 2021 based on an understanding from CAs that
substantive efforts would be made to ensure the future deprecation of this
longer validity period and a _very_ clear indication that deprecation of the
Legacy profile was part of this. In the interim 2.5 years, many CAs *have*
honored those commitments and successfully established systems, processes,
communication channels, and automation capabilities reinforcing that
future-facing outlook. On the other hand, in the interim 2.5 years, I have
*not* seen topics raised by CAs related to the purported negative impact of
deprecating the Legacy profile except recently and in direct response to
Stephen's oft-repeated and impressively diligent inquiries regarding the topic.
Even then, I have not seen problems defined in sufficient detail to allow for
ecosystem-level solutions to be proposed, designed, or iterated upon.

As in 2021, so today: I am committed to trying to solve these issues, but more:
to understand and to incorporate that understanding in driving a balanced
approach to iterative improvement to the SBRs. However, the seemingly
unchanging status quo related to attempts to discuss and establish timelines
for reducing S/MIME certificate validity periods is not encouraging confidence
in this approach.

Disruption is never the goal, but it *is* often an inevitability. In the same
vein, avoiding disruption is also not the goal; an expectation that disruption
be completely avoided is no different than a moratorium on future changes to
the SBRs. Rather, at least in my mind, it’s the level of disruption that we
should be focused on reducing.

Also, just to repeat again one point: establishing a deprecation date for the
Legacy profile is likely the _only_ way we actually can ensure that those not
involved in the S/MIME WG are prepared (or even aware of the need *to* prepare)
for a shift away from the Legacy profile. If there’s not a target, no one’s
gonna be aiming anything.

Thanks,
-Clint
> On May 9, 2024, at 2:27 PM, Ben Wilson via Smcwg-public
> wrote:
>
> Hi all,
>
> I am currently aligned with Wendy’s and Judith’s concerns expressed on the
> recent call about sunsetting the Legacy profile, but I look forward to
> discussing this further in Bergamo. The Legacy profile provides greater
> flexibility, and migrating to only the Multipurpose and Strict profiles may
> have unforeseen consequences. While no one else has explicitly stated they
> are not ready for this move, the Mozilla Root Program has integrated the
> S/MIME BRs into our root store policy, necessitating support for diverse use
> cases while ensuring broad compliance. We need to ensure that everyone not
> involved in the S/MIME WG is prepared for such a significant move, and we
> might find out about problems when it is too late to address them. For
> instance, we could see compliance issues in Bugzilla from CA operators who
> are currently enabled with the email trust bit, or we might receive a root
> inclusion request from a CA operator unwilling or unable to restrict issuance
> to only strict or multipurpose certificates.
>
> In summary, I'd just like to understand the issues better and minimize
> disruption and compliance issues down the road.
>
> I look forward to your thoughts and suggestions.
>
> Thanks,
>
> Ben
>
> On Thu, Apr 11, 2024 at 8:40 AM Stephen Davidson via Smcwg-public
> <smcwg-public@cabforum.org> wrote:
>> Hello all:
>>
>> I attach the summary that we reviewed in the SMCWG call yesterday.
>>
>> It highlights the differences between the Legacy generation profiles and the
>> Multipurpose/Strict profiles, including links to the relevant text sections
>> in the S/MIME BR.
>>
>> https://cabforum.org/posts/2024/2024-04-10-legacy-deprecation/SMCWG_20240410_Final.pdf
>>
>> This should facilitate review and feedback to help the SMCWG determine
>> appropriate steps and timelines to migrate to the Multipurpose/Strict
>> profiles.
>>
>> Regards,