All, I am editing the S/MIME Baseline Requirements transition guidance wiki page (https://wiki.mozilla.org/CA/Transition_SMIME_BRs) slightly to make it more clear that existing CA operators are to submit their S/MIME BR audit reports consistent with their existing audit cycles. Right now, the language on the wiki page says, "For CA operators to maintain their current annual audit cycles, new S/MIME BR audits should be provided when they provide their other annual audits." This seems pretty straightforward. But then it says, "Any root CA certificate being considered for inclusion after October 30, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs."
This latter sentence might be inferred to mean that an earlier, out-of-cycle audit would be required for new root CA certificates created by existing CAs. I am recommending that we change this to make it clear that if an existing CA operator has an email-trust-bit-enabled CA certificate in the root store, then it can submit its S/MIME BR audit (that will include new, email-enabled root CAs) when it provides its other regularly-scheduled, other audits. For example, if a CA operator in the Mozilla root program usually submits their audits in July, and they are requesting the inclusion of a new email-enabled root CA, then that S/MIME BR audit can be submitted in July, too. Here are my suggested revisions: For CA operators *that already have ** an email-trust-bit-enabled CA certificate in the root store* to *may* maintain their current annual audit cycles *and provide*, *the* new S/MIME BR audits should be provided when they provide their other annual audit *report*s*, even if they are in the process of requesting inclusion of one or more new, email-trust-bit-enabled root CA certificates*. *For instance, if a CA operator typically provides audit reports in July 2024 and is requesting the inclusion of a new email-bit-enabled root CA, the corresponding S/MIME BR audit encompassing both existing and new * *email-trust-bit-enabled* *root CA certificates can be submitted during the annual audit submission in July 2024.* *For any new CA operator requesting inclusion of a* Any root CA certificate being considered for inclusion after October 30, 2023, *the root CA *must be audited according to the S/MIME BRs if the email trust bit is to be enabled *.* *A* , and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs. Are there any comments or suggestions? Thanks, Ben On Wed, Jul 19, 2023 at 11:01 AM Ben Wilson <bwil...@mozilla.com> wrote: > All, > > I have created a wiki page ( > https://wiki.mozilla.org/CA/Transition_SMIME_BRs) to address > miscellaneous issues that might arise for CAs in their transition toward > compliance with the CA/Browser Forum’s Baseline Requirements for S/MIME > Certificates (S/MIME BRs). (The wiki page is for items that are not > directly explained in the upcoming version 2.9 of the Mozilla Root Store > Policy.) > > The first issue addressed in the wiki page relates to the re-issuance of > existing intermediate CAs used for issuing S/MIME certificates. Based on > language provided by Corey Bonnell, the wiki page explains how Mozilla > expects S/MIME CA re-issuance to occur. > > We may add explanations about other items of concern to the wiki page in > the future, and if so, I’ll advise you accordingly. > > Thanks, > > Ben > -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabGsE5N9mJeOWaROcu17dTKtKfZf8tpjLDGS7jA49jVzg%40mail.gmail.com.
