Hi,

I agree with your summary, Ben, but am struggling with the "how" and the "when".

I don't know if I'm alone in this, but it would be helpful to me to have the concerns that have been raised also outlined in text somewhere (ideally with details and data and all that good stuff). To be honest, at this point I'm not entirely sure which concerns were addressed as part of the discussion on recent calls, which concerns are outstanding, what the proposed remediation(s) or resolution(s) might be from both those who share the concerns and those who don't, what questions related to individual concerns remain unanswered, what data exists to give any indication regarding the likely overall impact for each concern, or really what the path forward looks like.

Apple had originally planned to restrict S/MIME validity periods to 2 years (something Gmail has done for a long time, aiui). Instead, that limit was increased to 3 years in 2021 based on an understanding from CAs that substantive efforts would be made to ensure the future deprecation of this longer validity period and a _very_ clear indication that deprecation of the Legacy profile was part of this. In the interim 2.5 years, many CAs *have* honored those commitments and successfully established systems, processes, communication channels, and automation capabilities reinforcing that future-facing outlook. On the other hand, in the interim 2.5 years, I have *not* seen topics raised by CAs related to the purported negative impact of deprecating the Legacy profile except recently and in direct response to Stephen's oft-repeated and impressively diligent inquiries regarding the topic. Even then, I have not seen problems defined in sufficient detail to allow for ecosystem-level solutions to be proposed, designed, or iterated upon. As in 2021, so today: I am committed to trying to solve these issues, but more: to understand and to incorporate that understanding in driving a balanced approach to iterative improvement to the SBRs.

However, the seemingly unchanging status quo related to attempts to discuss and establish timelines for reducing S/MIME certificate validity periods is not encouraging confidence in this approach. Disruption is never the goal, but it *is* often an inevitability. In the same vein, avoiding disruption is also not the goal; an expectation that disruption be completely avoided is no different than a moratorium on future changes to the SBRs. Rather, at least in my mind, it's the level of disruption that we should be focused on reducing.

Also, just to repeat again one point: establishing a deprecation date for the Legacy profile is likely the _only_ way we actually can ensure that those not involved in the S/MIME WG are prepared (or even aware of the need *to* prepare) for a shift away from the Legacy profile. If there's not a target, no one's gonna be aiming anything.

Thanks,
-Clint

> On May 9, 2024, at 2:27 PM, Ben Wilson via Smcwg-public
> <smcwg-public@cabforum.org> wrote:
>
> Hi all,
>
> I am currently aligned with Wendy's and Judith's concerns expressed on the
> recent call about sunsetting the Legacy profile, but I look forward to
> discussing this further in Bergamo. The Legacy profile provides greater
> flexibility, and migrating to only the Multipurpose and Strict profiles may
> have unforeseen consequences. While no one else has explicitly stated they
> are not ready for this move, the Mozilla Root Program has integrated the
> S/MIME BRs into our root store policy, necessitating support for diverse use
> cases while ensuring broad compliance. We need to ensure that everyone not
> involved in the S/MIME WG is prepared for such a significant move, and we
> might find out about problems when it is too late to address them. For
> instance, we could see compliance issues in Bugzilla from CA operators who
> are currently enabled with the email trust bit, or we might receive a root
> inclusion request from a CA operator unwilling or unable to restrict issuance
> to only strict or multipurpose certificates.
>
> In summary, I'd just like to understand the issues better and minimize
> disruption and compliance issues down the road.
>
> I look forward to your thoughts and suggestions.
>
> Thanks,
>
> Ben
>
> On Thu, Apr 11, 2024 at 8:40 AM Stephen Davidson via Smcwg-public
> <smcwg-public@cabforum.org> wrote:
>> Hello all:
>>
>> I attach the summary that we reviewed in the SMCWG call yesterday.
>>
>> It highlights the differences between the Legacy generation profiles and the
>> Multipurpose/Strict profiles, including links to the relevant text sections
>> in the S/MIME BR.
>>
>> https://cabforum.org/posts/2024/2024-04-10-legacy-deprecation/SMCWG_20240410_Final.pdf
>>
>> This should facilitate review and feedback to help the SMCWG determine
>> appropriate steps and timelines to migrate to the Multipurpose/Strict
>> profiles.
>>
>> Regards, Stephen
>>
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public@cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public