Thank you Jochem: We will add this to the agenda of our next SMCWG meeting.
With kind regards,
Stephen

From: Smcwg-public <smcwg-public-boun...@cabforum.org> On Behalf Of Berge, Jochem Van den via Smcwg-public
Sent: Tuesday, September 12, 2023 6:01 AM
To: smcwg-public@cabforum.org
Cc: Berg, Patrick van den <patrick.b...@logius.nl>; Weissenberg, David <david.weissenb...@logius.nl>
Subject: [Smcwg-public] Definition of extant CA

Hi all,

Ballot SMC03 introduced the term "extant CA" as follows:

1. Is a Publicly-Trusted Subordinate CA Certificate whose `notBefore` field is before September 1, 2023 and has issued end entity S/MIME Certificates;
2. The CA Certificate includes no Extended Key Usage extension, contains `anyExtendedKeyUsage` in the EKU extension, or contains `id-kp-emailProtection` in the EKU extension;
3. The CA Certificate complies with the profile defined in [RFC 5280](http://tools.ietf.org/html/rfc5280). The following two deviations from the [RFC 5280](http://tools.ietf.org/html/rfc5280) profile are acceptable:
   a. The CA Certificate contains a `nameConstraints` extension that is not marked critical;
   b. The CA Certificate contains a policy qualifier of type UserNotice which contains `explicitText` that uses an encoding that is not permitted by [RFC 5280](http://tools.ietf.org/html/rfc5280) (i.e., the `DisplayText` is encoded using BMPString or VisibleString); and
4. The CA Certificate contains the `anyPolicy` identifier (2.5.29.32.0) or specific OIDs in the `certificatePolicies` extension that do not include those defined in [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers) of these Requirements.

Now it might seem like nit-picking, but we had a question specifically about the first line. If a CA is S/MIME capable but only issues other CA certificates which in turn issue end-user S/MIME certificates, is that still covered by this definition?

PKIoverheid operates a 4-layer hierarchy in which the level 2 CAs only issue CA certificates to Trust Service providers who actually issue end-user (S/MIME and qualified) certificates. We're asking this question because we're currently planning (re)issuance of existing PKIoverheid level 3 CAs to remain compliant with the SBRGs (or move them off S/MIME completely when it is no longer needed) per the timelines stated in Appendix B.

Reading the text verbatim would indicate that the level 2 CAs are not included in the definition of the "extant CA", since it never has and never will issue end-user certificates of any kind, but we have our doubts if that is a valid interpretation. What take do other CAs (or browsers) have on this?

Kind Regards,

Jochem van den Berge
Compliance officer PKIoverheid
Logius
Digital Government Service
Ministry of the Interior and Kingdom Relations
M (+31) (0)6 - 21 16 26 89
T (+31) (0)70 - 888 76 91
jochem.vanden.be...@logius.nl
www.logius.nl
workdays Mo-Tue & Thu-Fri
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
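An added example, not from the ballot text or from Logius/PKIoverheid, that encodes the four clauses of the SMC03 "extant CA" definition quoted in the message as a check over a summary of a Subordinate CA Certificate, using the verbatim reading of clause 1 that the question describes. The `CaCertSummary` dataclass, the deviation labels and the reserved policy OID set are assumptions of this example; whether a level 2 CA that only issues CA certificates is covered is the interpretive question the thread raises, and the code does not settle it.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_POLICY = "2.5.29.32.0"              # anyPolicy, as quoted in clause 4
CUTOFF = datetime(2023, 9, 1)           # notBefore must be strictly before this date
# The two RFC 5280 deviations clause 3 tolerates (labels are an assumption of this example).
TOLERATED_DEVIATIONS = {"nameConstraints-not-critical", "UserNotice-explicitText-encoding"}

@dataclass
class CaCertSummary:
    """Constructed summary of the CA Certificate fields the definition depends on;
    it stands in for a parsed X.509 object and is an assumption of this example."""
    not_before: datetime
    publicly_trusted: bool
    issued_end_entity_smime: bool       # clause 1, read verbatim: the CA itself issued EE S/MIME certs
    eku: Optional[list]                 # None = no EKU extension at all (allowed by clause 2)
    policy_oids: set
    rfc5280_deviations: set = field(default_factory=set)

def classify_extant_ca(cert, reserved_policy_oids):
    """Return (is_extant, reasons). reserved_policy_oids are the Section 7.1.6.1 OIDs,
    which the message does not list, so the caller supplies them."""
    reasons = []
    if not cert.publicly_trusted or cert.not_before >= CUTOFF:
        reasons.append("clause 1: not Publicly-Trusted or notBefore is not before 2023-09-01")
    if not cert.issued_end_entity_smime:
        reasons.append("clause 1: has not issued end entity S/MIME Certificates (verbatim reading)")
    if cert.eku is not None and not ({ANY_EKU, ID_KP_EMAIL_PROTECTION} & set(cert.eku)):
        reasons.append("clause 2: EKU present without anyExtendedKeyUsage or id-kp-emailProtection")
    untolerated = cert.rfc5280_deviations - TOLERATED_DEVIATIONS
    if untolerated:
        reasons.append("clause 3: RFC 5280 deviations beyond the two tolerated: " + ", ".join(sorted(untolerated)))
    if ANY_POLICY not in cert.policy_oids and (not cert.policy_oids or cert.policy_oids & reserved_policy_oids):
        reasons.append("clause 4: certificatePolicies is neither anyPolicy nor OIDs outside Section 7.1.6.1")
    return (not reasons, reasons)

# Constructed samples mirroring the hierarchy in the question (OIDs are placeholders).
RESERVED = {"PLACEHOLDER-7.1.6.1-OID"}
LEVEL3_CA = CaCertSummary(datetime(2020, 5, 1), True, True, None, {"1.2.3.4"}, {"nameConstraints-not-critical"})
LEVEL2_CA = CaCertSummary(datetime(2020, 5, 1), True, False, None, {"1.2.3.4"})
```

Under the verbatim reading, `LEVEL3_CA` qualifies (its non-critical `nameConstraints` is a tolerated deviation) while `LEVEL2_CA` fails only on the "has issued end entity S/MIME Certificates" part of clause 1.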