SMIME Baseline Requirements #258
Comments
The S/MIME requirements are now final, with an effective date (implementation date) of September 1, 2023. Proposed changes to the MRSP need to be drafted.
Section 2.3 of MRSP - https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#23-baseline-requirements-conformance - should be modified to state that CAs must comply with the SMIME BRs - https://cabforum.org/smime-br/ (as of September 1, 2023), and section 3.1.2.1 (WebTrust) would need to be modified when the WebTrust S/MIME principles and criteria are published (April 2023), requiring that CAs provide audits of compliance beginning September 1, 2024. ETSI ESI is going to add a work item for creating an SMIME-BR-specific set of audit criteria.
In addition to adding the audit requirement for SMBR, it would benefit adoption of improved algorithms to allow for Curve25519 and Curve448 EdDSA keys and signatures in Mozilla Policy (likely in a subsection of 5.1). I'd be happy to draft concrete policy language to that effect.
@CBonnell - I'm curious who is pushing for support for these curves? What benefits do they bring?
EdDSA was discussed on the SMIME working group list in 2021: https://lists.cabforum.org/pipermail/smcwg-public/2021-June/000137.html. Several certificate issuers expressed support for the issuance of EdDSA key certificates. As Dimitris's email points out, the adoption of EdDSA by mail receivers is best practice as indicated in RFC 8551. However, with the current language in Mozilla Policy, it is a violation to issue SMIME certificates which chain to Mozilla-trusted roots that contain EdDSA keys.
@CBonnell could you propose some language for us to look at?
Here's an initial draft that aligns Mozilla policy with the language in the SMIME BRs: https://github.com/CBonnell/pkipolicy/commit/2fc3524aa8fcb2491da7eea95d73d59d6f57e472. The hex encodings of the AlgorithmIdentifiers were generated using this script (the same script used to generate these encodings for the SMBRs): https://github.com/cabforum/smime/blob/main/src/rfc8410_oids.py. @mozkeeler @BenWilson-Mozilla please let me know what you think of the proposed language and how I can improve it, if needed.
Ben, you mentioned potentially putting in an effective date of September 1, 2023 (just like the SMCBRs) and expecting audits to be completed as of September 1, 2024. I'm wondering if that covers CAs that potentially have an audit period of (for example) August 1, 2023 until July 31st, 2024. They should be WebTrust for S/MIME audited for the Sept 1, 2023 until June 31, 2024 period; however, their audit reports may not be ready before September 1, 2024. Now for a normal audit, one would expect the reports to be in no later than October 31, 2024. Would stating September 1, 2024 in the Mozilla policy still allow for this 90-day grace period, or should December 1, 2024 instead be stated for having audit reports submitted into CCADB?
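The comment above refers to hex encodings of the RFC 8410 AlgorithmIdentifiers without showing them. The following is an added example, written for this page and not the cabforum `rfc8410_oids.py` script or any code from the thread: it DER-encodes the AlgorithmIdentifier for each RFC 8410 OID (X25519 1.3.101.110, X448 1.3.101.111, Ed25519 1.3.101.112, Ed448 1.3.101.113) and then checks a SubjectPublicKeyInfo byte-for-byte against those encodings, which is the kind of check a linter enforcing such policy language would perform. The function and constant names (`encode_oid`, `algorithm_identifier`, `classify_spki`, `build_spki`, `RFC8410_OIDS`) are my own, and the 32-byte key in `SAMPLE_KEY` is constructed filler, not a real public key.

```python
"""Added example: DER AlgorithmIdentifier encodings for RFC 8410 OIDs and an
SPKI checker. Not the cabforum script and not code from the issue thread."""
from typing import Dict, Tuple

# Arcs are from RFC 8410 section 3; the dict name is an assumption of this example.
RFC8410_OIDS: Dict[str, str] = {
    "X25519": "1.3.101.110",
    "X448": "1.3.101.111",
    "Ed25519": "1.3.101.112",
    "Ed448": "1.3.101.113",
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted-decimal OID, general case
    (multi-byte base-128 arcs handled, not only the small RFC 8410 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        groups = []  # 7-bit groups, least significant first
        while True:
            groups.append(sid & 0x7F)
            sid >>= 7
            if sid == 0:
                break
        for i, g in enumerate(reversed(groups)):
            out.append(g | (0x80 if i < len(groups) - 1 else 0))  # continuation bit
    return _der_tlv(0x06, bytes(out))


def algorithm_identifier(dotted: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID }. RFC 8410 requires
    the parameters field to be absent, so the SEQUENCE holds only the OID."""
    return _der_tlv(0x30, encode_oid(dotted))


def allowed_encodings() -> Dict[str, str]:
    """Hex of each AlgorithmIdentifier, the form a policy document would list."""
    return {name: algorithm_identifier(oid).hex() for name, oid in RFC8410_OIDS.items()}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def classify_spki(spki: bytes) -> str:
    """Return the RFC 8410 name if the SubjectPublicKeyInfo's AlgorithmIdentifier
    is byte-for-byte one of the allowed encodings, else 'not-rfc8410'. An explicit
    NULL parameters field (the RSA-era habit) yields different bytes and is rejected."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, _, end_alg = _read_tlv(body, 0)
    algid = body[:end_alg].hex()
    for name, hexenc in allowed_encodings().items():
        if algid == hexenc:
            return name
    return "not-rfc8410"


def build_spki(algid: bytes, pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    return _der_tlv(0x30, algid + _der_tlv(0x03, b"\x00" + pubkey))


SAMPLE_KEY = bytes(range(32))  # constructed filler, not a real Ed25519 key
GOOD_SPKI = build_spki(algorithm_identifier("1.3.101.112"), SAMPLE_KEY)
# Same OID but with NULL parameters appended: not the RFC 8410 encoding.
BAD_SPKI = build_spki(_der_tlv(0x30, encode_oid("1.3.101.112") + b"\x05\x00"), SAMPLE_KEY)

if __name__ == "__main__":
    for name, hexenc in allowed_encodings().items():
        print(f"{name:8} {hexenc}")
    print("good:", classify_spki(GOOD_SPKI), " bad:", classify_spki(BAD_SPKI))
```

Running it prints `300506032b6570` for Ed25519 and `300506032b6571` for Ed448 (and `...656e`/`...656f` for X25519/X448); the deliberately malformed `BAD_SPKI` is reported as `not-rfc8410`, which is the practical reason to compare whole encodings rather than just the OID.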
We should consider adopting the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates, https://lists.cabforum.org/pipermail/smcwg-public/attachments/20221103/19e8a979/attachment-0001.pdf / https://github.com/cabforum/smime/blob/preSBR/SBR.md. The S/MIME BRs have been adopted by the CABF and are final after conclusion of the IPR review period on 1/1/2023.