Greetings,

Our proposal for a migration plan towards having Certification Authorities
(CAs) follow the CA/Browser Forum’s Baseline Requirements for S/MIME
Certificates (S/MIME BRs) is as follows, keeping in mind that the Effective
Date for version 1.0.0 of the S/MIME BRs is September 1, 2023, and assuming
that ETSI and WebTrust audit criteria are in place for S/MIME BR audits by
September 1, 2023.

Any root CA certificate being considered for inclusion after September 1,
2023, must be audited according to the S/MIME BRs if the email trust bit is
to be enabled, and the CA operator’s CP or CPS must state that they follow
the current version of the S/MIME BRs. Note that the CA operator’s first
S/MIME BR audit may be a Point-in-Time audit if the audit period will be
less than 60 days, and the audit statement may list non-compliances to be
resolved within the next annual audit period.

CA root certificates and subordinate CA certificates that are technically
capable of issuing S/MIME certificates that chain up (either directly or
transitively) to a root certificate that has the email (S/MIME) trust bit
enabled in Mozilla's CA Certificate Program shall be audited with a
Period-of-Time audit according to the S/MIME BRs between September 1, 2023,
and August 31, 2024, and annually thereafter. For CA operators to maintain
their current annual audit cycles, the new S/MIME BR audit should be
provided along with the other audits that the CA operator provides annually.

- The audit period start date for the first S/MIME BR audit will be
  September 1, 2023, or earlier.

  - At the CA operator’s option, the first S/MIME BR audit may cover the
    entire audit period.

  - The initial audit period start date for the first S/MIME BR audit
    cannot be before the effective date of a CA operator’s CP or CPS that
    confirms the CA operator’s compliance with the current version of the
    S/MIME BRs.

- If the CA operator’s existing regular audit period for other audit types
  ends after October 30, 2023, then we will expect to receive an S/MIME BR
  audit that covers September 1, 2023, through the end of that audit period
  (i.e. a Period-of-Time audit).

  - If the CA operator’s first S/MIME BR audit period would be less than
    60 days (e.g. audit period being September 1, 2023, to October 30, 2023),
    then a Point-in-Time audit may be performed.

- The first S/MIME BR audit for each CA root certificate and subordinate
  CA certificate may include a reasonable list of non-compliances that the CA
  operator (or subordinate CA operator) is not yet in compliance with.

  - Only one Incident Bug needs to be filed containing the list of the
    non-compliances in a CA operator’s first S/MIME BR audit.

- Submission of the second S/MIME BR audit report is expected to confirm
  that the issues that were listed in the first S/MIME BR audit report have
  been resolved.

We look forward to your constructive feedback on the proposed transition
timeline.

Regards,

Ben and Kathleen
