I have posted this on our Mozilla CA wiki page for additional guidance during this S/MIME BRs transition - https://wiki.mozilla.org/CA/Transition_SMIME_BRs#Audit_Migration_Plan.

Ben

On Tue, Jun 20, 2023 at 6:21 PM Stephen Davidson via Smcwg-public <smcwg-public@cabforum.org> wrote:

> FYI, for thoroughness: MDSP announcement re S/MIME BR.
>
> Regards, Stephen
>
> *From:* dev-security-pol...@mozilla.org <dev-security-pol...@mozilla.org> *On Behalf Of* Ben Wilson
> *Sent:* Friday, June 16, 2023 1:37 PM
> *To:* dev-secur...@mozilla.org <dev-security-pol...@mozilla.org>
> *Subject:* MRSP 2.9: S/MIME BRs Transition Timeline
>
> Greetings,
>
> Our proposal for a migration plan towards having Certification Authorities (CAs) follow the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates (S/MIME BRs) is as follows, keeping in mind that the Effective Date for version 1.0.0 of the S/MIME BRs is September 1, 2023, and assuming that ETSI and WebTrust audit criteria are in place for S/MIME BR audits by September 1, 2023.
>
> Any root CA certificate being considered for inclusion after September 1, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs. Note that the CA operator’s first S/MIME BR audit may be a Point-in-Time audit if the audit period will be less than 60 days, and the audit statement may list non-compliances to be resolved within the next annual audit period.
>
> CA root certificates and subordinate CA certificates that are technically capable of issuing S/MIME certificates that chain up (either directly or transitively) to a root certificate that has the email (S/MIME) trust bit enabled in Mozilla's CA Certificate Program shall be audited with a Period-of-Time audit according to the S/MIME BRs between September 1, 2023, and August 31, 2024, and annually thereafter. For CA operators to maintain their current annual audit cycles, the new S/MIME BR audit should be provided along with the other audits that the CA operator provides annually.
>
> - The audit period start date for the first S/MIME BR audit will be September 1, 2023, or earlier.
> - At the CA operator’s option, the first S/MIME BR audit may cover the entire audit period.
> - The initial audit period start date for the first S/MIME BR audit cannot be before the effective date of a CA operator’s CP or CPS that confirms the CA operator’s compliance with the current version of the S/MIME BRs.
> - If the CA operator’s existing regular audit period for other audit types ends after October 30, 2023, then we will expect to receive an S/MIME BR audit that covers September 1, 2023, through the end of that audit period (i.e. a Period-of-Time audit).
> - If the CA operator’s first S/MIME BR audit period would be less than 60 days (e.g. audit period being September 1, 2023, to October 30, 2023), then a Point-in-Time audit may be performed.
> - The first S/MIME BR audit for each CA root certificate and subordinate CA certificate may include a reasonable list of non-compliances that the CA operator (or subordinate CA operator) is not yet in compliance with.
> - Only one Incident Bug needs to be filed containing the list of the non-compliances in a CA operator’s first S/MIME BR audit.
> - Submission of the second S/MIME BR audit report is expected to confirm that the issues that were listed in the first S/MIME BR audit report have been resolved.
>
> We look forward to your constructive feedback on the proposed transition timeline.
>
> Regards,
>
> Ben and Kathleen
>
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabGSZqHeAF1BkaepgYXh73-c12%3DrxfChiUfPcC10TaH0Q%40mail.gmail.com
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public