CA/Transition SMIME BRs: Difference between revisions

CA/Transition SMIME BRs (view source)

Revision as of 20:58, 8 August 2023

239 bytes removed , 8 August 2023

→‎Audit Migration Plan: Restructuring and fixing date consistency

Bwilson

Confirmed users

576

edits

@@ Line 1: / Line 1: @@
 The CA/Browser Forum "Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") introduces several new requirements for CAs capable of issuing working email certificates.  The purpose of this page is to provide guidance for CAs transitioning toward compliance with the S/MIME Baseline Requirements.
+{{draft}}
 == Audit Migration Plan ==
-Effective September 1, 2023, Certification Authorities (CAs) must follow the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates (S/MIME BRs).  WebTrust audit criteria are already in place for the S/MIME BRs. We assume that ETSI audit criteria will be in place for S/MIME BR audits by such date.
+Effective September 1, 2023, Certification Authorities (CAs) must follow the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates ([https://cabforum.org/smime-br/ S/MIME BRs]).  WebTrust audit criteria are already in place for the S/MIME BRs. We assume that ETSI audit criteria (ETSI TS 119 411-6) will be in place for S/MIME BR audits by such date.
-Any root CA certificate being considered for inclusion after September 1, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs. Note that the CA operator’s first S/MIME BR audit may be a Point-in-Time audit if the audit period will be less than 60 days, and the audit statement may list non-compliances to be resolved within the next annual audit period.
+CA root certificates and subordinate CA certificates that are technically capable of issuing S/MIME certificates that chain up (either directly or transitively) to a root certificate that has the email (S/MIME) trust bit enabled in Mozilla's CA Certificate Program shall be audited with Period-of-Time audits according to the S/MIME BRs between October 30, 2023, and October 29, 2024, and annually thereafter.
-CA root certificates and subordinate CA certificates that are technically capable of issuing S/MIME certificates that chain up (either directly or transitively) to a root certificate that has the email (S/MIME) trust bit enabled in Mozilla's CA Certificate Program shall be audited with a Period-of-Time audit according to the S/MIME BRs between September 1, 2023, and August 31, 2024, and annually thereafter. For CA operators to maintain their current annual audit cycles, the new S/MIME BR audit should be provided along with the other audits that the CA operator provides annually.
+For CA operators to maintain their current annual audit cycles, new S/MIME BR audits should be provided when they provide their other annual audits.
+Any root CA certificate being considered for inclusion after October 30, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs.
+In most cases, the audit period start date for the first S/MIME BR audit will be September 1, 2023.
+* The initial audit period start date for the first S/MIME BR audit cannot be before the effective date of a CA operator’s CP or CPS that confirms the CA operator’s compliance with the current version of the S/MIME BRs.
+* The first S/MIME BR audit report should include September 1, 2023, until the regularly-scheduled end of the CA's audit period.
+** If the CA operator’s existing regular audit period for other audit types ends after October 30, 2023, then we will expect to receive an S/MIME BR audit that covers September 1, 2023, through the end of that audit period (i.e. a Period-of-Time audit).
-* The audit period start date for the first S/MIME BR audit will be September 1, 2023, or earlier.
-** At the CA operator’s option, the first S/MIME BR audit may cover the entire audit period.
-** The initial audit period start date for the first S/MIME BR audit cannot be before the effective date of a CA operator’s CP or CPS that confirms the CA operator’s compliance with the current version of the S/MIME BRs.
-* If the CA operator’s existing regular audit period for other audit types ends after October 30, 2023, then we will expect to receive an S/MIME BR audit that covers September 1, 2023, through the end of that audit period (i.e. a Period-of-Time audit).
-** If the CA operator’s first S/MIME BR audit period would be less than 60 days (e.g. audit period being September 1, 2023, to October 30, 2023), then a Point-in-Time audit may be performed.
 * The first S/MIME BR audit for each CA root certificate and subordinate CA certificate may include a reasonable list of non-compliances that the CA operator (or subordinate CA operator) is not yet in compliance with.
+** Major non-compliances should be reported in Bugzilla and corrected as soon as possible
 ** Only one Incident Bug needs to be filed containing the list of the non-compliances in a CA operator’s first S/MIME BR audit.
-* Submission of the second S/MIME BR audit report is expected to confirm that the issues that were listed in the first S/MIME BR audit report have been resolved.
+* Submission of a CA's S/MIME BR audit report during the second year is expected to confirm that the issues that were listed in the first S/MIME BR audit report have been resolved.
 == Re-Issuance of Existing Intermediate CA Certificates for S/MIME ==