CA/Transition SMIME BRs

From MozillaWiki
Revision as of 20:52, 18 July 2023 by Bwilson (talk | contribs) (Added S/MIME BR Transition Page)

The CA/Browser Forum "Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates" ("S/MIME Baseline Requirements") introduces several new requirements for CAs capable of issuing working email certificates. The purpose of this page is to provide guidance for CAs transitioning toward compliance with the S/MIME Baseline Requirements.

Re-Issuance of Existing Intermediate CA Certificates for S/MIME

Section 3.1.3 of Mozilla Root Store Policy requires that all CA keys have the appropriate cradle-to-grave key protection audit reports. However, many existing Intermediate Certificates in the S/MIME ecosystem today were created prior to the establishment of this requirement. In order to facilitate the transition of email certificate-issuing Intermediate CAs to the profile specified in the S/MIME Baseline Requirements, the re-issuance of an existing Intermediate CA Certificate that fulfills all the following requirements (even in the absence of audit reports from key creation) is permitted:

  1. The original Intermediate Certificate directly or transitively chains to a Root Certificate with the email trust bit enabled in the Mozilla Root Program;
  2. The original Intermediate Certificate has been audited in accordance with section 3.1.3 and has appeared on the CA Operator's latest audit report;
  3. The original Intermediate Certificate includes no Extended Key Usage extension, contains anyExtendedKeyUsage in the Extended Key Usage extension, or contains id-kp-emailProtection in the Extended Key Usage extension; and
  4. The original Intermediate Certificate complies with the profile defined in RFC 5280. The following two deviations from the RFC 5280 profile are acceptable: (a) The original Intermediate Certificate contains a Name Constraints extension that is not marked critical; and/or (b) The original Intermediate Certificate contains a policy qualifier of type UserNotice which contains explicitText that uses an encoding that is not permitted by RFC 5280 (i.e., the DisplayText is encoded using BMPString or VisibleString).

If any of the above requirements are not satisfied by the original Intermediate Certificate, then the CA Organization SHALL NOT re-issue the Intermediate Certificate.

If all of the above requirements are met, then the Intermediate Certificate MAY be re-issued, subject to the following requirements:

  1. The original and re-issued Intermediate Certificate contain the same Subject Distinguished Name and certify the same key;
  2. The notAfter field value of the re-issued Intermediate Certificate is less than or equal to the value of the notAfter field of the original Intermediate Certificate;
  3. The re-issued Intermediate Certificate contains at least one of the following policy identifier types in the Certificate Policies extension: (a) anyPolicy; and/or (b) one or more of the CA/Browser Forum policy OIDs as defined in section 7.1.6.1 of the S/MIME Baseline Requirements. (Additional policy identifiers MAY be present.); and
  4. The re-issued Intermediate Certificate complies with the profile for S/MIME Intermediate Certificates as defined in section 7 of the S/MIME Baseline Requirements.

If any of the above requirements are not satisfied by the profile of the re-issued Intermediate Certificate, then the CA Organization SHALL NOT re-issue the Intermediate Certificate.
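The two checklists above can be partly mechanised. The following Python script is an added example and is not part of this wiki page or of any Mozilla or CA/Browser Forum tooling. It uses the `cryptography` library, constructs its own sample intermediate certificates (self-contained, signed with a throwaway P-256 key), and encodes only the criteria that are visible in a certificate: criterion 3 of the first list (EKU absent, anyExtendedKeyUsage, or id-kp-emailProtection) and criteria 1 to 3 of the second list (same Subject DN and key, notAfter not extended, and a Certificate Policies extension carrying anyPolicy or an OID under the CA/Browser Forum S/MIME policy arc 2.23.140.1.5, which is defined in section 7.1.6.1 of the S/MIME Baseline Requirements rather than on this page). Chaining to a root with the email trust bit, audit coverage, and full RFC 5280 / section 7 profile conformance are not decided by code and must still be established by the CA's compliance review.

```python
"""Checks for the S/MIME intermediate re-issuance criteria listed on this page.

Added example; assumes the `cryptography` library. All certificates below are
constructed inline for demonstration and are not real CA material.
"""
from datetime import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# anyPolicy (RFC 5280 4.2.1.4) and the CA/Browser Forum S/MIME policy arc
# (S/MIME BRs section 7.1.6.1; only the arc prefix is checked here).
ANY_POLICY = x509.ObjectIdentifier("2.5.29.32.0")
CABF_SMIME_POLICY_ARC = "2.23.140.1.5."
ANY_EKU = ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE
EMAIL_EKU = ExtendedKeyUsageOID.EMAIL_PROTECTION


def _ext(cert, ext_class):
    """Return the extension of the given class, or None when absent."""
    try:
        return cert.extensions.get_extension_for_class(ext_class)
    except x509.ExtensionNotFound:
        return None


def _spki_der(cert):
    """DER SubjectPublicKeyInfo, used to test that both certs certify the same key."""
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def original_eku_permits_reissue(cert):
    """Criterion 3 of the first list: no EKU, anyExtendedKeyUsage, or emailProtection."""
    eku = _ext(cert, x509.ExtendedKeyUsage)
    if eku is None:
        return True
    return ANY_EKU in eku.value or EMAIL_EKU in eku.value


def reissue_problems(original, reissued):
    """Criteria 1-3 of the second list; returns the violated ones (empty list = pass)."""
    problems = []
    if original.subject != reissued.subject:
        problems.append("subject DN differs")
    if _spki_der(original) != _spki_der(reissued):
        problems.append("public key differs")
    if reissued.not_valid_after > original.not_valid_after:
        problems.append("notAfter later than original")
    policies = _ext(reissued, x509.CertificatePolicies)
    oids = [p.policy_identifier for p in policies.value] if policies else []
    if not any(o == ANY_POLICY or o.dotted_string.startswith(CABF_SMIME_POLICY_ARC)
               for o in oids):
        problems.append("no anyPolicy or CA/Browser Forum S/MIME policy OID")
    return problems


# ---- constructed sample certificates (not real CA material) ----

def _build(subject_cn, key, issuer_key, not_after, extensions):
    """Build a minimal CA certificate for the sample scenarios."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime(2020, 1, 1))
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    )
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(issuer_key, hashes.SHA256())


ROOT_KEY = ec.generate_private_key(ec.SECP256R1())
ICA_KEY = ec.generate_private_key(ec.SECP256R1())
OTHER_KEY = ec.generate_private_key(ec.SECP256R1())

# Original: emailProtection EKU plus a non-critical Name Constraints extension,
# which is deviation (a) that the page explicitly tolerates.
ORIGINAL = _build("Example Email CA", ICA_KEY, ROOT_KEY, datetime(2030, 1, 1), [
    (x509.ExtendedKeyUsage([EMAIL_EKU]), False),
    (x509.NameConstraints([x509.RFC822Name("example.com")], None), False),
])

# A TLS-only intermediate fails criterion 3 and may not be re-issued under this page.
ORIGINAL_TLS_ONLY = _build("Example TLS CA", ICA_KEY, ROOT_KEY, datetime(2030, 1, 1), [
    (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), False),
])

# Compliant re-issuance: same name and key, shorter life, CABF S/MIME policy OID
# (2.23.140.1.5.1.3 is a constructed sample value under the arc).
REISSUED_OK = _build("Example Email CA", ICA_KEY, ROOT_KEY, datetime(2029, 1, 1), [
    (x509.ExtendedKeyUsage([EMAIL_EKU]), False),
    (x509.CertificatePolicies(
        [x509.PolicyInformation(x509.ObjectIdentifier("2.23.140.1.5.1.3"), None)]), False),
])

# Non-compliant re-issuance: new key, extended notAfter, no policy identifiers.
REISSUED_BAD = _build("Example Email CA", OTHER_KEY, ROOT_KEY, datetime(2031, 1, 1), [
    (x509.ExtendedKeyUsage([EMAIL_EKU]), False),
])

if __name__ == "__main__":
    print("original eligible (EKU):", original_eku_permits_reissue(ORIGINAL))
    print("TLS-only eligible (EKU):", original_eku_permits_reissue(ORIGINAL_TLS_ONLY))
    print("compliant re-issue problems:", reissue_problems(ORIGINAL, REISSUED_OK))
    print("bad re-issue problems:", reissue_problems(ORIGINAL, REISSUED_BAD))
```

The script deliberately returns every violated criterion rather than stopping at the first, so a CA reviewing a candidate re-issued profile sees the full list; an empty list means only that the machine-checkable criteria pass, not that the certificate is compliant with section 7 of the S/MIME Baseline Requirements.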