S/MIME by Root Program


Stephen Davidson

Mar 25, 2026, 7:03:16 PM
to smcwg-...@groups.cabforum.org

On the SMCWG call today, there was discussion of whether the S/MIME BR should reflect the strictest setting of the underlying root programs.
To aid that discussion I have created some analysis drawing from CCADB as of today to lay out the public-trust S/MIME ecosystem. It includes:

- Summary showing intersection roots by program (Apple, Gmail, Microsoft, Mozilla) including the count of associated subordinate CAs

- Detail of the same roots by program including the count of associated subordinate CAs

- Accounting of the intermediates

Best, Stephen


SRD_CCADB_SMIME_Root_Store_Analysis.pdf
SRD_CCADB_SMIME_Root_Store_Venn.pdf

大野 文彰

Mar 26, 2026, 1:41:40 AM
to smcwg-...@groups.cabforum.org

Hi Stephen-san,


Thank you very much for preparing and sharing this analysis. I find it extremely helpful in setting the context for the discussion.

While reviewing the SECOM Root CAs listed, I noticed that the list includes Root CAs for which the S/MIME trust bit was disabled by Microsoft on September 15, 2025, at our request.
These trust bits were disabled because we have never operated S/MIME Subordinate CAs under these Root CAs, nor do we have any plans to construct S/MIME Subordinate CAs under them in the future.

Based on this, it seems possible that similar situations may already be occurring with Root CAs from other organizations as well.

For reference, the relevant SECOM Root CAs are as follows:


Best regards,


ONO Fumiaki / 大野 文彰

(Japanese name order: family name first, in uppercase)

SECOM Trust Systems CO., LTD.


Stephen Davidson

Mar 26, 2026, 11:31:56 AM
to smcwg-...@groups.cabforum.org

Hello Fumiaki-san!


Thank you for this. The CA list was taken from CCADB via the public report at https://ccadb.my.salesforce-sites.com/ccadb/AllIncludedRootCertsCSV


Best regards, Stephen

大野 文彰

Apr 4, 2026, 1:02:00 AM
to smcwg-...@groups.cabforum.org

Hi Stephen-san,


Thank you for the clarification, and for pointing to the CCADB public report you used.


After reviewing the CCADB CSV and comparing it with crt.sh, I noticed a few points that might be worth noting (and I may be misunderstanding something, so please take this as an observation rather than a conclusion).


While looking at crt.sh, I saw cases where the Trust Purpose is shown as “Valid,” whereas the same Trust Purpose appears as “Not Included” in the CCADB CSV.


In addition, as another case that does not appear to be captured in the CCADB CSV, I noticed that crt.sh shows some Trust Purposes as time-bound disabled (they are displayed as “Valid,” but with a specific date shown in orange), while the same certificates appear simply as “Valid” in CCADB.


These points are shared as a supplemental observation about how the underlying data may be presented, and are not intended to detract from the usefulness of your analysis. For a very detailed investigation into S/MIME trust coverage, it might be helpful to keep this possibility in mind and, if needed, cross-check with the trust information published by each root program.
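The two analyses discussed in this thread, Stephen's per-program intersection of S/MIME-trusted roots and Fumiaki-san's cross-check of the CCADB CSV against a second source, as an added example that is not part of the thread or of CCADB's own tooling. The column names, status strings and rows are constructed for illustration and do not reproduce the real AllIncludedRootCertsCSV layout.

```python
# Added example (not from the thread): per-program S/MIME trust sets, their
# intersection, and disagreements between a CCADB-style CSV and a second source.
# Column names, status strings and rows below are constructed, not the real report.
import csv
import io

PROGRAMS = ("Apple", "Gmail", "Microsoft", "Mozilla")

# Constructed sample rows in a simplified CCADB-like layout (hypothetical columns).
CCADB_CSV = """\
CA Owner,Certificate Name,SHA-256 Fingerprint,Apple S/MIME,Gmail S/MIME,Microsoft S/MIME,Mozilla S/MIME
Example CA A,Example Root A,AAAA,Included,Included,Included,Included
Example CA B,Example Root B,BBBB,Included,Not Included,Disabled,Included
Example CA C,Example Root C,CCCC,Included,Included,Included,Not Included
"""

# Constructed second source (e.g. a root program's own published list):
# fingerprint -> program -> status, used to surface disagreements with the CSV.
SECOND_SOURCE = {
    "AAAA": {"Microsoft": "Included"},
    "BBBB": {"Gmail": "Included"},        # CSV says "Not Included" for this root
    "CCCC": {"Mozilla": "Not Included"},
}

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def smime_roots_by_program(rows):
    """Program -> set of fingerprints whose S/MIME status is exactly 'Included'.
    'Disabled' or 'Not Included' roots are left out, so a root an owner never
    uses for S/MIME does not inflate the per-program count."""
    out = {p: set() for p in PROGRAMS}
    for row in rows:
        for prog in PROGRAMS:
            if row[f"{prog} S/MIME"].strip() == "Included":
                out[prog].add(row["SHA-256 Fingerprint"])
    return out

def intersection_roots(by_program):
    """Roots trusted for S/MIME by every program in PROGRAMS."""
    return set.intersection(*(by_program[p] for p in PROGRAMS))

def disagreements(rows, other):
    """(fingerprint, program, csv_status, other_status) wherever the sources differ."""
    diffs = []
    for row in rows:
        fp = row["SHA-256 Fingerprint"]
        for prog, status in other.get(fp, {}).items():
            csv_status = row[f"{prog} S/MIME"].strip()
            if csv_status != status:
                diffs.append((fp, prog, csv_status, status))
    return diffs
```

Any tuple returned by `disagreements` is a root whose trust status should be confirmed against the root program's own published data before it is counted.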
