[Discussion] Ballot SMC017: Increase Minimum RSA CA Key Size

554 views
Skip to first unread message

Stephen Davidson

unread,
Apr 29, 2026, 1:15:28 PMApr 29
to smcwg-...@groups.cabforum.org

Ballot SMC017: Increase Minimum RSA CA Key Size

 

Summary: 

 

This ballot increases the minimum RSA key size for Root and Subordinate CA certificates in the S/MIME BRs from 2048 to 4096 bits for keys created on or after September 15, 2026, while retaining the 2048-bit minimum for Subscriber certificates.

 

The ballot further requires that by September 15, 2027, CAs SHALL NOT issue certificates from any Sub-CA whose RSA key modulus is less than 4096 bits, effectively sunsetting issuance from legacy 2048-bit Sub-CAs.

 

This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ben Wilson (Mozilla) and Roman Fischer (SwissSign).

 

— Motion Begins —

 

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”), based on Version 1.0.13.

 

MODIFY the Baseline Requirements as specified in the following Redline:

 

https://github.com/cabforum/smime/compare/21bda9e4a5f04f373dbd359b4e2213a3f4910c76...a6d582ab7da98ac1ca7fd92f35f321aa9f70df37

 

— Motion Ends —

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (at least 7 days)

 

* Start time: April 29, 2026 at 18:30:00 UTC

 

* End time: May 6, 2026 at 18:30:00 UTC

 

 

Stephen Davidson

unread,
May 6, 2026, 4:15:53 PM (12 days ago) May 6
to smcwg-...@groups.cabforum.org

Voting for Approval

 

* Start time: May 6, 2026 at 21:30:00 UTC

 

* End time: May 13, 2026 at 21:30:00 UTC

 

Stefan Selbitschka

unread,
May 7, 2026, 3:27:13 AM (12 days ago) May 7
to smcwg-...@groups.cabforum.org
rundQuadrat votes 'YES' on SMC017

regards
stefan

On 5/6/26 22:15, 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) wrote:
> *Ballot SMC017: Increase Minimum RSA CA Key Size*
>
> **
>
> *Summary: *
>
> **
>
> This ballot increases the minimum RSA key size for Root and Subordinate CA certificates in the S/
> MIME BRs from 2048 to 4096 bits for keys created on or after September 15, 2026, while retaining the
> 2048-bit minimum for Subscriber certificates.
>
> The ballot further requires that by September 15, 2027, CAs SHALL NOT issue certificates from any
> Sub-CA whose RSA key modulus is less than 4096 bits, effectively sunsetting issuance from legacy
> 2048-bit Sub-CAs.
>
> This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ben Wilson (Mozilla) and
> Roman Fischer (SwissSign).
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted
> S/MIME Certificates” (“S/MIME Baseline Requirements”), based on Version 1.0.13.
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
> https://github.com/cabforum/smime/
> compare/21bda9e4a5f04f373dbd359b4e2213a3f4910c76...a6d582ab7da98ac1ca7fd92f35f321aa9f70df37<https://
> url.avanan.click/v2/r01/___https:/github.com/cabforum/smime/
> compare/21bda9e4a5f04f373dbd359b4e2213a3f4910c76...a6d582ab7da98ac1ca7fd92f35f321aa9f70df37___.YXAzOmRpZ2ljZXJ0OmE6bzo5ZDNmNTkwMWU3M2UyNWE5Y2Q3NDIxZjUyODc3NmMyMjo3OjYyZGI6Y2VhMzVjZDc0ZGU1YTIxYjRjNWUyMzRmMzYwNjg4ZjU3ZTBiYjE5ZjYzNmJmMWIwNjM4MThiMTQ2ZTgwZmQ2ODpoOlQ6Rg>
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as
> follows:
>
> *Discussion (at least 7 days)*
>
> * Start time: April 29, 2026 at 18:30:00 UTC
>
> * End time: May 6, 2026 at 18:30:00 UTC
>
> *Voting for Approval *
>
> * Start time: May 6, 2026 at 21:30:00 UTC
>
> * End time: May 13, 2026 at 21:30:00 UTC
>
> --
> You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG -
> Public (CA/B Forum)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-
> public+un...@groups.cabforum.org <mailto:smcwg-public...@groups.cabforum.org>.
> To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/smcwg-public/
> BL1PR14MB5143A997B4F8434F7085F0DBE53F2%40BL1PR14MB5143.namprd14.prod.outlook.com <https://
> groups.google.com/a/groups.cabforum.org/d/msgid/smcwg-public/
> BL1PR14MB5143A997B4F8434F7085F0DBE53F2%40BL1PR14MB5143.namprd14.prod.outlook.com?
> utm_medium=email&utm_source=footer>.

Pedro FUENTES

unread,
May 7, 2026, 3:28:27 AM (12 days ago) May 7
to smcwg-...@groups.cabforum.org
OISTE votes yes to SMC017

To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/smcwg-public/a946afcb-b3f6-402e-81e3-435d0f898aef%40rundquadrat.at.


WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.

Adriano Santoni

unread,
May 7, 2026, 3:40:29 AM (12 days ago) May 7
to smcwg-...@groups.cabforum.org

Actalis votes 'yes' to SMC017.

--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Michael Guenther

unread,
May 7, 2026, 5:01:14 AM (11 days ago) May 7
to smcwg-...@groups.cabforum.org
smime.p7m

Ben Wilson

unread,
May 7, 2026, 9:18:28 AM (11 days ago) May 7
to smcwg-...@groups.cabforum.org
Mozilla votes "yes" on SMC-017.

--

Azira Zakaria

unread,
May 8, 2026, 12:19:54 AM (11 days ago) May 8
to smcwg-...@groups.cabforum.org

MSC Trustgate votes “Yes” on Ballot SMC017

 

BR,

Azira

--

Ashish Dhiman

unread,
May 8, 2026, 2:10:03 AM (11 days ago) May 8
to smcwg-...@groups.cabforum.org

GlobalSign Votes Yes to Ballot SMC017

 

Ashish

--

You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Wojciech Trapczyński

unread,
May 8, 2026, 5:24:18 AM (10 days ago) May 8
to smcwg-...@groups.cabforum.org

Certum votes Yes to Ballot SMC017.

W dniu 6.05.2026 o 22:15, 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) pisze:
--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Dimitris Zacharopoulos (HARICA)

unread,
May 8, 2026, 5:25:00 AM (10 days ago) May 8
to smcwg-...@groups.cabforum.org
Stephen, 

I'm sorry for missing the discussion for this ballot. Is there a rationale why 3072 bits are not allowed? Most international crypto standards deprecate RSA keys below 3000 bits which means 3072 should still be considered safe. Using 3072 is certainly is more performant for signing OCSP responses at scale than 4096.


Thanks,
Dimitris.
--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Henschel, Andreas

unread,
May 8, 2026, 5:36:39 AM (10 days ago) May 8
to smcwg-...@groups.cabforum.org

D-TRUST votes ‚yes‘ on Ballot SMC017

 

KR

Andreas

--

You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

蔡家宏(chtsai)

unread,
May 8, 2026, 6:49:55 AM (10 days ago) May 8
to smcwg-...@groups.cabforum.org

TWCA votes Yes on Ballot on SMC017.

 

 

Best Regards

 

蔡家宏 Chya-Hung Tsai

Director

Identification & Certificate Research
Tel: +886-2-2370-8886 ext. 722
Fax: +886-2-2388-6720
Email: cht...@twca.com.tw

10F., No. 85, Yanping South Road,

Taipei 100002, Taiwan(R.O.C.)
https://www.twca.com.tw

 

 

From: 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>

Sent: Thursday, May 7, 2026 4:16 AM
To: smcwg-...@groups.cabforum.org

--

Stephen Davidson

unread,
May 8, 2026, 9:41:03 AM (10 days ago) May 8
to smcwg-...@groups.cabforum.org

Hi Dimitris:

 

The initial proposal was 3072 but following rounds of discussion, the WG decided to boost it to 4096.

 

Regards, Stephen

--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Dimitris Zacharopoulos

unread,
May 8, 2026, 11:13:26 AM (10 days ago) May 8
to 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum)
Thanks Stephen,

I'm looking for the reasoning or the key arguments of specific representatives from the WG that pushed for 4096.

If the reasoning is vague or "just because", it can have some weight on our voting.

Thanks,

DZ.

May 8, 2026 16:41:10 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>:

Judith Spencer

unread,
May 8, 2026, 12:41:40 PM (10 days ago) May 8
to smcwg-...@groups.cabforum.org

Greeting Dimitris

I suggested 4096 in lieu of 3072 for the CA certificates during working group discussion.  Our experience has been that the larger key size for the CA certificates (currently still signing 2048 bit end user certificates) is not causing increased interoperability or performance issues, and it may provide additional protection for the CAs in the short term.  The real test will come when and if we grow the end user certificates.

Judy

 

Judith Spencer | PMA Chair | CertiPath, Inc.
1900 Reston Metro Plaza, Suite 303, Reston, VA 20190

PH +1 301 974 4227

Email Judith....@CertiPath.com

 

CertiPath: Identity Without Compromise www.certipath.com

Dimitris Zacharopoulos (HARICA)

unread,
May 8, 2026, 1:40:10 PM (10 days ago) May 8
to smcwg-...@groups.cabforum.org


On 5/8/2026 7:41 PM, 'Judith Spencer' via S/MIME Certificate WG - Public (CA/B Forum) wrote:

Greeting Dimitris

I suggested 4096 in lieu of 3072 for the CA certificates during working group discussion.  Our experience has been that the larger key size for the CA certificates (currently still signing 2048 bit end user certificates) is not causing increased interoperability or performance issues, and it may provide additional protection for the CAs in the short term.  The real test will come when and if we grow the end user certificates.

Judy


Hi Judy,

I'm not sure that approach is enough to warrant jumping to 4096 and leaving 3072 out. Issuing OCSP responses with 4096 bit RSA signatures has more performance issues than 3072.

International studies [1], [2] (scheduled for update) suggest deprecating RSA keys below 3000 bits.

Can I ask if the current SMBRs, with the proposed ballot, allow for delegated OCSP responders that can use 2048 bit RSA certificates?


Thanks,
Dimitris.

Judith Spencer

unread,
May 8, 2026, 3:27:49 PM (10 days ago) May 8
to smcwg-...@groups.cabforum.org

Stephen will have to correct me if wrong, but my understanding is this ballot affects the CAs only.  You would sign a 2048 OCSP responder certificate (at least in the near future) which would be signing the responses.  I don’t think this ballot prohibits 3072 OCSP responder certificates.    

 

Judith Spencer | PMA Chair | CertiPath, Inc.
1900 Reston Metro Plaza, Suite 303, Reston, VA 20190

PH +1 301 974 4227

Email Judith....@CertiPath.com

 

CertiPath: Identity Without Compromise www.certipath.com

 

Nome Huang

unread,
May 8, 2026, 8:44:27 PM (10 days ago) May 8
to S/MIME Certificate WG - Public (CA/B Forum), Stephen Davidson
TrustAsia votes "Yes" on SMC017.

Dustin Hollenback

unread,
May 8, 2026, 9:09:13 PM (10 days ago) May 8
to smcwg-...@groups.cabforum.org, smcwg-...@groups.cabforum.org
Apple votes “Yes” on SMC-017.

On Apr 29, 2026, at 10:15 AM, 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org> wrote:


--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

大野 文彰

unread,
May 10, 2026, 10:56:01 PM (8 days ago) May 10
to smcwg-...@groups.cabforum.org

SECOM Trust Systems votes YES on Ballot SMC017.

 

Best regards,

 

ONO Fumiaki / 大野 文彰

(Japanese name order: family name first, in uppercase)

SECOM Trust Systems CO., LTD.

 

From: 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>

Sent: Thursday, May 7, 2026 5:16 AM
To: smcwg-...@groups.cabforum.org

--

You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Ruiter, Albert de

unread,
May 11, 2026, 9:36:28 AM (7 days ago) May 11
to smcwg-...@groups.cabforum.org

Logius votes in favor for this ballot

 

 

Kind regards,

 


Albert de Ruiter

Policy Authority PKIoverheid

 

Logius

 

Dienst Digitale Samenleving

Ministerie van Binnenlandse Zaken en Koninkrijksrelaties

........................................................................

M 06-22796535

Albert...@logius.nl

www.logius.nl

 

........................................................................

Logius is continu op zoek naar nieuwe collega’s. Bekijk alle vacatures op onze website.

Samen zorgen we voor een digitale overheid die werkt voor iedereen

--

You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/smcwg-public/BL1PR14MB5143A997B4F8434F7085F0DBE53F2%40BL1PR14MB5143.namprd14.prod.outlook.com.


Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

Tim Hollebeek

unread,
May 11, 2026, 4:34:25 PM (7 days ago) May 11
to smcwg-...@groups.cabforum.org
DigiCert votes YES on SMC-017.

-Tim


From: 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum)
Sent: Wednesday, May 6, 2026 4:15 PM
To: smcwg-...@groups.cabforum.org
Subject: [Smcwg-public] [Voting for Approval] Ballot SMC017: Increase Minimum RSA CA Key Size

Dimitris Zacharopoulos (HARICA)

unread,
May 12, 2026, 3:28:41 AM (7 days ago) May 12
to smcwg-...@groups.cabforum.org
In the spirit of this ballot, perhaps this should be limited as well.

Thanks,
Dimitris.

Dimitris Zacharopoulos (HARICA)

unread,
May 12, 2026, 3:29:21 AM (7 days ago) May 12
to 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum)
HARICA votes "yes" to ballot SMC017.

Dimitris.
--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.

Martijn Katerbarg

unread,
May 12, 2026, 9:57:04 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org

Sectigo votes NO to ballot SMC-017.

While we see no issue in restricting new issuance of leaf certificates to Subordinate CAs with an RSA key size of 4096 bits, we believe the restriction to no longer issue certificates from Subordinate CAs of at least RSA 3072 bits, is not deemed justified at this point.

Furthermore, and unfortunately we did not identify this during earlier review, hence the late notice on this list, we believe the current proposed language has an unintended side-effect:

To quote Dimitris, a few days ago:


>Can I ask if the current SMBRs, with the proposed ballot, allow for delegated OCSP responders that can use 2048 bit RSA certificates?

While this ballot does not block the usage of such certificates, it does block the issuance of any new Delegated OCSP Responder Certificates from any SubCA with a key size less than RSA 4096 bits. Specifically:
“Effective September 15, 2027 the CA SHALL NOT issue Certificates from any Subordinate CA whose RSA Key modulus size, when encoded, is less than 4096 bits.”
i.e.: An RSA 3072 bit Subordinate CA would no longer be able to issue a new Delegated OCSP Responder Certificate, regardless of keysize.

Added to that, this has an (in our eyes unintended) side-effect of potentially halting the issuance of new Cross Signed Subordinate CA certificates by legacy Root CAs, if such Root CAs themselves have in the past been cross-signed, and utilize a key size smaller than RSA 4096 bits.

Once a Root CA is cross-signed, the cross-signed CA is effectively a Subordinate CA, and would need to adhere to this policy change. As such, any RSA 2048 or 3072 bit Cross Signed Root CA, would no longer be allowed to perform any cross-signing issuance (or any other type of issuance).

Regards,

Martijn

From: 'Dimitris Zacharopoulos (HARICA)' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>
Date: Tuesday, 12 May 2026 at 09:29
To: 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>
Subject: Re: [Smcwg-public] [Voting for Approval] Ballot SMC017: Increase Minimum RSA CA Key Size

This Message Is From an External Sender
This message came from outside your organization.
 

Dimitris Zacharopoulos (HARICA)

unread,
May 12, 2026, 10:22:44 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org
HARICA changes its vote to "No".

We should work on this ballot some more to ensure there are no unintended consequences.

Scott Rea

unread,
May 12, 2026, 10:25:56 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org
eMudhra votes No on Ballot SMC-017

Martijn makes some very good points. We are 100% behind the spirit of this ballot, but think some changes are needed in text to further clarify and eliminate unintended consequences. 

From: 'Martijn Katerbarg' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>
Date: Tuesday, 12 May 2026 at 7:57 AM
To: smcwg-...@groups.cabforum.org <smcwg-...@groups.cabforum.org>
Subject: Re: [Smcwg-public] [Voting for Approval] Ballot SMC017: Increase Minimum RSA CA Key Size

CAUTION: This email is originated from outside of the organization. Do not open the links or the attachments unless you recognize the sender and know the content is safe.
Disclaimer: The email and its contents hold confidential information and are intended for the person or entity to which it is addressed. If you are not the intended recipient, please note that any distribution or copying of this email is strictly prohibited as per Company Policy, you are requested to notify the sender and delete the email and associated attachments with it from your system.

Pedro FUENTES

unread,
May 12, 2026, 10:39:30 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org
OISTE also changes its vote to No.

Although we are certain that the OISTE CAs won’t be affected by the constraint by the due date, we think it’s sensible to let the ballot fail and facilitate more discussions and give more time to properly assess side effects.



Stephen Davidson

unread,
May 12, 2026, 10:59:18 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org

Thanks Martijn.

 

As there have been several concerns raised, as the sponsor, we WITHDRAW ballot SMC017 and will address it in our May 20 meeting.

 

For those who have questions regarding  the existing text, please ensure that you are able to join the meeting.

 

In particular, we’d welcome suggestions for amendments to the text so that the WG can discuss concrete proposals.

 

Best, Stephen

Martijn Katerbarg

unread,
May 12, 2026, 11:02:38 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org
Thank you Stephen. I’m reserving some time tomorrow to work on a proposal with the original intended outcome.

Inigo Barreira

unread,
May 12, 2026, 11:12:30 AM (6 days ago) May 12
to smcwg-...@groups.cabforum.org

I think the first part of the proposal is ok for new CAs created after sept this year (even can be reduced to 3072). That will comply with the RSA <3000 bits issue.

The second part will need some additional work, but maybe allowing the above (3072) will have less impact and still compliant with the RSA <3000 issue.

 

 

De: 'Martijn Katerbarg' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-...@groups.cabforum.org>
Enviado el: martes, 12 de mayo de 2026 17:02
Para: smcwg-...@groups.cabforum.org
Asunto: Re: [Smcwg-public] [Voting for Approval] Ballot SMC017: Increase Minimum RSA CA Key Size

 

Thank you Stephen. I’m reserving some time tomorrow to work on a proposal with the original intended outcome. From: 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum) <smcwg-public@groups.cabforum.org> Date: Tuesday, 12

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender

This message came from outside your organization.

    Report Suspicious    ‌

ZjQcmQRYFpfptBannerEnd

Martijn Katerbarg

unread,
May 15, 2026, 8:56:02 AM (3 days ago) May 15
to smcwg-...@groups.cabforum.org
All,

In https://github.com/cabforum/smime/pull/304 I’ve proposed SMC017v2. This PR builds on top of the version prepared by Stephen, but adds more specificity to what a CA can and cannot issue after September 15th, 2027.

Additionally, I’ve opted to drop the limit down to 3072 bits, while keeping the 4096 bit limit for any new CA issuance. 

The reason for this is two-fold:
  • The original ballot was created based on the fact that RSA < 3000 bits, is no longer allowed to be used. Several standards already appear to forbid this now, while others target 2030. There is no mention of < 4000, however. 
  • When the S/MIME BRs came into effect, many CAs were forced to issue new SubCAs in order to move away from Extant SubCA issuance. It seems, several CAs issued SubCAs with RSA 3072 bits at that point, in line with upcoming standards changes. It seems unreasonable to force the CAs doing the right thing at that time, to now have to replace these issuing CAs again, without any clear benefits.

To the WG, please review the proposed changes in this PR, and share any feedback you may have.

Regards,

Martijn

Reply all
Reply to author
Forward
0 new messages