All,
I am editing the S/MIME Baseline Requirements transition guidance wiki page (https://wiki.mozilla.org/CA/Transition_SMIME_BRs) slightly to make it more clear that existing CA operators are to submit their S/MIME BR audit reports consistent with their existing audit cycles. Right now, the language on the wiki page says, "For CA operators to maintain their current annual audit cycles, new S/MIME BR audits should be provided when they provide their other annual audits." This seems pretty straightforward. But then it says, "Any root CA certificate being considered for inclusion after October 30, 2023, must be audited according to the S/MIME BRs if the email trust bit is to be enabled, and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs."
This latter sentence might be inferred to mean that an earlier, out-of-cycle audit would be required for new root CA certificates created by existing CAs. I am recommending that we change this to make it clear that if an existing CA operator has an email-trust-bit-enabled CA certificate in the root store, then it can submit its S/MIME BR audit (that will include new, email-enabled root CAs) when it provides its other regularly scheduled audits. For example, if a CA operator in the Mozilla root program usually submits their audits in July, and they are requesting the inclusion of a new email-enabled root CA, then that S/MIME BR audit can be submitted in July, too.
Here are my suggested revisions:
For CA operators that already have an email-trust-bit-enabled CA certificate in the root store to may maintain their current annual audit cycles and provide, the new S/MIME BR audits should be provided when they provide their other annual audit reports, even if they are in the process of requesting inclusion of one or more new, email-trust-bit-enabled root CA certificates.
For instance, if a CA operator typically provides audit reports in July 2024 and is requesting the inclusion of a new email-bit-enabled root CA, the corresponding S/MIME BR audit encompassing both existing and new email-trust-bit-enabled root CA certificates can be submitted during the annual audit submission in July 2024.
For any new CA operator requesting inclusion of a Any root CA certificate being considered for inclusion after October 30, 2023, the root CA must be audited according to the S/MIME BRs if the email trust bit is to be enabled. A , and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs.
Are there any comments or suggestions?
Thanks,
Ben