Add CABF S/MIME certificate policies #14190
Draft
+346
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
|
cc: @woodruffw If I'm reading this correctly, the only two substantive differences are CRL DP validation, and two additional key types? The biggest thing we'd need for this are test cases -- in https://github.com/c2sp/x509-limbo. |
Contributor
Author
Is that something you have to do or should I? If I can do it, is there documentation about it that would help me get started? |
Member
|
Anyone can contribute to that repo! We don't really have docs for it,
but https://github.com/C2SP/x509-limbo/tree/main/limbo/testcases if
you look in a file you'll see what it looks like to add a test case.
…On Tue, Jan 27, 2026 at 8:46 AM Taavi Eomäe ***@***.***> wrote:
TaaviE left a comment (pyca/cryptography#14190)
The biggest thing we'd need for this are test cases -- in https://github.com/c2sp/x509-limbo.
Is that something you have to do or should I? If I can do it, is there documentation about it that would help me get started?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.Message ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR intends to add the base for S/MIME certificate validation based on the CA/B Forum S/MIME BR 1.0.12.
The biggest change is likely the addition of
cRLDistributionPointsvalidation for both WebPKI and S/MIME, to the extent that is the lowest common denominator.I did not introduce ML-DSA or ML-KEM support, even though the S/MIME BR allows them. Nor did I implement S/MIME signature validation or anything CMS-related. This is intended to be the first "brick" that can be built upon.‡
I took the Server TLS policies as the base, to be as lax or strict as those are. So they generally do not differ a lot. There's also work ongoing to further align S/MIME BR with Server TLS ones, so it might be possible to simplify futher later on.
‡ - Such as strict verification based on specific S/MIME certificate profiles or the signature/signing code in #12465 or #12267