scope:

The present document specifies policy and security requirements for the issuance, maintenance and life-cycle management of S/MIME certificates as defined in the S/MIME Baseline Requirements (SBR) [1] in the context of the ETSI Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates series.

An S/MIME certificate for the purposes of the present document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of an email address (in the form of an rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox) in the subjectAltName extension.

These policy and security requirements support reference certificate policies for the issuance, maintenance and life-cycle management of S/MIME certificates issued to mailboxes (containing only an email address), natural persons (including natural persons associated with a legal person) and to legal persons, respectively.

The present document does not specify how the requirements identified can be assessed by an independent party, including requirements for information to be made available to such independent assessors, or requirements on such assessors.

NOTE 1: See ETSI EN 319 403-1 [i.1] for guidance on assessment of TSP's processes and services, expanded as relevant by ETSI TS 119 403-2 [i.2] for additional requirements for publicly-trusted certificates, and by ETSI TS 119 403-3 [i.3] for additional requirements for EU qualified TSPs.

NOTE 2: The present document integrates all the policy requirements of the CA/Browser Forum S/MIME Baseline Requirements (SBR) [1] with ETSI EN 319 411-1 [2] for the [LCP], [NCP], and/or [NCP+] certificate policies, and with ETSI EN 319 411-2 [3] for the [QCP-l], [QCP-n], [QCP-l-qscd], and/or [QCP-n-qscd] certificate policies.