Mar 22, 2024
To meet the new S/MIME Baseline Requirements effective September 1, 2023, EPKI users must have a compliant profile to issue Certificates. To that end, we have added the Organization Identifier to the profile, and control over the email domain must be verified.
If you are a current EPKI user with S/MIME Certificates, we strongly advise you to create a new profile and issue any Certificates from that new profile. It is not possible for vetting to modify a profile and add an OID. Client authentication and AATL are not affected, and no new profile is needed in those cases.
The new profiles for S/MIME must not contain any OU and must have domain control.
All Profiles without OID won’t be compliant after September 1, 2023.
The CA/B Forum's new set of standards, called Baseline Requirements, will take effect on September 1, 2023. It is a significant milestone for the security and privacy of electronic communications, as S/MIME Certificates are used to secure email communications and protect sensitive information. The new set of requirements ensures that S/MIME Certificates meet a consistent level of security and compatibility, providing a more secure environment to exchange information. This development is a positive step towards improving the overall security of the internet and safeguarding users' privacy.
Secure/Multipurpose Internet Mail Extension (S/MIME) is an industry standard for email encryption and signature that is commonly used by businesses to improve email security. S/MIME is supported by most corporate email clients.
If your Certificate contains an email address in the subject, then you have an S/MIME Certificate.
Only S/MIME users are affected; if your Certificate is only used for client authentication or for document signing (AATL), you don’t need a new Profile and you are not impacted.
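The rules above (an email address in the Certificate means S/MIME; S/MIME profiles need an Organization Identifier and no OU) can be checked against an issued certificate. This is an added example, not part of the original article: it assumes the Python `cryptography` package and an organization profile, `make_cert` and `review` are hypothetical helper names, the certificates are constructed samples, and it also reads the SAN rfc822Name entry, where S/MIME certificates carry the mailbox address.

```python
# Added example: classify a certificate against the profile rules described above.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ORG_ID = x509.ObjectIdentifier("2.5.4.97")  # organizationIdentifier attribute


def make_cert(email=None, ou=None, org_id=None):
    """Build a throwaway self-signed certificate (constructed sample input)."""
    attrs = [x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Ltd")]
    if ou:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou))
    if org_id:
        attrs.append(x509.NameAttribute(ORG_ID, org_id))
    if email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    name, key = x509.Name(attrs), ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if email:
        san = x509.SubjectAlternativeName([x509.RFC822Name(email)])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())


def review(cert):
    """Return the list of profile problems; empty when nothing needs fixing."""
    subject = cert.subject
    emails = [a.value for a in subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        emails += san.value.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        pass
    if not emails:
        return []  # client authentication / AATL only: not impacted
    problems = []
    if subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME):
        problems.append("contains OU")
    if not subject.get_attributes_for_oid(ORG_ID):
        problems.append("missing Organization Identifier")
    return problems
```

To review a real certificate, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `review`.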
Certificates issued by those profiles after September 1st won’t be compliant, and the profile will become unusable for issuance after September 1st.
Please check out this support article: How to create a new Profile in EPKI.
When you place an order, our system will ask you to choose among all your available profiles. Make sure to choose your new profile to get your S/MIME Certificate.
Validating control over the mailbox via email, i.e., Mailbox Challenge: this proves control via email challenge or response email from the user.
Validating authority over the mailbox via domain, i.e., Domain Control: this uses the existing domain control methods of the TLS Baseline Requirements, which are the current best practice.
Validating the applicant as the operator of the associated mail server(s): This is done by confirming control of the SMTP FQDN to which a delivered message to the Mailbox Address is directed.
Please take a look at the second part of this article: How to create a new Profile in EPKI.
Once the email domain is added, our vetting team will contact you to get it validated.
Email domain validation is valid for 397 days.
The Organization Identifier can be allocated by the national tax authorities (VAT), by a national or state trade register (NTR), or specified in ISO 17442 (LEI) for a legal entity named Organization Name.