Jul 20, 2023
To meet the new S/MIME Baseline Requirements effective September 1, 2023, EPKI users must have a compliant profile to issue Certificates. To do that, we have added in it the Organization Identifier, and the control over the email domain must be verified.
If you are a current EPKI user with SMIME Certificates, we strongly advise you to make a new profile and issue any Certificates from that new profile. It is not possible for vetting to modify a profile and add an OID. Client authentication and AATL are not part of it, and no new profile is needed in those cases.
The new profiles for SMIME must not contain any OU and must have domain control.
All Profiles without OID won’t be compliant after September 1, 2023.
The CA/B Forum's new set of standards, called Baseline Requirements, will take effect on September 1, 2023. It is a significant milestone for the security and privacy of electronic communications, as S/MIME Certificates are used to secure email communications and protect sensitive information. The new set of requirements ensures that S/MIME Certificates meet a consistent level of security and compatibility, providing a more secure environment to exchange information. This development is a positive step towards improving the overall security of the internet and safeguarding users' privacy.
Secure/Multipurpose Internet Mail Extension (S/MIME) is an industry standard for email encryption and signature that is commonly used by businesses to improve email security. S/MIME is supported by most corporate email clients.
If your Certificate contains an email address in the subjects, then you have an SMIME.
Only SMIME users are affected; if your Certificate is only used for client authentication or for document signing (AATL), you don’t need a new Profile and you are not impacted.
The Certificates issued by those profiles after September 1st won’t be compliant, the profile will become unusable for issuance after September 1st.
Please check out this support article: How to create a new Profile in EPKI.
When you place an order, our system will ask you to choose between all your profiles available. Make sure to choose your new profile to get your SMIME Certificate.
Validating control over the mailbox via email, i.e., Mailbox Challenge: this proves control via email challenge or response email from the user.
Validating authority over the mailbox via domain, i.e., Domain Control: This uses the current best practices of the TLS Baseline Requirements existing domain control methods.
Validating the applicant as the operator of the associated mail server(s): This is done by confirming control of the SMTP FQDN to which a delivered message to the Mailbox Address is directed.
Please take a look at the second part of this article: How to create a new Profile in EPKI.
Once the email domain is added, our vetting team will contact you to get it validated.
Email domain validity is valid for 397 days.
The Organization Identifier can be allocated by the national tax authorities (VAT), by a national or state trade register (NTR), or specified in ISO 17442 (LEI) for a legal entity named Organization Name.