A Quick look at new S/MIME Baseline Requirements via CA/B Forum

Aug 4, 2023


In July 2020, the CA/Browser Forum established the SMCWG (S/MIME Certificate Working Group) with the purpose of developing requirements for Certification Authorities that issue S/MIME Digital Certificates for signing, verifying, encrypting, and decrypting emails.

The CA/B Forum's new set of standards, called Baseline Requirements, will take effect on September 1, 2023. It is a significant milestone for the security and privacy of electronic communications, as S/MIME Certificates are used to secure email communications and protect sensitive information. The new set of requirements ensures that S/MIME Certificates meet a consistent level of security and compatibility, providing a more secure environment to exchange information. This development is a positive step towards improving the overall security of the internet and safeguarding users' privacy.

As we know, S/MIME (Secure/Multipurpose Internet Mail Extension) is a widely used protocol for sending signed and encrypted email messages. By using S/MIME signatures, the origin of the message is verified and protected against tampering, while S/MIME encryption ensures the privacy of the communication between the sender and recipient. This new set of practices will be applicable for all trusted Digital Certificates that have the EKU (Extended Key Usage) extension set as id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4).

S/MIME Baseline Requirements have now categorized the S/MIME Certificates into four different validation types defined in accordance with the information that goes in the subject field of the Certificate.

  • Mailbox-Validated: Subject is limited to (optional) subject: emailAddress and/or subject: serialNumber attributes.
  • Organization-Validated: Includes only Organizational (Legal Entity) attributes in the subject.
  • Sponsor-Validated: Subject contains the Individual (Natural Person) attributes in conjunction with the subject: organizationName.
  • Individual-Validated: Subject contains only the individual details of the user in the Certificate.

In all of these cases, mailbox control by the user is validated in accordance with the relevant set of rules defined in the baseline requirements. Furthermore, these types are segregated based on their Generations.

  • Legacy: This generation allows most currently accepted practices to remain eligible for audit under CA/B Forum guidelines, with minor changes such as the inclusion of a unique organization identifier in all types of certificates that contain organizational attributes. The maximum validity of the certificate is 1185 days. Legacy profiles will make the transition to Multipurpose and Strict much easier than moving directly from current practices.
  • Multipurpose: This generation is designed to allow use cases such as client authentication and document signing alongside secure mail. Here, the maximum validity is only 825 days. Like ‘Strict’, this generation type also focuses on stricter use of subject DN attributes.
  • Strict: The S/MIME Working Group aims toward this generation type for the longer term. It focuses only on secure mail use cases, and, unlike the Multipurpose and Legacy generations, it cannot be combined with other extensions. The goal here is stricter use of Subject DN attributes and other extensions. It also has a reduced maximum validity of 825 days.

Furthermore, the S/MIME Baseline Requirements lay down the validation methods that must be used to prove the identity of the user and their control over email addresses. These are:

  • Validating control over the mailbox via email, i.e., Mailbox Challenge: control is proven by an email challenge sent to the mailbox, or a response email from the user.
  • Validating authority over the mailbox via domain, i.e., Domain Control: this reuses the domain control validation methods already defined in the TLS Baseline Requirements, which reflect current best practice.
  • Validating the applicant as the operator of the associated mail server(s): this is done by confirming control of the SMTP FQDN to which a message delivered to the Mailbox Address is directed.

The S/MIME Baseline Requirements also define how long a completed validation remains usable. Organization and individual identity validation shall not be reused if it was performed more than 825 days prior to issuance. Similarly, validation of mail server control and domain control shall have been obtained no more than 398 days prior to issuing the Certificate.
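To make the rules above concrete, here is an added example (not code from the article or from GlobalSign) that classifies a certificate subject into the four validation types and checks the validity and validation-reuse windows the article quotes. The attribute groupings are an assumption for this example; the full attribute lists are defined by the Baseline Requirements themselves.

```python
from datetime import date

# Attribute groups are an assumption for this example, based on the article's
# description of the four validation types; the BR defines the exact lists.
MAILBOX_ATTRS = {"emailAddress", "serialNumber"}
ORG_ATTRS = {"organizationName", "organizationIdentifier", "countryName",
             "localityName", "stateOrProvinceName", "streetAddress"}
INDIVIDUAL_ATTRS = {"givenName", "surname", "pseudonym"}

ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # EKU the BR applies to

# Maximum certificate validity per generation, in days (from the article).
MAX_VALIDITY_DAYS = {"legacy": 1185, "multipurpose": 825, "strict": 825}
# Maximum age of validation data at issuance, in days (from the article).
MAX_VALIDATION_AGE_DAYS = {"identity": 825, "mailbox": 398, "domain": 398}


def validation_type(subject):
    """Classify a subject, given as a list of (attribute, value) pairs."""
    attrs = {name for name, _ in subject}
    unknown = attrs - MAILBOX_ATTRS - ORG_ATTRS - INDIVIDUAL_ATTRS
    if unknown:
        raise ValueError(f"attributes outside this model: {sorted(unknown)}")
    has_individual = bool(attrs & INDIVIDUAL_ATTRS)
    has_org = bool(attrs & ORG_ATTRS)
    if has_individual and "organizationName" in attrs:
        return "Sponsor-Validated"      # natural person plus organizationName
    if has_individual:
        if has_org:
            raise ValueError("individual attrs with org attrs but no organizationName")
        return "Individual-Validated"   # only the individual's details
    if has_org:
        return "Organization-Validated"  # only legal-entity attributes
    return "Mailbox-Validated"           # emailAddress/serialNumber only, or empty


def is_smime_eku(eku_oids):
    """True if the certificate's EKU list makes the S/MIME BR applicable."""
    return ID_KP_EMAIL_PROTECTION in eku_oids


def validity_within_cap(not_before, not_after, generation):
    """True if the certificate lifetime fits the generation's maximum validity."""
    return (not_after - not_before).days <= MAX_VALIDITY_DAYS[generation]


def validation_reusable(kind, validated_on, issued_on):
    """True if validation data of the given kind is still fresh enough to reuse."""
    return 0 <= (issued_on - validated_on).days <= MAX_VALIDATION_AGE_DAYS[kind]
```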

GMO GlobalSign, as a publicly trusted Certificate Authority, will adopt these requirements across all of its current S/MIME offerings.

All impacts and changes on our S/MIME products are explained on the following articles:

For more information and to increase the security of your email communications, visit this link:

Email Security - S/MIME and Secure Email - GlobalSign
