Aug 4, 2023
In July 2020, the CA/Browser Forum established the SMCWG (S/MIME Certificate Working Group) with the purpose of developing requirements for Certification Authorities that issue S/MIME Digital Certificates for signing, verifying, encrypting, and decrypting emails.
The CA/B Forum's new set of standards, called Baseline Requirements, will take effect on September 1, 2023. It is a significant milestone for the security and privacy of electronic communications, as S/MIME Certificates are used to secure email communications and protect sensitive information. The new set of requirements ensures that S/MIME Certificates meet a consistent level of security and compatibility, providing a more secure environment to exchange information. This development is a positive step towards improving the overall security of the internet and safeguarding users' privacy.
As we know, S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely used protocol for sending signed and encrypted email messages. An S/MIME signature verifies the origin of a message and protects it against tampering, while S/MIME encryption ensures the privacy of the communication between the sender and recipient. This new set of practices applies to all trusted Digital Certificates that have the EKU (Extended Key Usage) extension set to id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4).
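To see which certificates in an inventory meet the EKU criterion described above, the following added example (not GlobalSign or CA/B Forum code) walks a DER structure with a small standard-library parser and reports whether the EKU extension lists id-kp-emailProtection. The function names and the two sample byte strings are assumptions constructed for illustration, and the check covers only the EKU criterion stated in this article.

```python
EKU_EXT = bytes.fromhex("551d25")        # DER body of 2.5.29.37 (id-ce-extKeyUsage)
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection, as cited in the article

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each element inside a constructed element's content."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                    # base-128 digits, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)        # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def find_eku(der):
    """Return the EKU purpose OIDs found in a DER structure, or None if no EKU extension."""
    for tag, val in children(der):
        kids = list(children(val)) if tag & 0x20 else []   # only constructed elements nest
        if tag == 0x30 and kids and kids[0] == (0x06, EKU_EXT) and kids[-1][0] == 0x04:
            _, purposes, _ = read_tlv(kids[-1][1], 0)      # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for t, v in children(purposes) if t == 0x06]
        found = find_eku(val) if kids else None
        if found is not None:
            return found
    return None

def in_smime_br_scope(der):
    """Article's criterion: the EKU extension includes id-kp-emailProtection."""
    return EMAIL_PROTECTION in (find_eku(der) or [])

# Constructed samples, not taken from real certificates: an extensions wrapper with
# emailProtection + clientAuth, and a bare EKU extension with serverAuth only.
SMIME_EXTS = bytes.fromhex("a321301f301d0603551d250416301406082b0601050507030406082b06010505070302")
TLS_EXT = bytes.fromhex("30130603551d25040c300a06082b06010505070301")
```

For a full certificate, pass its DER bytes to `in_smime_br_scope`; the standard library's `ssl.PEM_cert_to_DER_cert` converts a PEM string first.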
S/MIME Baseline Requirements have now categorized the S/MIME Certificates into four different validation types defined in accordance with the information that goes in the subject field of the Certificate.
In all of these cases, mailbox control by the user is validated in accordance with the relevant set of rules defined in the baseline requirements. Furthermore, these types are segregated based on their Generations.
Furthermore, S/MIME Baseline Requirements have laid down validation methods that should be used to prove the identities of the user and its control over email addresses. These are:
The S/MIME Baseline Requirements also define how long a completed validation remains usable. Validation of organization and individual identity shall not be reused more than 825 days after the previous validation. Similarly, validation of mail server control and domain control shall be obtained no more than 398 days prior to issuing the Certificate.
GMO GlobalSign, as a proud publicly trusted Certificate Authority, will adopt this change for all current S/MIME offerings.
All impacts and changes to our S/MIME products are explained in the following articles:
For more information and to increase the security of your email communications, visit this link: