In January 2023, the CA/Browser Forum published new guidelines governing the issuance of S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates. These guidelines come into effect on September 1, 2023.
About S/MIME Certificate
S/MIME certificates are digital certificates installed on a user's devices to affirm the holder's identity and to sign outgoing email. Both sender and receiver need an email signing certificate in order to exchange encrypted messages.
About S/MIME Baseline Requirement
The S/MIME Baseline Requirements are the rules and standards for the proper issuance of certificates, and they ensure that all security standards are met. They set the minimum criteria a CA must satisfy before issuing a certificate. The S/MIME Certificate Working Group wrote the baseline documents, and certificate authorities, technology companies, and the browser community agreed on them.
The Baseline Requirements apply to organizations that, as part of their daily routine, send email outside their own network, as well as to well-known certificate authorities.
Internal CA and PKI
However, the baseline does not apply to an internal private CA that issues certificates for internal use only. It applies only to public key infrastructure and to organizations that use certificates from well-known third-party CAs.
Why Did This Amendment Come into Force?
The purpose of this amendment is to streamline the certificate issuance process and practices across all CAs and registration authorities. In the past, certificate authorities and registration authorities followed different issuance processes, which could lead to security risks. Consistency is mandatory when issuing a publicly trusted digital certificate.
The S/MIME Baseline Requirements cover:
- Correct and incorrect use of certificates
- Subject identity verification, including confirmation that the subject genuinely controls the domain.
- Subject identity validation, in which the CA and registration authority confirm the legitimacy of the subject's identity.
- The CA's operational practices and security controls.
- Auditing and compliance.
Types of S/MIME Certificate
The Baseline Requirements affect four types of validation certificates, including individual, organization validation and extended validation. In section 1.2, the baseline defines four certificate profiles according to the certificate subject:
Individual Validated S/MIME Certificate: The subject field contains an individual's name, such as "Michael Bay", rather than the name of a company or organization.
Mailbox Validated S/MIME Certificate: The subject contains only an email address or a serial number attribute. For example, firstname.lastname@example.org or a serial number such as 03:73:F0:57:FA:90:CD:E8:3B:E0:4E:C7:C6:EE:FD:5E.
Organization Validated S/MIME Certificate: The subject field contains the name of a legal entity (an organization). It must therefore not contain an individual's name.
Sponsor Validated S/MIME Certificate: The subject combines a person's name with an organization's name. Validation for this type of certificate is performed by an enterprise Registration Authority. Organizations issue such certificates to their employees, so that both the employee's name and the company name appear in the subject.
Generation Profiles As Per Certificates
Each of the certificate types above falls under one of three generation profiles:
Legacy: The Legacy profile applies to current S/MIME certificates and will be discontinued in a future version of the Baseline Requirements.
Multipurpose: This profile includes an extended key usage option, so the certificate can be used for crossover purposes. It can be issued for a maximum validity period of 825 days.
Strict: This profile applies strict generation rules and is the long-term S/MIME certificate profile. It also carries a maximum validity of 825 days.
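The following is an added example, not code from the article or from the CA/Browser Forum, showing how a reviewer might sort a certificate's subject into the four section 1.2 profiles described above and check it against the 825-day cap of the Multipurpose and Strict profiles. It assumes a simplified subject representation (a dictionary of attribute names), that a natural person is signalled by givenName/surname/pseudonym attributes and an organization by O, and that the extended key usage must include id-kp-emailProtection (1.3.6.1.5.5.7.3.4); the sample input is constructed.

```python
from dataclasses import dataclass
from datetime import date

MAX_VALIDITY_DAYS = 825                       # cap stated for Multipurpose/Strict
EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"    # id-kp-emailProtection (assumed check)


@dataclass
class CertSummary:
    """Fields extracted from an S/MIME certificate (constructed for this example)."""
    subject: dict              # X.509 subject attributes, e.g. {"O": "Example Ltd"}
    not_before: date
    not_after: date
    extended_key_usage: tuple  # EKU OIDs as strings


def classify_profile(subject: dict) -> str:
    """Map subject attributes to the four subject-based profiles.

    Assumption: person = givenName (GN), surname (SN) or pseudonym present;
    organization = organizationName (O) present.
    """
    has_org = "O" in subject
    has_person = any(k in subject for k in ("GN", "SN", "pseudonym"))
    if has_org and has_person:
        return "sponsor-validated"        # person + organization
    if has_org:
        return "organization-validated"   # legal entity only
    if has_person:
        return "individual-validated"     # natural person only
    if "emailAddress" in subject or "serialNumber" in subject:
        return "mailbox-validated"        # email address or serial number only
    return "unclassified"


def check_certificate(cert: CertSummary) -> dict:
    """Return the profile plus the validity and EKU checks a reviewer would make."""
    validity_days = (cert.not_after - cert.not_before).days
    return {
        "profile": classify_profile(cert.subject),
        "validity_days": validity_days,
        "validity_ok": validity_days <= MAX_VALIDITY_DAYS,
        "eku_ok": EMAIL_PROTECTION_OID in cert.extended_key_usage,
    }


if __name__ == "__main__":
    # Constructed sponsor-validated certificate issued on the effective date.
    sample = CertSummary({"O": "Example Ltd", "GN": "Michael", "SN": "Bay"},
                         date(2023, 9, 1), date(2025, 12, 4), (EMAIL_PROTECTION_OID,))
    print(check_certificate(sample))
```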