
S/MIME Baseline Requirements Will Go into Effect in Sep 2023, Regulating the Ways CAs Issue S/MIME

Tags: S/MIME Certificate, Baseline Requirements, Certificate Authorities

Catherine, June 14 2023

In January 2023, the CA/B Forum adopted the ballot for S/MIME Baseline Requirements V1.0.0, which will go into effect in September 2023. This first set of baseline requirements for S/MIME certificates provides guidance and requirements that Certificate Authorities (CAs) must strictly follow in their certification practice statements. Previously there was no consistent security standard, and little awareness of the problem, even though S/MIME certificates are very widely deployed. The first baseline requirements will form the foundation for issuing and managing all publicly trusted S/MIME certificates, aiming to raise industry standards and improve email security. NicSRS provides you with a summary of the key information to help you better understand the content and deliver high-quality products that comply with the baseline requirements for your customers.

What is an S/MIME Digital Certificate?

For those of you who are new to this, an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate is a digital certificate used to secure and authenticate email communications. It provides a way to encrypt and digitally sign email messages, ensuring the confidentiality, integrity, and authenticity of the content exchanged between parties. It also verifies the sender's identity, so that tampering with a message can be detected and the email communication stays secure.

The S/MIME Baseline Requirements Apply to:

These requirements apply to all Certificate Authorities (CAs) in the public trust chain, such as DigiCert, Sectigo, and GlobalSign. However, they do not apply to private CAs that serve solely internal purposes and whose root CA certificates are not distributed by any application software vendor.

S/MIME Baseline Requirements Cover:

  • The correct and incorrect use of certificates.
  • Verification that the subject actually controls the email address to be included in the certificate.
  • Subject identity verification by CAs and registration authorities to ensure identity legitimacy.
  • CA's operational practices (such as physical/logical security) and security controls.
  • Matters related to auditing and compliance.
  • Certificate profiles for S/MIME issuing CAs and end-entity certificates.

The Four Types of S/MIME Certificates Based on the Baseline Requirements

Digital certificates are commonly categorized according to their level of validation. The new baseline requirements, however, introduce a new and distinct classification system based on certificate profiles. They directly affect four types of validated certificates: individual-validated, mailbox-validated, organization-validated, and sponsor-validated S/MIME certificates. Section 1.2 (Document name and identification) of the baseline requirements outlines the four certificate profile types that are relevant to certificate users.

Individual-Validated S/MIME Certificate: Includes only Individual (Natural Person) attributes in the Subject. In other words, the subject description of the certificate can only include the individual's name, not the name of a company or organization.

Mailbox-Validated S/MIME Certificate: The Subject is limited to the (optional) subject:emailAddress and/or subject:serialNumber attributes. In other words, the subject field of the certificate contains either the email address, the serial number, both, or nothing at all.

Organization-Validated S/MIME Certificate: Includes only Organizational (Legal Entity) attributes in the Subject. In contrast to an individual-validated S/MIME certificate, the subject of an organization-validated certificate includes only the name of the legal entity, not an individual's name.

Sponsor-Validated S/MIME Certificate: Combines Individual (Natural Person) attributes with a subject:organizationName attribute (the associated Legal Entity). Registration for sponsor-validated certificates may be performed by an Enterprise RA. This means that for certificates of this type, issued by organizations to their employees, both the employee's name and the organization's name appear in the subject.

Each of the certificate types above is issued under one of three generation profiles:

Legacy: Today's S/MIME certificates are compatible with this older profile, but it will no longer be supported in future versions of the baseline requirements.

Multipurpose: This particular version incorporates additional extended key usage options and can be used for cross-certification scenarios. Furthermore, any certificates issued based on this version are subject to a maximum validity period of 825 days.

Strict: The most tightly constrained profile, intended as the long-term S/MIME certificate profile. Certificates issued under it are generated under strict rules, and their maximum validity period is also 825 days.
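To make the four subject types and the validity caps above concrete, here is an added example (not code from NicSRS or the CA/B Forum) that classifies a certificate Subject by the attributes it contains and checks the lifetime against the per-profile cap. It assumes a simplified attribute list for natural persons and legal entities; the real profiles carry more detailed rules, for instance on commonName.

```python
from datetime import datetime, timedelta

# Assumption: simplified sets of Subject attribute types. The Baseline
# Requirements define the permitted attributes per profile in more detail.
INDIVIDUAL_ATTRS = {"commonName", "givenName", "surname", "pseudonym"}
ORG_ATTRS = {"organizationName", "organizationalUnitName", "organizationIdentifier"}
# Attributes a Mailbox-Validated Subject may contain (both optional).
MAILBOX_ATTRS = {"emailAddress", "serialNumber"}

# Maximum validity in days per generation profile as summarized on this page;
# the page gives no figure for Legacy, so no cap is enforced for it here.
MAX_VALIDITY_DAYS = {"legacy": None, "multipurpose": 825, "strict": 825}


def classify_subject(subject):
    """Map a Subject (dict of attribute type -> value) to one of the four
    S/MIME certificate types, or None if it matches none of them."""
    present = set(subject)
    has_individual = bool(present & INDIVIDUAL_ATTRS)
    has_org = bool(present & ORG_ATTRS)
    # Anything outside the person/entity sets must be a mailbox attribute.
    if not (present - INDIVIDUAL_ATTRS - ORG_ATTRS) <= MAILBOX_ATTRS:
        return None
    if not has_individual and not has_org:
        return "mailbox-validated"      # only emailAddress/serialNumber, or empty
    if has_individual and not has_org:
        return "individual-validated"   # natural person only
    if has_org and not has_individual:
        return "organization-validated" # legal entity only
    # Person plus entity is only valid as a sponsor-validated certificate,
    # which combines individual attributes with subject:organizationName.
    return "sponsor-validated" if "organizationName" in present else None


def check_validity(not_before, not_after, profile):
    """Return True if the lifetime fits the profile's cap from the page."""
    cap = MAX_VALIDITY_DAYS[profile]
    return cap is None or (not_after - not_before) <= timedelta(days=cap)


# Constructed sample subjects, not taken from any real certificate.
SAMPLES = {
    "person": {"givenName": "Alice", "surname": "Example", "emailAddress": "alice@example.com"},
    "mailbox": {"emailAddress": "mail@example.com"},
    "entity": {"organizationName": "Example Corp", "organizationIdentifier": "NTRGB-12345678"},
    "sponsored": {"givenName": "Alice", "surname": "Example", "organizationName": "Example Corp"},
    "mixed": {"givenName": "Alice", "organizationalUnitName": "IT"},  # fits no profile
}

if __name__ == "__main__":
    for name, subj in SAMPLES.items():
        print(f"{name}: {classify_subject(subj)}")
```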

A New Standard Means a New Level of Security

The new baseline requirements for S/MIME certificates bring several significant improvements to email security compared to before. Here we will list some key points:

Enhanced Trust: The new requirements ensure that S/MIME certificates are issued and managed according to a consistent classification system based on certificate profiles. This strengthens trust in the certificates and in the email communications they protect.

Improved Operational Practices: The regulations include guidelines for CAs and registration authorities to follow in their operational practices, such as physical and logical security measures. This promotes a higher level of security in the issuance and management of S/MIME certificates.

Auditing and Compliance: The new requirements address auditing and compliance-related matters, ensuring that CAs adhere to industry best practices and meet the necessary standards for S/MIME certificate issuance.

Industry-wide Implementation: Every CA in the public trust chain, including but not limited to DigiCert, Sectigo, and GlobalSign, must comply with the baseline requirements, which ensures the rules are implemented effectively. This standardized approach improves the overall security and reliability of S/MIME certificates.

Overall, the new baseline requirements for S/MIME certificates signify a significant step forward in strengthening email security, enhancing trust, and ensuring the proper issuance and management of S/MIME certificates.

As a leading digital certificate provider, NicSRS is committed to offering users better products and higher quality services. We also strictly adhere to the CA/B requirements for S/MIME, ensuring that we provide you with superior products. If you have any questions, please feel free to contact us for assistance.

To read the full details of the new baseline requirements for S/MIME, please refer to the document published by the CA/B Forum.