The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum is considering a change to the S/MIME Baseline Requirements (BR) that will require the use of Multi-Perspective Issuance Corroboration (MPIC) when validating email domains in accordance with sections 3.2.2.1 or 3.2.2.3 of the S/MIME BR.
The proposed approach is based on a similar ballot recently passed as SC67 in the TLS Baseline Requirements. It requires CAs, when performing domain validation and Certification Authority Authorization (CAA) checks, to query DNS from multiple network perspectives. The goal of MPIC is to make it harder for adversaries to successfully attack the domain validation process (for example, by BGP hijacks that are only visible from one network vantage point). The S/MIME BR reference the affected validation methods in the TLS BR.
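As an added illustration (not part of this announcement and not CA/Browser Forum reference code), the following Python sketches the corroboration decision a CA's validation service makes over constructed per-perspective DNS TXT lookups. The quorum tolerance (one dissenting remote perspective when there are 2-5 of them, two when there are 6 or more) and the two-region diversity rule are assumptions for the example, not taken from the text above.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Perspective:
    name: str                              # constructed label, e.g. "remote-1"
    region: str                            # constructed region label
    txt_records: Optional[FrozenSet[str]]  # None models a failed/timed-out lookup


def max_non_corroborating(remote_count: int) -> int:
    # Assumed quorum rule (not from the announcement): 2-5 remote
    # perspectives tolerate 1 dissent, 6 or more tolerate 2.
    if remote_count < 2:
        raise ValueError("at least two remote perspectives are assumed")
    return 1 if remote_count <= 5 else 2


def corroborates(expected_token: str, view: Perspective) -> bool:
    # A perspective corroborates only if its own lookup returned the token.
    return view.txt_records is not None and expected_token in view.txt_records


def mpic_decision(expected_token: str, primary: Perspective,
                  remotes: List[Perspective]) -> Tuple[bool, List[str]]:
    """Return (passed, reasons): the primary must observe the token itself,
    and the remotes must corroborate within the assumed tolerance."""
    reasons: List[str] = []
    if not corroborates(expected_token, primary):
        reasons.append(f"primary {primary.name} did not observe the token")
    dissenters = [r.name for r in remotes if not corroborates(expected_token, r)]
    if len(dissenters) > max_non_corroborating(len(remotes)):
        reasons.append(f"too many non-corroborating perspectives: {dissenters}")
    # Assumed diversity rule: remotes span at least two regions, so a
    # route hijack localized to one region cannot satisfy them all.
    if len({r.region for r in remotes}) < 2:
        reasons.append("remote perspectives are not regionally diverse")
    return (not reasons, reasons)


def demo() -> Tuple[bool, bool]:
    token = "_validation-token=abc123"                     # constructed value
    seen = frozenset({token})
    hijacked = frozenset({"_validation-token=attacker"})   # constructed view
    primary = Perspective("primary", "region-a", seen)
    remotes = [Perspective("remote-1", "region-b", seen),
               Perspective("remote-2", "region-c", seen),
               Perspective("remote-3", "region-c", hijacked)]
    one_dissent = mpic_decision(token, primary, remotes)[0]   # True
    remotes[1] = Perspective("remote-2", "region-c", None)    # lookup timed out
    two_dissent = mpic_decision(token, primary, remotes)[0]   # False
    return one_dissent, two_dissent
```

In the first scenario a single remote perspective sees a different record and validation still passes; once a second remote fails to corroborate, the quorum is no longer met and issuance is refused.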
Please note that CAs fall within the scope of the S/MIME BR if they issue publicly trusted end-entity certificates that include an Extended Key Usage (EKU) of id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and include an rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension.
The SMCWG encourages CAs that issue S/MIME certificates to follow the developments surrounding MPIC. Note that the majority of publicly trusted S/MIME issuers also issue TLS certificates and so will already be drawn into MPIC adoption by the TLS BR ballot. For more information:
With kind regards,
Stephen Davidson
Chair, S/MIME Certificate Working Group (SMCWG)