CA/Browser Forum S/MIME Baseline Requirements


Ben Wilson

May 30, 2023, 9:02:33 PM
to dev-secur...@mozilla.org
All,

The CA/Browser Forum (CABF) has created a set of Baseline Requirements for publicly trusted S/MIME digital certificates (S/MIME BRs), with an effective date of September 1, 2023.

The S/MIME BRs (https://cabforum.org/smime-br/) are the result of several years of work by the CA/Browser Forum’s S/MIME working group, which included representatives from CAs around the world, email software providers, auditors, and communities that use S/MIME. The S/MIME BRs contain requirements governing certificate profiles, verification of control over email addresses, validation of identity, key management and certificate lifecycles, and CA operational practices, including physical and logical security.

The S/MIME BRs define four S/MIME certificate types and three generations, as follows:

Types

  1. Mailbox-validated: the Subject is limited to (optional) emailAddress and/or serialNumber attributes.

  2. Individual-validated: the Subject includes only individual (natural person) attributes.

  3. Organization-validated: the Subject includes organization details (legal entity).

  4. Sponsor-validated: the most common type of S/MIME certificate, often issued by an Enterprise to its employees. The Subject includes organization details as well as attributes of a ‘sponsored’ individual.

Generations

  1. Legacy: A flexible profile to facilitate moving reasonable practices of the existing S/MIME ecosystem with 1,185 days maximum validity.

  2. Multipurpose: Modeled on Strict, but with more flexibility in allowed EKUs (up to 825-day validity).

  3. Strict: The long-term target profile limited to supporting only id-kp-emailProtection (up to 825-day validity).

Validation Methods

Methods of email validation require the establishment of control of the following:

  • the entire email domain, using existing methods defined in section 3.2.2.4 of the CABF’s TLS BRs;

  • specific email addresses, using a challenge/response email process; or

  • the SMTP FQDN to which a message to the email address should be directed.

Soon I will be starting a separate discussion for us to talk about how Mozilla’s Root Store Policy should be updated to require and enforce the S/MIME BRs. This will be followed by other proposed changes to the Mozilla Root Store Policy for version 2.9 as well.

Regards,

Ben
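One way to sanity-check a parsed certificate against the four types and three generations listed in the message above, as an added example that is not code from the CA/Browser Forum, Mozilla or the original post. The Subject attribute sets used to tell individual from organization details, the dict and date inputs, and the use of the id-kp-emailProtection OID as the sole EKU marker are assumptions made for this example.

```python
"""Classify a parsed S/MIME certificate against the S/MIME BR types and
generations summarised in the post. Added illustration; the attribute
groupings below are assumptions, not text from the S/MIME BRs."""
from datetime import date

EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

# Assumption: which Subject attribute types count as "individual" (natural
# person) details versus "organization" (legal entity) details.
MAILBOX_ONLY = {"emailAddress", "serialNumber"}
INDIVIDUAL = {"givenName", "surname", "pseudonym"}
ORGANIZATION = {"organizationName", "organizationIdentifier"}

# Maximum validity in days, as stated in the post.
MAX_DAYS = {"legacy": 1185, "multipurpose": 825, "strict": 825}


def classify_type(subject):
    """subject: dict mapping Subject attribute type -> value.
    Returns the S/MIME BR certificate type the Subject fits, or "unknown"
    when it carries attributes outside every profile described."""
    attrs = set(subject)
    has_org = bool(attrs & ORGANIZATION)
    has_person = bool(attrs & INDIVIDUAL)
    if has_org and has_person:
        return "sponsor-validated"       # org details + sponsored individual
    if has_org:
        return "organization-validated"  # legal entity only
    if has_person:
        return "individual-validated"    # natural person only
    if attrs <= MAILBOX_ONLY:
        return "mailbox-validated"       # only emailAddress / serialNumber
    return "unknown"


def classify_generation(ekus, not_before, not_after):
    """Return the most restrictive generation whose EKU and validity limits
    the certificate satisfies, or None if it exceeds even the Legacy cap."""
    days = (not_after - not_before).days
    if set(ekus) == {EMAIL_PROTECTION} and days <= MAX_DAYS["strict"]:
        return "strict"          # emailProtection only, <= 825 days
    if EMAIL_PROTECTION in ekus and days <= MAX_DAYS["multipurpose"]:
        return "multipurpose"    # extra EKUs allowed, <= 825 days
    if days <= MAX_DAYS["legacy"]:
        return "legacy"          # flexible profile, <= 1,185 days
    return None


if __name__ == "__main__":
    # Constructed sample: a sponsor-validated, strict-profile certificate.
    subj = {"organizationName": "Example Corp", "givenName": "Ann",
            "surname": "Lee", "emailAddress": "ann@example.com"}
    print(classify_type(subj),
          classify_generation([EMAIL_PROTECTION], date(2023, 9, 1), date(2025, 9, 1)))
```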
