GlobalSign Blog

Are You Ready for the New CA/B Forum Baseline Requirements for S/MIME?

Did you know the first email was sent in 1971, over half a century ago? Over the years, the way we send emails has changed as technology has evolved. Securing emails with S/MIME safeguards the confidentiality, integrity, and authenticity of sensitive communication, providing a robust defense against unauthorized access and tampering.

S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a widely used protocol and, for the first time since its inception, is now included within the Certificate Authority/Browser (CA/B) Forum, which establishes industry standards and guidelines to enhance the security and trustworthiness of internet use. The S/MIME changes implemented by the CA/B Forum take effect from September 1, 2023.

The Baseline Requirements (BR) outline the minimum allowable settings and configurations for S/MIME.

Four Different Validation Types

With this BR come four different validation types, each containing different information:

  • Mailbox-validated – contains just the email address and/or a serial number
  • Organization-validated – is for organizational use, with the organization’s name and the organization’s email address
  • Sponsor-validated – contains the person’s full name and organizational email, as well as the organization they belong to
  • Individual-validated – includes a person’s full name and personal email address

GlobalSign already provided these validation processes within the PersonalSign product range.

| PersonalSign1 | PersonalSign2 Pro (EMEA only) | Business Use | Organization or Department Use |
| --- | --- | --- | --- |
| Certificate represents only the email address of an individual | Certificate represents both the email address and named individual | Certificate represents an employee at an organization and includes the employee’s name, email, and company name | Certificate represents name of an organization or email address of a department with Organizational details |
| | Needs video-based verification currently supported only in English for EMEA | Can support one to multiple users in the organization through Enterprise account and have faster turnaround | |

Introducing S/MIME Generations

With these certificate types, the S/MIME BR introduced Generations to define each certificate profile, namely:

  • Legacy – the model most similar to what is being used today, but it will be deprecated as its configurations may become obsolete
  • Strict – has more clearly defined configurations and is geared towards long-term usage
  • Multipurpose – follows the Strict profile with defined configurations and has additional options to allow flexibility for other usage

GlobalSign will be implementing a new intermediate certificate to adhere to the Baseline Requirements for standard customers, and these will take effect on August 28th, 2023.

For more information we encourage you to read the relevant support articles:

If you are using GCC, click here

If you are using Atlas, click here

Changes to EPKI Profiles: Organizational Identifier

Additionally, a field will be added when new customers submit an S/MIME profile to be vetted. This affects profiles with organizational information, as they will be required to add an Organization Identifier or OID (also called Legal Entity Identifier or LEI). Alternatively, the organization’s registration number or tax number can be used.

As an EPKI user with S/MIME certificates, you are strongly encouraged to read our support articles, which give further details about how this impacts the vetting process.

For Enterprise PKI users, click here

And for Enterprise PKI API users, click here

Other S/MIME Baseline Requirements to Note

The S/MIME Baseline Requirements have specified validation methods that should be used to prove the identities of the user and their control over email addresses. These are: validating control of the mailbox via email message, validating authority of the mailbox via domain, and validating the applicant as the operator of the mail server(s).

Further to this, the S/MIME Baseline Requirements have also defined the duration of the validation. Organization and individual identity shall not be used for more than 825 days before previous validation. Similarly, validation of the mail server and domain control shall be obtained at least 398 days before issuing the Certificate.

Click here to learn more details about the S/MIME BRs

Or if you are still not using S/MIME certificates and are interested, you may contact us here.
