The PKI market is undergoing a raft of changes in response to new and emerging challenges. Across the industry, new requirements are coming into force, or being proposed, to keep pace with evolving threats in information security.
These proposals may put pressure on IT teams to keep their organizations secure while complying with the new requirements and regulations. Let’s take a look at the changes and proposals being made, and how IT and security teams can prepare.
- S/MIME Baseline Requirements
- Proposed Transition to 90-Day Certificate Validity
- Mozilla Plans to Distrust Old Root Certificates
- Why are these Changes Important?
- Automation can Help IT Teams Stay Up to Date with Changes in the PKI Market
S/MIME Baseline Requirements
From September 1, a new set of standards for Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates comes into effect. The new Baseline Requirements, set out by the Certificate Authority/Browser Forum (CA/B Forum), require Certificate Authorities (CAs) to perform specified organizational or individual validation before issuing S/MIME certificates. This standardizes validation practices across the industry to enhance the security, confidentiality and integrity of online communications.
The changes introduce four validation types: Mailbox-validated, Organization-validated, Sponsor-validated and Individual-validated. The CA/B Forum is also introducing S/MIME generations (Legacy, Strict and Multipurpose) that define the certificate profiles and where each falls under the new requirements.
S/MIME is a standard for digitally signing and encrypting email. A signature verifies the origin of the message and shows that it has not been tampered with, while encryption keeps the content confidential between sender and recipient. The requirements protect user privacy by standardizing how CAs validate user identities and their control over the email addresses named in a certificate, while keeping security and compatibility consistent across CAs.
Proposed Transition to 90-Day Certificate Validity
In March 2023, Google proposed plans to shorten SSL / TLS certificate lifespans, capping validity at 90 days. Though there is no implementation date for these suggested changes yet, were they to move forward, they would create a significant industry shift.
This proposal follows a trend in the cybersecurity industry toward shorter SSL / TLS certificate lifespans, intended to reduce the opportunity for attackers to abuse a compromised or mis-issued certificate. Publicly trusted SSL / TLS certificates once had a maximum validity of five years; that limit was reduced several times until reaching the current maximum of 397 days, or about 13 months.
Mozilla Plans to Distrust Old Root Certificates
Mozilla has announced plans to distrust older S/MIME and SSL / TLS root certificates from 2025. S/MIME roots will have their trust bits removed after 18 years and SSL / TLS roots will have theirs removed after 15 years. The move comes as Mozilla looks to improve cryptographic agility within the industry and to ensure that all CA root hierarchies meet the current root requirements.
At present, many older CA root certificates meet neither Mozilla’s root store policy nor the CA/B Forum Baseline Requirements. With this change, Mozilla highlights that industry security requirements and policies are constantly evolving to keep up with new demands and challenges, so CA hierarchies that were compliant when created become outdated over time. Updating Mozilla’s root policy will ensure that CA hierarchies continue to evolve with industry demands and browser requirements and remain fully compliant.
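As an added illustration (not code from the original article or from any CA, browser or vendor), the following Python audit checks a constructed certificate inventory against the limits described in the two sections above: the current 397-day maximum and the proposed 90-day cap for leaf certificates, and Mozilla's 15-year (TLS) and 18-year (S/MIME) root cut-offs. The inventory rows, names and audit date are assumptions made for the example.

```python
from datetime import date

# Leaf-certificate lifetime limits discussed in the article (days).
CURRENT_MAX_DAYS = 397   # current maximum for public TLS certificates
PROPOSED_MAX_DAYS = 90   # Google's proposed cap

# Mozilla's announced root-age cut-offs, in years from the root's notBefore.
ROOT_MAX_YEARS = {"tls": 15, "smime": 18}

# Hypothetical date on which the audit is run.
AUDIT_DATE = date(2025, 1, 1)

# Constructed sample inventory, the sort of rows often kept in a spreadsheet.
# Names and dates are hypothetical.
INVENTORY = [
    {"name": "www.example.test", "kind": "tls", "is_root": False,
     "not_before": date(2024, 1, 1), "not_after": date(2025, 3, 1)},
    {"name": "mail.example.test", "kind": "tls", "is_root": False,
     "not_before": date(2024, 1, 1), "not_after": date(2024, 12, 31)},
    {"name": "api.example.test", "kind": "tls", "is_root": False,
     "not_before": date(2024, 6, 1), "not_after": date(2024, 8, 15)},
    {"name": "Legacy TLS Root", "kind": "tls", "is_root": True,
     "not_before": date(2006, 3, 10), "not_after": date(2031, 3, 10)},
    {"name": "Old S/MIME Root", "kind": "smime", "is_root": True,
     "not_before": date(2008, 5, 20), "not_after": date(2033, 5, 20)},
]

def validity_days(cert):
    """Lifetime of a certificate in days (notAfter minus notBefore)."""
    return (cert["not_after"] - cert["not_before"]).days

def root_age_years(cert, today):
    """Whole years elapsed since the root's notBefore date."""
    nb = cert["not_before"]
    return today.year - nb.year - ((today.month, today.day) < (nb.month, nb.day))

def audit(inventory, today):
    """Return (name, finding) pairs for certificates outside the limits."""
    findings = []
    for cert in inventory:
        if cert["is_root"]:
            limit = ROOT_MAX_YEARS[cert["kind"]]
            age = root_age_years(cert, today)
            if age >= limit:
                findings.append((cert["name"], f"root age {age}y >= {limit}y cut-off"))
            continue
        days = validity_days(cert)
        if days > CURRENT_MAX_DAYS:
            findings.append((cert["name"], f"{days}d exceeds current {CURRENT_MAX_DAYS}d max"))
        elif days > PROPOSED_MAX_DAYS:
            findings.append((cert["name"], f"{days}d exceeds proposed {PROPOSED_MAX_DAYS}d cap"))
    return findings
```

Run `audit(INVENTORY, AUDIT_DATE)` to list the flagged certificates; the S/MIME root is reported as compliant because it is still under the 18-year cut-off, while the TLS root of similar age is not.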
Why are these Changes Important?
While these changes will work to improve business security posture and promote internet safety, IT teams responsible for organizational security will undoubtedly feel the pressure as they organize themselves to adapt to these new requirements.
Many IT teams will have to update their security procedures in line with these requirements, a difficult feat for teams that manage certificates manually by storing and tracking their certificate inventories in spreadsheets. These changes and proposals encourage organizations to evaluate their current security posture; IT teams using outdated procedures will need to catch up or put company security and infrastructure at risk.
Automation can Help IT Teams Stay Up to Date with Changes in the PKI Market
The most efficient way for IT teams to manage their security alongside the new changes and proposals will be to automate certificate management. Many IT teams still manage certificates manually, placing increasing strain on IT management and their employees, especially as spending cuts in cybersecurity reduce the resources available to IT teams.
Automation is a resource that IT teams will need to rely on to manage business security. Automating certificate management also strengthens the business security posture and improves accountability by making clear who is responsible for each certificate's lifecycle.