CA/B Forum Update October 2020

DigiCert is committed to bringing you the latest news in the industry, including regular updates from the CA/B Forum

The CA/Browser Forum met virtually from Oct. 20–22 for their fall meeting. There is a growing trend in the CA/B Forum to limit the fields authorized in certificates, and Google has made several announcements, including announcing a Chrome root store.

Removal of the OU field

The Organization Unit (OU) field has been part of certificates for 25 years, but its use has recently been called into question. The OU field is optional and has a limited purpose. The data in the field is self-reported and not validated by the CA. So to reduce confusion and potential erroneous data, the CA/B Forum is discussing removing it.

We expect a ballot to remove this field in the near future; the ballot will likely pass before the end of the year and compliance will be enforced realistically within six months from when the ballot passes. Currently, this is specific to TLS certificates; however, other types of certificates like code signing and S/MIME may follow suit.

How it affects you

At DigiCert, we anticipated this change and have already been moving customers away from using the OU field. You will not find the OU field in order forms and it will be removed in all new, renewed and reissued public TLS certificates. There will be a transition period; however, it does not affect previously issued certificates with a valid OU field.

Chrome root store announcement

Chrome has historically used root stores from the operating systems in use, such as Windows, Android or Apple iOS, but they have not had their own root store. However, Google Chrome recently announced they are starting to create their own root policy. And Chrome is developing their own standards for their root program.

How it affects you

In order for your website to display the padlock in Chrome and avoid the “not secure” warning, you need to ensure that your site has a valid certificate from a CA in Chrome’s root store. DigiCert is one of the included CAs trusted in Chrome’s root store, so if you have a DigiCert certificate you do not need to do anything.

Ongoing CA/B Forum initiatives

DigiCert is also heavily involved in the new CA/B Forum S/MIME working group. In fact, our own Stephen Davidson is the new chair. And while S/MIME has been around for a long time, there haven’t been any dominant standards for these types of certificates. DigiCert advocates for best practices, including potential enhancements to EV standards and monitoring the development of post-quantum computing to define standards for post-quantum certificates. We will discuss the S/MIME working group and more CA/B Forum updates in future blog posts. Stay tuned to our blog or follow @digicert for the latest industry trends.

Posted in Announcements, CA/Browser Forum, SSL Certificate Management