CAA was originally defined in RFC 8659 as a way for domain holders to use DNS to specify which CAs are approved to issue TLS certificates for that domain. A CAA record gives the holder additional control over how their domain is used and reduces the risk of unintended certificate mis-issuance.
The new CA/B Forum requirement will amend the S/MIME Baseline Requirements to extend adoption of CAA to public trust S/MIME certificates, following a new RFC 9495 written by DigiCert Technology Strategist Corey Bonnell.
RFC 9495 describes how CAA processing may be applied to an email address and defines a new CAA Property Tag “issuemail” for use in the context of S/MIME. By adding one or more “issuemail” Property Tags, domain holders may specify the CAs that are approved to issue S/MIME certificates for the email domain.
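As an added illustration (not code from the original post, DigiCert, or the RFC), the check below shows how a CA would evaluate the "issuemail" tag for a mailbox: the domain after the "@" is run through the RFC 8659 tree-climbing lookup, and only "issuemail" properties in the relevant RRset count for S/MIME, with a bare ";" value meaning no CA is authorised. The DNS data is a constructed in-memory table standing in for real lookups, and the CA name "mail-ca.example" is an assumed identifier; CNAME/alias following from RFC 8659 is omitted.

```python
"""Minimal RFC 9495 'issuemail' authorisation check over constructed CAA data."""

# Constructed stand-in for DNS: FQDN -> list of (tag, value) CAA records.
# Real deployments would query DNS (ideally with DNSSEC validation) instead.
CAA_RECORDS = {
    "example.com": [("issue", "web-ca.example"), ("issuemail", "mail-ca.example")],
    "nomail.example.net": [("issuemail", ";")],          # ";" forbids all S/MIME issuance
    "open.example.org": [("issue", "web-ca.example")],   # no issuemail -> no S/MIME restriction
}


def relevant_caa_rrset(fqdn):
    """RFC 8659 section 3: climb towards the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = CAA_RECORDS.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Return the issuer-domain-name part of a CAA value ('ca.example; k=v' -> 'ca.example')."""
    return value.split(";", 1)[0].strip().lower()


def may_issue_smime(email, ca_domain):
    """Decide whether ca_domain may issue an S/MIME certificate for the mailbox `email`.

    Only 'issuemail' properties are consulted; 'issue' and 'issuewild' do not
    authorise S/MIME issuance. A relevant RRset with no 'issuemail' property
    places no S/MIME restriction on the domain.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    rrset = relevant_caa_rrset(domain)
    issuemail = [v for tag, v in rrset if tag.lower() == "issuemail"]
    if not issuemail:
        return True
    return any(issuer_domain(v) == ca_domain.lower() for v in issuemail)
```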
The CA/Browser Forum’s S/MIME Certificate Working Group is in the final stages of discussion for Ballot SMC05 to introduce CAA for email. Under the proposed ballot, CAs would be recommended to implement CAA for S/MIME by September 2024, with implementation required by March 2025.
The use of CAA is an optional security tool for the domain owner, but checking CAA will be mandatory for public CAs before issuing S/MIME certificates.