The CA/Browser Forum has started a ballot that will require Certificate Authorities (CAs) to adopt CA Authorization (CAA) processing for email addresses included in S/MIME certificates. 

Putting control in domain owners’ hands

CAA was originally defined in RFC 8659 as a way for domain holders to use DNS to specify which CAs are approved to issue TLS certificates for that domain. The CAA record provides additional control for the holder over the use of their domain and reduces the risk of unintended certificate mis-issue.

The new CA/B Forum requirement will amend the S/MIME Baseline Requirements to extend adoption of CAA to public trust S/MIME certificates, following a new RFC 9495 written by DigiCert Technology Strategist Corey Bonnell. 

RFC 9495 describes how CAA processing may be applied to an email address and defines a new CAA Property Tag “issuemail” for use in the context of S/MIME. By adding one or more “issuemail” Property Tags, domain holders may specify the CAs that are approved to issue S/MIME certificates for the email domain.

Proposed timeline for Ballot SMC05

The CA/Browser Forum’s S/MIME Certificate Working Group is in the final stages of discussion for Ballot SMC05 to introduce CAA for email. Under the proposed ballot, CAs would be recommended to implement CAA for S/MIME by September 2024, with implementation required by March 2025. 

The use of CAA is an optional security tool for the domain owner, but checking CAA will be mandatory for public CAs before issuing S/MIME certificates.

The latest developments in digital trust

Want to learn more about topics like certificate management, enterprise security, and PKI? Subscribe to the DigiCert blog to ensure you never miss a story.