The June CA/Browser (CA/B) Forum meeting was held earlier this month in Warsaw, Poland, hosted by Certificate Authority Asseco. The event enjoyed increased attendance, in part because it was held in conjunction with the Trusted Economy Forum, a meeting with a similar focus on trusted services. With a feeling of returning to normal in-person events, there were several interesting discussions and updates in this meeting, including Apple’s announcement of starting a root store for Verified Mark Certificates (VMCs), a final draft of S/MIME Baseline Requirements, code signing token changes, and an overview from Chrome of changes to their root program.
The S/MIME working group has a final draft of the new standard for the digital certificates used in secure email. This month’s meeting was spent gathering input from various parties as part of a pre-ballot discussion. The new S/MIME Baseline Requirements will be the first industry-wide standard for S/MIME certificates and will incorporate knowledge from several dozen parties, including DigiCert and other certificate issuers, major email software and service providers, enterprise and public sector users, and the audit/compliance community.
As the S/MIME Baseline Requirements approach a ballot, customers should monitor for updates. The working group intends to move to a formal ballot at the start of Q4 2022, pending resolution of final input. Assuming the ballot passes as written, we expect it to be implemented industry-wide in Q3 2023. Overall, the working group has made significant progress, as discussions on the new standard only began in 2020.
As a reminder, there will be upcoming changes in the token requirements for OV code signing certificates. The discussion on code signing during this CA/B Forum meeting centered on improving requirements for signing services.
At DigiCert, we’re providing leadership in security: we have been sharing our implementation experience with DigiCert® Secure Software Manager with the working group and have provided consulting on the standards for signing services. With Secure Software Manager, customers can ensure compliance with regulations and support full automation to simplify code signing workflows.
Chrome recently published a comprehensive update to their root program policy, and at this month’s Forum their representative walked through the changes, including the rationale behind them and their long-term goals. Here are a few of the main changes explained:
Read more about Chrome’s root program here: https://www.chromium.org/Home/chromium-security/root-ca-policy/.
The next Forum meeting will be held in October 2022 in Berlin. We have seen increasing attendance at the face-to-face meetings as we return to in-person work, and we expect in-person attendance to continue to rise as global COVID restrictions ease. This meeting is being held in conjunction with the annual European CA Day, hosted by the EU Agency for Network and Information Security. We will cover this meeting and any updates to these initiatives where relevant.