CA Browser Forum 07-01-2022

DigiCert’s June 2022 CA/B Forum Recap

DigiCert

The June CA/Browser (CA/B) Forum meeting was held earlier this month in Warsaw, Poland, hosted by the Certificate Authority Asseco. The event enjoyed increased attendance, in part because it was held in conjunction with the Trusted Economy Forum, a meeting with a similar focus on trusted services. With a feeling of returning to normal in-person events, there were several interesting discussions and updates at this meeting, including Apple’s announcement that it is starting a root store for Verified Mark Certificates (VMCs), a final draft of the S/MIME Baseline Requirements, code signing token changes, and Chrome’s overview of changes to its root program.

S/MIME Baseline Requirements

The S/MIME working group has a final draft of the new standard for the digital certificates used in secure email. This month’s meeting was spent gathering input from various parties as part of a pre-ballot discussion. The new S/MIME Baseline Requirements will be the first industry-wide standard for S/MIME certificates and will incorporate knowledge from several dozen parties, including DigiCert and other certificate issuers, major email software and service providers, enterprise and public sector users, and the audit/compliance community.

As the S/MIME Baseline Requirements approach a ballot, customers should monitor for updates. The working group intends to move to a formal ballot at the start of Q4 2022, pending resolution of final input. Assuming the ballot passes as written, we expect it to be implemented industry-wide in Q3 2023. Overall, the working group has made significant progress, as discussions on the new standard only began in 2020.

Code signing

As a reminder, there will be upcoming changes in the token requirements for OV code signing certificates. The discussion on code signing during this CA/B Forum centered around improving requirements for signing services.

At DigiCert, we are contributing to this work by sharing our implementation experience with DigiCert® Secure Software Manager with the working group and by consulting on the standards for signing services. With Secure Software Manager, customers can ensure compliance with regulations and support full automation to simplify code signing workflows.

Chrome root program

Chrome recently published a comprehensive update to its root program policy, and at this month’s Forum its representative walked through the changes, including the rationale behind them and the program’s long-term goals. Here are a few of the main changes explained:

  • Rotating root certificates: Chrome has signaled the intent to require that root certificates in its root program be rotated every few years. Chrome wishes to phase out the old practice of keeping a single root in service for 20 or more years, believing that root rotation will allow security changes to be pushed into the market faster.
  • Automation: Chrome has been pushing for more automation by CAs, including ACME, which Chrome argues could help revoke and replace certificates in a timely manner. DigiCert offers ACME automation with third-party ACME clients, as well as CertCentral-managed automation, which allows you to manage all your automations from the CertCentral web console and includes features to ensure that ACME and other software components are always kept updated.
  • Changing OS implementation: Chrome previously relied on the operating system’s root store and certificate validation, but is now moving to its own implementation. We do not anticipate that this will have much effect on our customers.

Read more about Chrome’s root program here: https://www.chromium.org/Home/chromium-security/root-ca-policy/.

Stay tuned for next time

The next Forum meeting will be held in October 2022 in Berlin. We have seen increasing attendance at the face-to-face meetings as we return to in-person work, and we expect in-person attendance to continue to rise as global COVID restrictions ease. That meeting is being held in conjunction with the annual European CA Day, hosted by the EU Agency for Network and Information Security. We will cover this meeting and any updates to these initiatives where relevant.

Additionally, for a summary of what else the Forum has discussed recently, read our recap blogs from February 2022 and October 2021.
