As usual, DigiCert attended the CA/Browser (CA/B) Forum meeting hosted by Microsoft this June, and we are sharing the key takeaways relevant for our customers and partners.
Some of the key emerging themes we’re seeing from the CA/B Forum at this time are automation, reducing the number of changes to the Baseline Requirements (BRs) per year, and broadening inclusion of and input from various stakeholders.
First, the forum is interested in how adoption of automation can be encouraged. There is general consensus that automation can benefit the industry through simplified processes and removing human error, which can increase security. Chrome’s proposal for shorter certificates, new validation processes and more are all centered on automation. With the typical enterprise managing over 50,000 certificates, enterprises are also focused on automation. According to a recent DigiCert survey, 91% of enterprises want PKI automation and 70% are looking to implement automation in the near future. Thus, it’s no surprise that the CA/B Forum is also discussing automation.
There is also an emerging discussion that BR changes should only be done a few times a year, to reduce the burden of changes as well as simplify the number of ballots in place at once. However, at the moment there is no timeline in place for when this would be implemented, only discussion.
Finally, the forum is revising its bylaws to facilitate participation from various stakeholder groups in the sector. This will ensure that there is accurate representation across the industry involved in making the decisions surrounding the standards that underpin digital trust on the internet.
As many are aware from our last update, earlier this year Chrome released “Moving Forward, Together,” its vision for the Chrome root policy, which included a proposal to move toward 90-day certificate validity periods as well as more frequent ICA rotation. However, Chrome has not made any decisions or specified any timeframes on this particular proposal. Currently, Chrome is seeking community feedback on suitable timeframes for reducing certificate lifetimes in a way that will advance automation. Aligned with its interest in broader automation adoption, Chrome will in the future also require CAs to offer ACME or other automation solutions for inclusion in its root program.
While a proposed ballot in front of the forum would remove the need to support revocation services for short-validity certificates, Microsoft announced that its root program would continue to require Online Certificate Status Protocol (OCSP) support by CAs.
At this meeting, several root programs confirmed that they will require CAs to be compliant with the new S/MIME BRs for publicly-trusted email certificates starting Sept. 1. Subject to policy updates, a major root program stated that CAs will be expected to include the S/MIME BRs in audits by the end of 2024.
Recognizing the complexity of implementing a new standard, it has been agreed to allow a transition period for existing S/MIME CAs to be used, as long as they can support the issuance of compliant end entity certificates. A forthcoming ballot will propose a later deadline for operators to transition to fully compliant issuing CAs.
An additional ballot will introduce corrections to the S/MIME BRs (for example, relating to EdDSA certificates) as well as clarifications on topics such as the role and responsibilities of Enterprise RAs, including their ability to issue certificates to their users on the basis of existing internal business records.
The TLS BRs include several options for validating domain control, including the customer making changes to their DNS settings, which have needed to be periodically updated. This sometimes presents an obstacle to automation, as DNS and certificate management are often the responsibility of different teams within an organization. With the increased interest in automation, the CA/B Forum seems willing to adapt the DNS methods to allow ongoing use of the DNS-challenge method with fewer manual updates required of the customer. We will keep readers updated on these proposed changes.
Increasingly, laws and industry regulations require organizations to attest to the security of their software, including embedded toolkits and code interdependencies. During the Code Signing Working Group meeting, Microsoft presented background information about the IETF SCITT project, which is standardizing interoperable building blocks that will help improve integrity, transparency and trust for both digital and physical assets.
Microsoft believes that standardized, cross-platform approaches such as SCITT are fundamental to the next generation of code signing technologies. Work at IETF is just beginning on this important project, but it is fundamental to supporting the future envisioned in recent White House directives.
GlobalSign will host the next CA/B Forum meeting in New Hampshire in early October 2023. For the latest CA/B Forum updates, visit the DigiCert blog at www.digicert.com/blog/category/ca-browser-forum.