CA Browser Forum 10-26-2021

DigiCert’s October 2021 CA/Browser Forum Recap


The CA/Browser Forum met in October for the final time this year. (For an overview of what the Forum does and how it works, see DigiCert’s Introduction to the CA/B Forum). This month’s meeting proved to be quite productive, and we have several updates for you, including news about Apple’s new root program, certificate profiles, eIDAS 2.0, the return of in-person meetings and more. Additionally, Chrome is changing its representation and a new root program lead will take over for the next meeting. Here’s what you should know from October’s CA/B Forum meeting:

Apple’s new root program

Most notably, Apple announced new S/MIME profile requirements, aiming for implementation of April next year. Apple said that they will enforce a two-year lifetime on S/MIME certificates as of April 1, 2022. Starting then, Apple will require certificate authorities (CAs) to disclose all CA certificates which chain up to Root Certificate(s) included in the Apple Root Program. Additionally, Apple will require S/MIME certificates to:

  • include the emailProtection EKU
  • include at least one subjectAlternativeName rFC822Name value containing an email address
  • not have a validity period greater than 825 days
  • use a signature hash algorithm of greater than or equal strength to SHA-256 (see section and of the Forum’s Baseline Requirements).
  • meet the following key size requirements:

    • For RSA key pairs, the modulus size must be at least 2048 bits when encoded and its size in bits must be evenly divisible by 8.
    • For ECDSA key pairs, the key must represent a valid point on the NIST P‐256, NIST P‐384 or NIST P‐521 named elliptic curve.

Changing certificate profiles

For the last two years or so, the Validation Subcommittee has been working on certificate profiles that are clearer and more explicit about exactly what may and may not appear in publicly trusted TLS certificates. While we are strongly in favor of clear requirements, the tightened profiles may cause problems for some customers. There are quite a few changes, and many of them are likely to pass in 2022 and be required in 2023. Although the new requirements will not be adopted anytime soon, we’re already working with other participants to make sure the transition is handled in a smooth and professional manner, and that there aren’t any hidden surprises in the requirements.

eIDAS 2.0 preview

Enrico Entschew gave a summary of the work around the eIDAS update that’s going on in Europe. (For more background on eIDAS, read our blog on the legal requirements for digital signatures). With the current proposal, browsers would be required to honor the EU trust lists and provide visual indicators for European certificates, known as QWACs. Additionally, eIDAS 2.0 will include strong emphasis on digital identities; there’s a lot of work on digital wallets and other next-generation digital identities.

S/MIME Baseline Requirements

The S/MIME working group is working on a new set of Baseline Requirements for S/MIME. While the requirements won’t be finalized until 2022, and probably won’t be effective until 2023 or later, the group has finished talking through the draft S/MIME profiles, and a consensus rough draft is emerging. The strategy we proposed and the group has adopted has a few attractive elements: first, it includes a “legacy” profile that basically just codifies existing practice in the industry, allowing existing CAs to rapidly adopt and promote the new S/MIME Baseline Requirements. However, it also includes an upgraded path to more valuable certificate types, including those that include validated identity information. Lastly, the most onerous provisions are relegated to a “strict” profile, where they can be adopted by those who find them useful and ignored by those who don’t.

Improved requirements for signing services

Lastly, the Code Signing Working Group is working on improved requirements for signing services, which can potentially offer greatly improved security and usability over personally held digital tokens. The current requirements are unclear, which leads to confusion in this area. Therefore, the primary focus will be to produce better requirements for signing services. This working group effort is still in the early stages, but we are hopeful that signing services will rapidly improve both the security and usability of signing digital assets.

Additionally, just like when the code signing baseline requirements changed to require larger keys earlier this year, we agree that this change will be a positive step for security, yet we understand that it can put a burden on customers to make the switch. That’s why we support our customers with DigiCert® Secure Software Manager, which can support full automation of code signing and help to ensure compliance.

Return to Face to Face

After a year and a half of virtual meetings, it looks like in-person meetings will resume in early 2022. DigiCert will be hosting the next CA/B Forum Face to Face in Salt Lake City in the first quarter of 2022. We look forward to returning to in-person events, which enable better relationship building and engagement. Stay tuned for our next update in Spring 2022, and in the meantime, we’ll provide any relevant news as it comes.

Additionally, for a summary of what else the CA/B Forum has discussed this year, read our recap blogs from June and March.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS