Document Signing 01-12-2023

New RFC 9336 for Document Signing  

Stephen Davidson
New RFC 9336 for Document Signing  

The Internet Engineering Task Force (IETF) has released the new RFC 9336 standard, which defines a general-purpose Extended Key Usage (EKU) dedicated to electronic signatures and document signing. An EKU is a means for a Certificate Authority (CA) to declare the intended use of a digital certificate.

The new EKU is part of a movement in public trust PKI to separate CAs by the types of digital certificates they create. The trend began in the work of the CA/Browser (CA/B) Forum, whose standards for TLS/SSL and code signing certificates dictate the separation of those use cases by CA. More recently, browser root programs have begun requesting that CAs replace their existing Root CA certificates with new versions that are separated by use case.

This housekeeping is widely supported from a compliance and standards perspective. However, it quickly became apparent that the list of EKU originally defined by the IETF required expanding.  RFC 5280 defines a range of general-purpose EKU, such as id-kp-serverAuth or id-kp-clientAuth for TLS and id-kp-codeSigning for code signing, but has nothing for document signing.

As a result, the majority of signing certificates today use the id-kp-emailProtection EKU, which is intended for S/MIME certificates. Alternatively, some CAs use proprietary EKU provided by individual signing platforms.

Ongoing standards efforts which regulate CA behavior in issuing certificates used for secure email and e-signatures make it beneficial to separate these certificate types by EKU. Examples include the CA/B Forum’s S/MIME Baseline Requirements, and the EU’s ongoing development of the eIDAS regulation and Qualified certificates.

Now each of those certificate types will have a clear EKU home of their own, allowing standards development to continue with lower risk of unintended adverse effects for multipurpose certificates that previously overlapped the use cases.

The new RFC 9336 was authored by Tadahiko ITO of SECOM, Tomofumi Okubo of DigiCert and Sean Turner of sn3rd.  The id-kp-documentSigning EKU has been allocated Object Identifier (OID) of by the Internet Assigned Numbers Authority (IANA), making the EKU available to be used in certificates.

Going forward document signing standards, root programs and e-signature products will then be able to use the EKU to determine whether a particular certificate is intended for use for document signing or not.

DigiCert believes the adoption of a documentSigning EKU is in line with industry trends for separation of certificate uses and will benefit the continuing development of industry standards for document signing and S/MIME.

About DigiCert® Document Trust Manager

DigiCert® Document Trust Manager in DigiCert ONE™ helps to digitally transform organizations by enabling secure, legally-binding digital document signing anywhere, any time and on any device. Organizations using Document Trust Manager can create and automate digital signing for natural and legal persons that are encrypted to prevent tampering and authenticated to verify identity. Additionally, signatures are compliant with stringent global standards, including eIDAS regulation No 910.2014. Digital document signing eliminates the need for handwritten signatures, decreases costs, saves time and leaves a smaller environmental footprint. DigiCert Document Trust Manager makes it easy to manage any volume of documents, in a variety of file formats, without additional hardware or software investment.

Learn more about Document Trust Manager at or email


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min