S/MIME Certificate Working Group of the CA/Browser Forum takes on writing a baseline standard for S/MIME email certificates

By Stephen Davidson, Governance, Risk and Compliance at DigiCert and Chair of S/MIME Certificate Working Group

The S/MIME Certificate Working Group (SMCWG) is the newest specialist subgroup of the CA/Browser Forum, focused on creating the first global requirements for the Certification Authorities (CAs) that issue the digital certificates used in email to

• create digital signatures to protect the integrity of the email contents or to assert their origin or authenticity. Sometimes, the signature is used to express agreement or content commitment.
• provide encryption to protect confidentiality.

Formed in August 2020, the SMCWG already has 37 members who represent major CAs from around the world, certificate consumers (including important providers of email software and cloud services, including enterprise email gateways), compliance bodies such as WebTrust and the European Accredited Conformity Assessment Bodies Council, and industry experts.

Why do we need a global S/MIME baseline?

Part of the challenge faced by the SMCWG is that S/MIME certificates may be deployed in many ways, which differs from other certificate types, like TLS/SSL certificates. For example, keys may be generated and held by a user locally in software, on a mobile device or on a cryptographic token. Equally, they may be held in the cloud in an email service or enterprise key management system or email gateway. Sometimes S/MIME is an added capability for certificates used for authentication or signing. And due to data retention requirements, some industries seek to escrow the private keys used for encryption for circumstances when emails may require archival treatment.

At the same time, most existing standards for S/MIME certificates are specific to an industry, platform or public sector program. As a result, historically most email software applications have been permissive in their processing of certificates, allowing the S/MIME functions to work as long as they had no deal-breaker flaws in their cryptography.

The SMCWG is chartered to create the first global baseline standard for S/MIME certificates, integrating the existing technical standards, as well as best practices from current industry requirements, including those from Mozilla, Gmail, the U.S. Federal PKI and ETSI. Although targeted for publicly-trusted certificates, the resulting S/MIME baseline requirements will equally be of interest for privately trusted S/MIME deployments, such as enterprises that are seeking to establish interoperability with other groups.

What will the S/MIME baseline requirements cover?

The SMCWG has laid out a roadmap of work, with the goal of first creating baseline certificate profiles for issuing CAs and leaf certificates. In its initial version, this would focus on documenting the core requirements and best practices in current use to bring a useful standard forward as expediently as possible. Future versions will focus on raising the bar, for example, by identifying aspects of the certificate that may assist relying parties in assessing the risk of a certificate.

In addition, the S/MIME baseline requirements will define the core processes allowed for CAs to verify control over email addresses, either for an individual email box or for an enterprise controlling all mailboxes under a domain.

The S/MIME baseline requirements will also cover familiar ground found in the CA/B Forum’s Baseline Requirements for topics such as key management, certificate lifecycle and CA operational practices, including physical/logical security.

The SMCWG has decided to address the subject of identity validation for natural persons and legal entities later in its process. In part this will allow the group to gather information on the SubjectDN fields in use and their rationale, as there is no certificate transparency to provide such insight.

Improved S/MIME security for email

Other CA/B Forum baselines have had a notable impact in improving security for other certificate types, like TLS/SSL and codesigning across the entire CA ecosystem, by clearly documenting specific requirements in such a way that they can be enforced via root store programs and independent audits. With the always-growing interest in data privacy, we believe the eventual S/MIME baseline requirements will bring increased security to email communications.