S/MIME 01-10-2023

S/MIME considers adoption of CAA 

Stephen Davidson

Certificate Authority Authorization (CAA) allows domain owners to specify which CAs may issue digital certificates.

Following the recent adoption of the S/MIME Baseline Requirements (BRs), the CA/Browser (CA/B) Forum is considering the expansion of CAA to include S/MIME certificates.

The S/MIME BRs set the first industry-wide standards governing the issuance of digital certificates used for email security and are expected to take effect across the industry later in 2023.

With the initial S/MIME BRs established, the CA/B working group is already at work on additional security ideas to improve the S/MIME ecosystem, including the adoption of CAA.

CAA was originally defined in RFC 8659 as a way for domain holders to use DNS to specify which Certificate Authorities (CAs) are approved to issue TLS certificates for that domain. The CAA record gives the holder additional control over the use of their domain and reduces the risk of unintended certificate mis-issuance.

CAs must adopt CAA checking for TLS certificates according to the CA/B Forum’s TLS BRs, and many thousands of domains already have CAA records deployed specifying one or more CAs for TLS certificates.  

The view is that the S/MIME use case is sufficiently different from TLS to merit its own separate CAA definitions. For example, an enterprise may wish to allow multiple CAs to issue TLS for its domains, but approve a different subset of CAs to issue S/MIME certificates for its email domains. Other certificate types, such as Verified Mark Certificates, have already expanded CAA for use in their procedures. 

To contribute to the discussion regarding CAA’s suitability for S/MIME, Corey Bonnell of DigiCert has submitted an Internet-draft on Certification Authority Authorization (CAA) Processing for Email Addresses.   

The CAA for S/MIME Internet-draft describes how CAA processing may be applied to an email address, and defines a new CAA Property Tag “issuemail” for use in the context of S/MIME. By adding one or more “issuemail” Property Tags, domain holders may specify the CAs that are approved to issue S/MIME certificates for the email domain. 
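The check a CA might run before issuing an S/MIME certificate, as an added example that is not taken from the Internet-draft or from DigiCert. The zone data and CA names are constructed placeholders, and the decision rules (RFC 8659 tree climbing, and no restriction when no "issuemail" property is published) are assumptions of this sketch.

```python
# Constructed CAA data standing in for DNS answers: domain -> [(tag, value)].
# Flags, CNAME handling and DNSSEC are left out of this sketch.
ZONE = {
    "example.com": [("issue", "ca-one.example"), ("issue", "ca-two.example"),
                    ("issuemail", "ca-two.example")],
    "nomail.example.org": [("issuemail", ";")],
    "example.net": [("issue", "ca-one.example")],
}


def relevant_rrset(domain, zone):
    """RFC 8659 tree climbing: return the first non-empty CAA RRset found
    while walking from the domain up towards the root."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Issuer domain name of a property value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()


def may_issue_smime(email, ca, zone=ZONE):
    """True if `ca` may issue an S/MIME certificate for `email`.
    Assumed semantics: only issuemail properties restrict S/MIME issuance."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    allowed = [issuer_domain(v) for tag, v in relevant_rrset(domain, zone)
               if tag.lower() == "issuemail"]
    if not allowed:
        return True               # no issuemail published: no S/MIME restriction
    return ca.lower() in allowed  # a bare ";" yields "", which matches no CA


if __name__ == "__main__":
    for addr, ca in [("alice@example.com", "ca-one.example"),
                     ("alice@example.com", "ca-two.example"),
                     ("bob@nomail.example.org", "ca-two.example")]:
        print(addr, ca, may_issue_smime(addr, ca))
```

In the constructed zone, `example.com` approves two CAs for TLS but only one of them for S/MIME, which is the split between "issue" and "issuemail" that the separate Property Tag makes possible.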

The CA/B Forum may consider a ballot to add CAA in a future update of the S/MIME BRs, making it mandatory for CAs to check CAA before issuing certificates. 

Additional discussion about the proposed use of CAA for S/MIME is occurring on the LAMPS working group mailing list of the IETF, and within the CA/B Forum S/MIME working group.

DigiCert also provides more information about the security benefits of CAA from its TLS operations. 


