For the first time since the pandemic began, the CA/Browser Forum held in-person meetings in February 2022. (For an overview of what the Forum does and how it works, see DigiCert’s Introduction to the CA/B Forum).

This face-to-face meeting was hosted in Salt Lake City by DigiCert and had parties joining both in-person and online. This hybrid approach was very successful and will continue for the next meeting in early June, to be held in Poland and hosted by Certum, in conjunction with the Trusted Economy Forum. The status of this face-to-face meeting will depend on current world events, and Forum officers are monitoring the situation to determine the best way to proceed.

As always, we’ve pulled together the top discussion items from this CA/B Forum. (Read past updates here). This Forum was a relatively quiet one but did include ongoing discussion around S/MIME Baseline Requirements and signing services, a discussion about CPA Canada’s decision to stop servicing Chinese companies and a presentation by Chrome’s new representative on their new root program. Additionally, Peter Thomassen of SSE Secure Systems, this meeting’s guest speaker, gave an interesting presentation on querying the Public Suffix List in real-time by using DNS queries.

Progress on S/MIME Baseline Requirements

The Baseline Requirements in progress will be the first broad standards in place for S/MIME, so there has been great interest and participation in these efforts. For the first time, a wide group of CAs, as well as certificate consumers and interested parties, are discussing a universal standard. The group is close to producing a complete draft of the Baseline Requirements and has produced a rough roadmap of subsequent steps to turn this into a viable standard after a ballot is passed.

During this month’s meeting, the S/MIME Working Group spent a significant amount of time discussing the requirements for vetting for individual identity. Existing requirements are either too lax or too stringent, and the group is looking for the just-right goldilocks mix. The right level to appropriate individual identity needs to be stringent enough for legal identity, but also realistically achievable. With over forty parties involved, this group has been one of the most engaged of late in the CA/B Forum and is getting closer to producing the just-right standard that can suit all interested parties’ needs. While the group has not solidified timelines, you can expect those to come together quickly now as we expect to have a more solid timeline and roadmap after the next CA/B Forum meeting.

Requirements for signing services continue

The Code Signing Working Group continues to work on improved requirements for signing services, which may offer better security and usability compared to personally held digital tokens. The group aims to clarify the current rules and produce better-defined requirements. While still in the early stages of discussion, we do anticipate that these new requirements will be beneficial for the security and usability of signing. However, we also note that it puts a burden on our customers to remain compliant when requirements change. That is why we support our customers with DigiCert® Secure Software Manager, which can support full automation of code signing to help ensure compliance.

CPA Canada to reconsider decision to stop issuing seals in China

Shortly before the Forum meeting, CPA Canada announced that it would no longer be issuing web trust seals for CAs in China. There was a discussion in this Forum’s meeting surrounding that decision, and CPA Canada has agreed to reconsider.

Chrome outlined key points for new root

Chrome’s new representative, Ryan Dickson, gave his first presentation on Chrome’s new root program. His professional presentation overviewed the key requirements for Chrome’s new root program.

The key priorities that he articulated were:

1. Encourage modern infrastructures and agility
2. Focus on simplicity
3. Promote automation
4. Reduce misissuance
5. Increase accountability and ecosystem integrity
6. Prepare for post-quantum cryptography

We agree with these priorities. In recent years at DigiCert we have made efforts to build a modern infrastructure and promote automation as well as post-quantum security. Recent research we have led shows that companies are planning to adopt automation within the next 12 months, and we have been encouraging customers to plan now for automation. We’ve also been encouraging companies to prepare for post-quantum cryptography for several years now, and have a tool kit to test the process of installing a hybrid RSA/PQC certificate. Our recent undertakings align well with the priorities that Chrome has set, and we look forward to working closely with the CA/B Forum in the future on this and other issues.