The CA/Browser Forum has started a ballot that will require Certificate Authorities (CAs) to adopt CA Authorization (CAA) processing for email addresses included in S/MIME certificates.
CAA was originally defined in RFC 8659 as a way for domain holders to use DNS to specify which CAs are approved to issue TLS certificates for that domain. The CAA record gives the holder additional control over the use of their domain and reduces the risk of unintended certificate mis-issuance.
The new CA/B Forum requirement will amend the S/MIME Baseline Requirements to extend CAA to publicly trusted S/MIME certificates, following the new RFC 9495 written by DigiCert Technology Strategist Corey Bonnell.
RFC 9495 describes how CAA processing may be applied to an email address and defines a new CAA Property Tag “issuemail” for use in the context of S/MIME. By adding one or more “issuemail” Property Tags, domain holders may specify the CAs that are approved to issue S/MIME certificates for the email domain.
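To make the processing concrete, here is an added illustration (not DigiCert's or any CA's code) of how a CA-side check might consult CAA records for an email address under RFC 9495. It assumes an in-memory, constructed set of CAA records in place of real DNS lookups, climbs to the parent domain when the mailbox domain has no CAA RRset (the RFC 8659 "relevant RRset" rule), ignores "issue"/"issuewild" tags because they only govern TLS, and treats an "issuemail" value with an empty issuer domain as "no CA may issue". The domain names and record values are made up for the example.

```python
"""Illustrative RFC 9495 'issuemail' CAA check (added example, not production code).

ZONE below is a constructed stand-in for DNS; a real implementation would query
CAA records with a resolver (validating DNSSEC where available) instead.
"""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}
CRITICAL_FLAG = 0x80  # RFC 8659 "issuer critical" bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed example zone data, keyed by domain name (no trailing dot).
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "tls-ca.example"),              # TLS only, ignored here
        CAARecord(0, "issuemail", "mail-ca.example"),
        CAARecord(0, "issuemail", "other-ca.example; account=42"),
    ],
    "locked.example.net": [
        CAARecord(0, "issuemail", ";"),                        # empty issuer: nobody may issue
    ],
    "example.org": [
        CAARecord(0, "issue", "tls-ca.example"),              # no issuemail: unrestricted
    ],
    "strict.example": [
        CAARecord(CRITICAL_FLAG, "futuretag", "whatever"),    # unknown critical tag
    ],
}


def lookup_caa(domain):
    """Stand-in for a DNS CAA query against the constructed zone."""
    return list(ZONE.get(domain, []))


def relevant_rrset(domain):
    """RFC 8659 section 3: use the CAA RRset of the domain itself or, failing
    that, of the nearest ancestor that has one. Returns (source_domain, records)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup_caa(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def parse_issuer(value):
    """Split an issuemail value into (issuer_domain, params).
    An empty issuer domain (value ';' or '') authorizes no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return issuer, params


def smime_issuance_allowed(email, ca_domain):
    """Return (allowed, reason) for the CA identified by ca_domain wanting to
    issue an S/MIME certificate that contains `email`."""
    if "@" not in email:
        return False, "not an email address"
    mail_domain = email.rsplit("@", 1)[1].lower()
    source, rrset = relevant_rrset(mail_domain)

    # RFC 8659: an unrecognised tag with the critical flag set forbids issuance.
    for rec in rrset:
        if rec.flags & CRITICAL_FLAG and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical CAA tag '{rec.tag}' at {source}"

    issuemail = [r for r in rrset if r.tag.lower() == "issuemail"]
    if not issuemail:
        # No issuemail property in the relevant RRset: S/MIME issuance is not
        # restricted. 'issue'/'issuewild' govern TLS only and are ignored.
        return True, "no issuemail property in relevant RRset"

    for rec in issuemail:
        issuer, _params = parse_issuer(rec.value)
        if issuer and issuer == ca_domain.lower():
            return True, f"authorized by issuemail at {source}"
    return False, f"issuemail at {source} does not list {ca_domain}"


if __name__ == "__main__":
    for addr, ca in [("alice@example.com", "mail-ca.example"),
                     ("alice@example.com", "tls-ca.example"),
                     ("bob@sub.example.com", "mail-ca.example"),
                     ("carol@locked.example.net", "mail-ca.example")]:
        print(addr, ca, smime_issuance_allowed(addr, ca))
```

Note that `bob@sub.example.com` is governed by the records at `example.com` because the subdomain publishes none, and that the TLS-only `issue` tag never authorizes S/MIME issuance; both are the points a domain holder publishing `issuemail` records most often gets wrong.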
The CA/Browser Forum’s S/MIME Certificate Working Group is in the final stages of discussion for Ballot SMC05 to introduce CAA for email. Under the proposed ballot, CAs would be recommended to implement CAA for S/MIME by September 2024, with implementation required by March 2025.
Publishing CAA records remains optional for the domain owner, but checking CAA will be mandatory for public CAs before they issue S/MIME certificates.
© 2024 DigiCert, Inc. All rights reserved.