The CA/B Forum recently held their face-to-face meeting in Ottawa, Canada. The meeting covered several updates that customers should be aware of, including Chrome’s vision for 90-day certificate validity periods, the implementation of the first S/MIME Baseline Requirements (BRs) starting this September and proposed malware-based revocation and signing service requirements for code signing.
Chrome presented its vision for its root program policy: 90-day certificates, automation everywhere and stricter requirements around the reuse of validation data. Moving from one-year certificates to 90 days will be a huge change for the industry, and we recognize the challenges this will pose to customers in managing certificate lifecycles. That’s why it’s more important than ever for enterprises to use a full-stack solution that can handle certificate lifecycle management at scale, along with PKI services. DigiCert® Trust Lifecycle Manager does just that. For more information, see https://www.digicert.com/blog/chromes-proposed-90-day-certificate-validity-period. We’ll discuss some of Chrome’s other policy proposals in more depth in a separate post.
The new S/MIME Baseline Requirements become effective for all new publicly trusted S/MIME certificates issued after Sept. 1, 2023. For the first time, the BRs will specify certificate profiles and validation requirements for all CAs issuing digital certificates used in email encryption. The S/MIME working group provided an update on the new audit criteria for both the ETSI and WebTrust regimes, and discussed a proposed expansion of Certificate Authority Authorization (CAA) to S/MIME. CAA allows domain owners to use DNS to specify which CAs are authorized to issue digital certificates to their domains and users.
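As an added illustration that is not part of the DigiCert post, the Python below models how a CA evaluates CAA records for TLS issuance under RFC 8659 (walk up the DNS tree to the first non-empty CAA set, then apply the `issue`/`issuewild` properties). The zone data is constructed for the example, no DNS lookups are made, and the proposed S/MIME extension of CAA discussed above is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property "issuer critical"
    tag: str     # property tag: "issue", "issuewild" or "iodef"
    value: str   # property value, e.g. "digicert.com"; ";" alone = no CA permitted


# Constructed zone data for the example: example.com restricts issuance to one CA
# and forbids wildcard issuance; locked.example.com forbids all issuance.
ZONE = {
    "example.com.": [CAARecord(0, "issue", "digicert.com"),
                     CAARecord(0, "issuewild", ";")],
    "locked.example.com.": [CAARecord(0, "issue", ";")],
}


def relevant_caa_set(name, zone=ZONE):
    """Climb toward the root; the first non-empty CAA RRset found is authoritative."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_may_issue(ca_domain, name, wildcard=False, zone=ZONE):
    """Return True if the CA identified by ca_domain may issue a certificate for name.

    No CAA records anywhere in the chain means issuance is unrestricted."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True
    # A critical property the CA does not understand must block issuance.
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    records = [r for r in rrset if r.tag == tag]
    if not records:
        return True  # no applicable property: any CA may issue
    # Value syntax is issuer-domain [";" parameters]; an empty issuer means no CA.
    for r in records:
        issuer = r.value.split(";")[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False
```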
The Code Signing Working Group is currently progressing ballots for malware-based revocation and signing service requirements. The malware-based revocation ballot has been expanded to rework the revocation reason section so that it aligns with the TLS/SSL and S/MIME BRs. The signing service requirements ballot renames the service to Subscriber Key Protection Service, defined as “an organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.” The group also discussed the validity periods for code signing certificates and is considering a reduction from the current 39-month validity period, mirroring the discussion to further reduce TLS certificate periods.
Furthermore, as a reminder, code signing requirements will be changing starting June 1, to require EV-level key protection everywhere. These changes will enhance security in a significant way, but we are mindful of the potential burden that additional requirements might impose on customers. Thus, we recommend customers use DigiCert® Software Trust Manager to manage code signing by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management. For more information, read our blog on the matter: https://www.digicert.com/blog/improved-requirements-for-code-signing-key-protection.
The European Telecommunications Standards Institute (ETSI) is working to automatically incorporate the latest version of the TLS BRs into their standards to facilitate simultaneous compliance with both the BRs and ETSI requirements. A working group is preparing proposals to improve the operation of Qualified TLS certificates in browsers. Following a new Mozilla requirement that ETSI audit firms join ACAB’c (an organization of European conformity assessment bodies), the group reported an uptick in activity, including adoption of new attestation letter templates and participation in different standards groups.
DigiCert is leading efforts to develop a common language between the S/MIME, Code Signing and other BRs. Other companies, such as Apple, agree and have proposed starting by aligning the definitions across all three standards.
Apple is currently working on a Verified Mark Certificate (VMC) root program to support its display of VMCs, which allow a trademarked logo or government mark to be shown next to the “from” name in the inbox. Apple started displaying VMCs in iOS 16 and macOS Ventura last fall.
Mozilla discussed what will be in its next policy update, version 2.9, which we expect to bring more transparency and disclosure requirements.
Microsoft will host the next CA/B Forum meeting in Redmond, Wash., on Jun. 6–8. For the latest CA/B Forum updates, visit the DigiCert blog at www.digicert.com/blog/category/ca-browser-forum.