The last twelve months have been quite eventful in the CA/Browser Forum and the BIMI Group. New initiatives include the new code signing requirements, the deprecation of the organization unit (OU) field, the removal of revocation checks, and the use of VMCs together with DMARC quarantine policies by Gmail, Apple and Fastmail. In addition to these industry changes, the revision of the eIDAS regulation proposed by the EU Commission in 2021 (03/06/2021) is currently being evaluated and amended by the Parliament and Council. The discussions to finalize the changes are expected to start in January and may bring changes to the user interfaces of browsers, as proposed by the European Commission. Below you can find a summary of the most important updates in the digital certificates market.
eIDAS revision and the potential return of identity data in the browser’s user interface:
At the end of 2019, the EV certificate identity data within browsers was moved from the URL or address bar to the Page Info. Despite a dialogue that began in 2012 between the EU and the browser developers to recognize Qualified Web Authentication Certificates (QWACs) under the supervision of the eIDAS Regulation, and to display the identity data they assure (including the EU trust mark) in a user-friendly manner, web browsers have been reluctant to include them in their root stores. One of many reasons why the European Commission proposed the eIDAS legislation revision was that the lack of recognition of QWACs by web browsers conflicts with the protection of the fundamental rights of European consumers*. A high level of trust in who is behind a website is particularly important for online services provided by the public and private sectors, e.g., e-commerce, e-banking, and e-health.
According to the latest drafts, web browsers will need to recognize QWACs and specifically display the identity information contained in QWACs in a user-friendly manner.
*as enshrined in articles 12, 101, 102, 114 and 169 of the Treaty on the Functioning of the European Union and in EU consumer protection legislation, in particular Directive 2005/29/EC)
Source: European Commission Impact Assessment documents Part 1 page 15, 21,22 & Part 3 page 42 https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
In June 2021, the CA/Browser Forum passed ballot SC47 to remove the organization unit (OU) field from all publicly trusted TLS/SSL certificates. The problem with the OU field relates to the principle that the certification authority (CA) must verify and assert the identity of the certificate subject. The OU field is not a well-defined term; it is generally understood as a smaller part of the organization, but the CA has no method to consistently verify that smaller part and correctly assert its identity. The change went into effect on September 1, 2022.
New code signing requirements:
The CA/Browser Forum has approved Ballot CSC-13, which aims to increase the protection of code signing certificate private keys. The effective date for this measure has however been delayed until June 1, 2023 (via Ballot CSC-17).
The key pair must be generated and stored in a hardware security module (HSM) that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL4+. This means the key pair will be generated in a device from which the private key cannot be exported. The goal is to reduce code signing certificate private key compromise, which in turn reduces the risk of users installing malware signed with a stolen key. Entrust provides code signing certificates and HSMs to support enterprise code signing and private key protection.
BIMI Group updates:
Brand Indicators for Message Identification (BIMI) is a standard that aims to drive adoption of strong sender authentication across the entire email ecosystem. When configured properly, a brand's registered logo will appear in the message avatar slot. This is great news for the email ecosystem, as it was only last year, on July 12th, that Gmail announced production support for BIMI. Gmail, Apple and Fastmail require a Verified Mark Certificate (VMC) along with a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy of quarantine at 100% or reject. Entrust has already signed up several partners, and some, such as Red Sift, have fully integrated with our API for VMCs.
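The DMARC precondition above (quarantine at 100%, or reject) is easy to get subtly wrong: a record with p=quarantine but pct=10, or p=reject with sp=none for subdomains, is in enforcement on paper but does not meet the bar. The following added example (not Entrust's or the BIMI Group's code) parses a DMARC TXT record and reports whether the domain, and separately its subdomains, meet that rule. The record strings are constructed samples; in practice you would fetch the _dmarc.<domain> TXT record, and the pct handling follows the rule as stated here, where only quarantine is subject to the 100% requirement.

```python
"""Check whether a DMARC record meets the BIMI enforcement rule
(p=quarantine with pct=100, or p=reject). Added example; records are
constructed samples rather than live DNS lookups."""

from dataclasses import dataclass


@dataclass
class DmarcPolicy:
    p: str    # domain policy: none | quarantine | reject
    sp: str   # subdomain policy; RFC 7489 defaults it to p
    pct: int  # share of mail the policy is applied to; defaults to 100


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse the policy-relevant tags of a DMARC TXT record.

    Raises ValueError when the record is not usable DMARC: the v=DMARC1
    tag is not first, p= is missing, or pct= is not an integer 0..100.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    # RFC 7489 requires v=DMARC1 to be the first tag
    first = record.strip().split(";", 1)[0].lower().replace(" ", "")
    if first != "v=dmarc1":
        raise ValueError("record does not start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")

    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # absent sp= inherits p
    pct_raw = tags.get("pct", "100")        # absent pct= means 100
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        raise ValueError(f"invalid pct value: {pct_raw!r}")
    return DmarcPolicy(p=p, sp=sp, pct=int(pct_raw))


def bimi_eligible(policy: DmarcPolicy, subdomain: bool = False) -> bool:
    """True when the effective policy is reject, or quarantine at pct=100."""
    effective = policy.sp if subdomain else policy.p
    if effective == "reject":
        return True
    return effective == "quarantine" and policy.pct == 100


# Constructed sample records covering the common misconfigurations
SAMPLE_RECORDS = {
    "good-reject": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "good-quarantine": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "weak-pct": "v=DMARC1; p=quarantine; pct=10",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "subdomain-relaxed": "v=DMARC1; p=reject; sp=none",
}


def check_all(records=SAMPLE_RECORDS) -> dict:
    """Map each record name to (domain eligible, subdomains eligible),
    or to ("error", reason) when the record does not parse."""
    results = {}
    for name, rec in records.items():
        try:
            pol = parse_dmarc(rec)
            results[name] = (bimi_eligible(pol), bimi_eligible(pol, subdomain=True))
        except ValueError as exc:
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name:20s} {outcome}")
```

The subdomain column matters because inbox providers evaluate the policy that applies to the sending domain; a relaxed sp= on an organizational domain can leave mail from a subdomain outside enforcement even though the apex record says p=reject.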
Apple recently updated their root certificate program to include new requirements for S/MIME certificates effective April 1, 2022.
Certificates with a validity period of greater than 27 months are not trusted by Gmail, which is consistent with Apple's new validity period requirement.
In response to the differing browser requirements, the CA/Browser Forum Certificate Working Group has introduced a set of draft S/MIME baseline requirements that we will talk about in our next webinar.
Digital certificates industry update webinar
For an in-depth overview of industry trends and challenges, please join our Director of Technology Compliance, Paul van Brouwershaven, in an upcoming webinar. Learn what these transformations mean for your organization and the latest best practices based on automation and the certificate lifecycle management tools provided by Entrust to help facilitate compliance with the industry changes.