In 2020 the CA/Browser Forum created the S/MIME Certificate Working Group with the following charter. In the past two years, the working group has concentrated on developing the S/MIME Baseline Requirements (S/MIME BRs). The goal is to set a standard for the issuance and management of S/MIME certificates as there is no standard currently applicable for certification authorities to use.
An S/MIME certificate is a digital certificate meeting the requirements of RFC 5280 and it has an extended key usage (EKU) field of email protection. This EKU limits the certificate’s scope to provide verification for signed email and for encrypting or decrypting email. A signed email indicates the email is authentic and the corresponding S/MIME certificate will confirm the identity of the signatory of the email.
The S/MIME BRs provide a wide perspective of S/MIME certificate profiles, which include:
- Mailbox validated: Verification is limited to only the email domain; as such there is no identity in the subject of the certificate.
- Organization validated: The organization is the subject of the certificate, so validation extends to the organization and a unique organization identifier.
- Sponsor validated: An addition to the organization validated certificate, where an individual sponsored by the organization is the subject of the certificate. This certificate would typically be issued to an employee of the organization. Validation of the employee name can be done by the organization in the role of an enterprise RA.
- Individual validated: This certificate is issued to an individual not associated with an organization. The subject is limited to the identity of the individual.
In addition, the above certificate profiles can be issued in the following generations:
- Legacy: Provides flexibility for existing reasonable S/MIME certificate issuance practices, which includes the 3-year validity period. The goal is to deprecate the legacy generation in a future S/MIME edition.
- Multi-purpose: Aligned with the strict generation, but allows for multiple extended key usages such as email protection and document signing.
- Strict: The strict generation is the long-term target profile for S/MIME certificates, which will be limited to supporting only email protection.
It is assumed most CAs that issue S/MIME certificates will find gaps between their existing issuance processes and the S/MIME BRs. The goal will be to update their systems before the proposed adoption date. Intellectual property review will continue through January1, 2023, after which the proposed adoption date will be 8 months later, so September 1, 2023.
Entrust issues S/MIME certificates to protect your email and will support the S/MIME BRs.