
CAA for S/MIME Email Certificates

November 28, 2023


Written by: Bruce Morton


Use of Certification Authority Authorization (CAA) was mandated for TLS certificates in September 2017. The primary purpose of CAA is to allow the domain owner to authorize specific CA(s) to issue TLS certificates for their domains. It also prevents other CAs from issuing TLS certificates for those domains. CAA limits the risk and scope of certificate issuance to only approved CAs.

When the Verified Mark Certificate (VMC) Requirements were introduced in July 2021, CAA was included with the “issuevmc” record. It was important to have a new record, so TLS CA authorizations would not impact VMC issuance.

With the introduction of the S/MIME Baseline Requirements, there is now a place to provide standard requirements for S/MIME certificate issuance. One goal was to extend CAA to email addresses for the issuance of S/MIME certificates. "Certification Authority Authorization (CAA) Processing for Email Addresses" (RFC 9495) has just been published to support this requirement; it defines the “issuemail” record, which authorizes specific CAs to issue S/MIME certificates.

The standard CAA record form for email addresses would look like this:

  • mail.client.example     CAA 0 issuemail "authority.example"

The “authority.example” identifying domain value would be provided by the CA in their CPS. The Entrust CAA identifying domain is “entrust.net”.
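As an added illustration (not code from this post or from Entrust), the following Python models how a CA would evaluate issuemail records under RFC 9495 for a given mailbox and CA identifying domain. The zone data is constructed for the example, and DNS resolution is replaced by an in-memory lookup that climbs the domain tree as RFC 8659 describes.

```python
# Added example (not Entrust's code): offline model of the RFC 9495 issuemail
# check a CA performs before issuing an S/MIME certificate for a mailbox.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) of an RFC 8659 CAA RR

# Constructed sample zone data for illustration; not real DNS.
ZONE: Dict[str, List[CAARecord]] = {
    "client.example": [(0, "issue", "tls-ca.example"),
                       (0, "issuemail", "authority.example; account=123")],
    "tlsonly.example": [(0, "issue", "tls-ca.example")],
    "locked.example": [(0, "issuemail", ";")],
    "strict.example": [(128, "issuemail-ext", "x"),
                       (0, "issuemail", "authority.example")],
}

def relevant_rrset(domain: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """RFC 8659 s3: walk from the domain toward the root; return the first non-empty CAA RRset."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuer_domain(value: str) -> str:
    """An issuemail value is 'issuer-domain-name [; key=value ...]'; keep only the domain."""
    return value.split(";", 1)[0].strip().lower()

def smime_issuance_permitted(mailbox: str, ca_domain: str, zone=ZONE) -> bool:
    """True if ca_domain (the identifier the CA publishes in its CPS) may issue for mailbox."""
    if "@" not in mailbox:
        raise ValueError("not an email address")
    domain = mailbox.rsplit("@", 1)[1]  # the local part never influences CAA
    rrset = relevant_rrset(domain, zone)
    # A critical (flag 128) property the CA does not understand forbids issuance.
    known = {"issue", "issuewild", "iodef", "issuemail"}
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    mail_records = [v for _, tag, v in rrset if tag.lower() == "issuemail"]
    if not mail_records:
        return True  # no issuemail property: CAA does not restrict S/MIME issuance
    # An empty issuer-domain-name (";" alone) authorizes no CA at all.
    allowed = {issuer_domain(v) for v in mail_records if issuer_domain(v)}
    return ca_domain.lower() in allowed
```

Note that "issue" records alone do not constrain S/MIME issuance in this model; only issuemail does, which is why the post describes a separate record type.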

Domain owners are encouraged to use CAA to restrict which CAs can issue TLS, VMC, or S/MIME certificates for their domains. From a risk mitigation point of view, this stops CAs from fulfilling certificate requests that have not been approved. An unapproved CA request could come from an attacker, or from a colleague who is not familiar with your CA selection process.

Note: There has been no CA/Browser Forum ballot to date, so the S/MIME Baseline Requirements have not been updated to require CAA to be checked before issuing S/MIME email certificates. We expect a CAA checking requirement to be added to the S/MIME BRs within the next year.

Bruce Morton
Director for Certificate Services
Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust, where he has been employed since 1997. His day-to-day responsibilities include managing standards implementations, overseeing Entrust’s policy authority, and monitoring Entrust Certificate Services for industry compliance.