Use of Certification Authority Authorization (CAA) was mandated for TLS certificates in September 2017. The primary purpose of CAA is to allow the domain owner to authorize specific CA(s) to issue TLS certificates for their domains. It also prevents other CAs from issuing TLS certificates for those domains. CAA limits the risk and scope of certificate issuance to only approved CAs.
When the Verified Mark Certificate (VMC) Requirements were introduced in July 2021, CAA was included with the “issuevmc” record. It was important to have a new record, so TLS CA authorizations would not impact VMC issuance.
With the introduction of the S/MIME Baseline Requirements, there is now a place to provide standard requirements for S/MIME certificate issuance. One goal was to extend CAA to email addresses for the issuance of S/MIME certificates. Certification Authority Authorization (CAA) Processing for Email Addresses- RFC 9495 has just been published to support this requirement and provide the “issuemail” record to permit CAs to issue S/MIME certificates.
The standard CAA record form for email addresses would look like this:
- mail.client.example CAA 0 issuemail “authority.example”
The “authority.example” identifying domain value would be provided by the CA in their CPS. The Entrust CAA identifying domain is “entrust.net”.
Domain owners are encouraged to use CAA to streamline the CAs that can issue TLS, VMC, or S/MIME certificates for domains. From a risk mitigation point of view, this stops CAs from issuing requests that have not been approved. An unapproved CA request could come from an attacker or could also come from a colleague who is not familiar with your CA selection process.
Note; There has been no CA/Browser Forum ballot to date, so the S/MIME Baseline Requirements have not been updated to require CAA to be checked before issuing S/MIME email certificates. We expect a CAA checking requirement to be added to the S/MIME BRs within the next year.
