Apple Reduces S/MIME Certificate Validity Period to 825-Days

Nov 24, 2021

Written by: Bruce Morton


At the October 2021 CA/Browser virtual face-to-face conference, Apple advised of updates to their root certificate program. The updates included new requirements for S/MIME certificates effective April 1, 2022.

All S/MIME certificates:

  • Require the emailProtection extended key usage (EKU)
  • Must contain at least one subjectAlternativeName rfc822Name value containing an email address
  • Need to use a signature hash algorithm of strength equal to or greater than SHA-256
  • Employ a key size of at least 2048-bit RSA or represent a valid point on the NIST P-256, NIST P-384, or NIST P-521 named elliptic curves
  • Are subject to a maximum validity period of 825 days, as of the effective date

The requirements meet the norms that are currently used in the S/MIME ecosystem, with the exception of the 825-day validity period requirement. Note that the 825-day validity period is consistent with the Gmail S/MIME certificate profiles, which require a maximum term of 27 months.

The difference between the Apple and the Gmail requirement is that the Apple requirement is a root program requirement. If the issuing certification authority (CA) does not meet the new requirement, it would be non-compliant and its root may be distrusted. This would impact all other types of publicly trusted certificates in the Apple browser, including TLS/SSL. To avoid this scenario, CAs will plan to be in compliance. The Gmail requirement, by contrast, is not part of Google’s root program: S/MIME certificates with a validity period greater than 27 months would simply not be trusted by Gmail. This leaves it to the S/MIME certificate subscriber to decide whether they want to support Gmail.

Perhaps the issue with the S/MIME certificate ecosystem is that currently there is no standard. S/MIME certificates are issued around the high-level requirements of the operating system and browser vendors and based on best practices. The best practices may be derived from requirements that are specified in the TLS/SSL Baseline Requirements (BRs). The good news is the CA/Browser Forum S/MIME Certificate Working Group is currently working on S/MIME BRs. The S/MIME BRs will provide the new standard for S/MIME certificates, which will also address the maximum validity period.

Effective on or before April 1, 2022, Entrust will limit S/MIME certificate durations for all newly issued certificates (including renewals and re-issues) in order to meet Apple’s new 825-day validity period requirement. Previously issued certificates will not be affected.

S/MIME certificate subscribers should stay tuned, as we expect the S/MIME BRs to also include other new requirements.

Bruce Morton
Former Director for Certificate Services at Entrust

Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He served as Director for Certificate Services at Entrust from 1997 to 2025. During his tenure, he managed standards implementations, oversaw Entrust’s policy authority, and monitored Entrust Certificate Services for industry compliance.
