
Raising the Bar: The CA/B Forum’s Move to Extend CAA to S/MIME 


The CA/B Forum has initiated a ballot requiring CAs (Certificate Authorities) to perform CAA (Certification Authority Authorization) processing for the email addresses included in S/MIME certificates.

What Exactly is CAA (Certification Authority Authorization)? 

A CAA record is a DNS Resource Record (a piece of information stored in the domain's DNS zone that describes a specific object within that domain). It lets the owner of a domain specify which CAs are authorized to issue certificates of a particular kind for that domain, and by implication which are not.

The idea is that a CA checks a domain's CAA records before issuing a certificate. If the domain has no CAA records, the certificate is issued once all other authentication checks succeed. If CAA records are present, however, the CA may only issue if it is named in one of them, which indicates that it is authorized to issue certificates for that domain.

This process is designed to stop CAs from issuing certificates in response to unauthorized requests from bad actors or other unauthorized parties.

Putting Control in the Hands of Domain Owners! 

CAA was originally defined in RFC 8659 as a way for domain holders to use DNS to specify which CAs are approved to issue TLS certificates for their domain. CAA gives the domain holder additional control over how the domain is used and reduces the risk of unintended certificate issuance.

This new CA/B Forum requirement will amend the S/MIME Baseline Requirements to extend CAA to publicly trusted S/MIME certificates, following the new RFC 9495.

RFC 9495 describes how CAA processing is applied to an email address and defines a new CAA Property Tag, "issuemail", for use in the S/MIME context. By publishing one or more "issuemail" properties, domain holders specify which CAs are approved to issue S/MIME certificates for that email domain.
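To make the check described above concrete, here is a small CAA evaluator added for this article (it is not code from the original post or from any CA). It follows the RFC 8659 relevant-record-set search (climb toward the DNS root until a CAA record set is found), applies the "issue" tag for TLS and the RFC 9495 "issuemail" tag for S/MIME, and honours the issuer-critical flag; the zone data, domain names and CA identifiers are constructed placeholders.

```python
# Added example (not from the original post): a minimal CAA evaluator that
# follows the RFC 8659 "relevant record set" search (climb toward the DNS
# root until a CAA record set is found), applies the "issue" tag for TLS
# and the RFC 9495 "issuemail" tag for S/MIME, and honours the issuer-
# critical flag. The zone data and CA names below are constructed.

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

# Constructed zone: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issuemail", "ca-two.example; account=42")],
    "locked.example.com": [(0, "issuemail", ";")],        # nobody may issue S/MIME
    "strict.example.com": [(128, "future-tag", "x")],     # critical flag, unknown tag
    "reportonly.example.com": [(0, "iodef", "mailto:sec@example.com")],
}

def relevant_record_set(fqdn):
    """Return the CAA set of fqdn, or of its closest ancestor that has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = ZONE.get(".".join(labels[i:]), [])
        if records:
            return records
    return []

def caa_permits(fqdn, tag, ca):
    """RFC 8659 semantics for one property tag:
    no relevant records at all         -> issuance permitted;
    unknown tag with critical flag set -> issuance forbidden;
    no record with the requested tag   -> that tag does not restrict;
    otherwise the CA must be named in a record carrying that tag
    (an empty issuer name such as ";" names nobody)."""
    records = relevant_record_set(fqdn)
    if not records:
        return True
    if any(flags & 0x80 and t.lower() not in KNOWN_TAGS for flags, t, _ in records):
        return False
    matching = [v for _, t, v in records if t.lower() == tag]
    if not matching:
        return True
    issuers = {v.split(";", 1)[0].strip().lower() for v in matching}
    return ca != "" and ca.lower() in issuers

def smime_issuance_permitted(email, ca):
    """RFC 9495: apply CAA to the domain part of the mailbox with 'issuemail'."""
    domain = email.rsplit("@", 1)[1]
    return caa_permits(domain, "issuemail", ca)
```

Note that a record set containing only "issue" entries does not constrain S/MIME issuance, and vice versa: each certificate type is governed by its own tag.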

What is the Timeline for Ballot SMC05? 


The CA/B Forum's S/MIME Certificate Working Group is in the final stages of discussing Ballot SMC05, which introduces CAA for email. Under the proposed ballot, CAs are recommended to implement CAA checking for S/MIME by the end of September 2024, with implementation required by March 2025.

CAA remains an optional security tool for the domain owner. Still, checking CAA will be mandatory for public CAs before they issue S/MIME certificates.

Conclusion 

Enter CertSecure Manager, your solution for seamless certificate lifecycle management. It stands out as a critical tool in your security arsenal. CertSecure Manager simplifies the management of your certificates, ensuring that authorized CAs can issue S/MIME certificates for your domain. It saves your time and reduces the risks of human error and unauthorized certificate issuance.


About the Author

Arpan Roy is a seasoned technical writer with five years of experience specializing in data security. With a keen focus on PKI, Certificate Lifecycle Management, and various other aspects of data protection, Arpan has contributed extensively to disseminating knowledge through detailed blogs and informative articles.
