The SSL Providers

Evolution of Secure Email Communication: S/MIME and CA/B Forum Updates

Did you know that the first email was sent in 1971, marking over fifty years of electronic communication? As technology progressed, so did the methods of sending email, and with them came the need to safeguard email content. Enter S/MIME (Secure/Multipurpose Internet Mail Extensions), a vital protocol ensuring the confidentiality, integrity, and authenticity of sensitive communications.

The Role of S/MIME in Email Security

S/MIME has become a cornerstone of email security, offering a robust defense against unauthorized access and tampering. Its adoption is now reaching new heights with its recent incorporation into the work of the Certificate Authority/Browser (CA/B) Forum. This forum, dedicated to setting industry standards and guidelines for internet security, is bringing significant changes to S/MIME, scheduled to take effect on September 1, 2023.

Understanding the Baseline Requirements (BR)

The Baseline Requirements (BR) serve as a framework that establishes the foundational standards and specifications for Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates. They introduce four distinct validation types, each containing specific information:

  1. Mailbox-validated: Includes the email address and/or a serial number.
  2. Organization-validated: Designed for organizational use, featuring the organization’s name and email address.
  3. Sponsor-validated: Comprises the individual’s full name, organizational email, and affiliation details.
  4. Individual-validated: Involves the person’s full name and personal email address.

GlobalSign, a key player in the cybersecurity landscape, has already integrated these validation processes into their product range, specifically the PersonalSign offering.

Introducing S/MIME Generations

The BR also defines three certificate profiles, known as the S/MIME Generations:

  1. Legacy: Similar to the current model but may become obsolete due to evolving configurations.
  2. Strict: Offers clearer and defined configurations, geared towards long-term usage.
  3. Multipurpose: Builds upon the Strict profile, providing additional options for flexibility.
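The four validation types and three generations listed above are signalled in a certificate by a policy OID under the CA/B Forum arc 2.23.140.1.5, in the form `<arc>.<type>.<generation>`. The following Python sketch is an added example, not code from this page or from any CA: it classifies a certificate from fields already extracted from it and flags subjects that do not match the claimed validation type. The attribute short names and the required/forbidden sets are simplified assumptions, and the sample input is constructed.

```python
SMIME_BR_ARC = "2.23.140.1.5"  # CA/B Forum S/MIME BR certificate-policy arc
TYPES = {"1": "mailbox", "2": "organization", "3": "sponsor", "4": "individual"}
GENERATIONS = {"1": "legacy", "2": "multipurpose", "3": "strict"}

# Simplified subject expectations per validation type (assumption: short
# X.509 attribute names; pseudonym and other optional fields are ignored).
REQUIRED = {"mailbox": set(), "organization": {"O"},
            "sponsor": {"O", "GN", "SN"}, "individual": {"GN", "SN"}}
FORBIDDEN = {"mailbox": {"O", "GN", "SN"}, "organization": {"GN", "SN"},
             "sponsor": set(), "individual": {"O"}}


def classify(policy_oids):
    """Return every (validation_type, generation) asserted by S/MIME BR OIDs."""
    found = []
    for oid in policy_oids:
        parts = oid.strip().split(".")
        if len(parts) == 7 and ".".join(parts[:5]) == SMIME_BR_ARC:
            pair = (TYPES.get(parts[5]), GENERATIONS.get(parts[6]))
            if None not in pair and pair not in found:
                found.append(pair)
    return found


def lint(policy_oids, subject_attrs, mailboxes):
    """Return (profile, findings) for one certificate's extracted fields."""
    found = classify(policy_oids)
    if not found:
        return None, ["no S/MIME BR policy OID present"]
    findings = []
    if len(found) > 1:
        findings.append("conflicting S/MIME BR policy OIDs: %s" % found)
    vtype, generation = found[0]
    attrs = set(subject_attrs)
    for name in sorted(REQUIRED[vtype] - attrs):
        findings.append("%s-validated subject is missing %s" % (vtype, name))
    for name in sorted(FORBIDDEN[vtype] & attrs):
        findings.append("%s-validated subject must not carry %s" % (vtype, name))
    if not mailboxes:
        findings.append("no mailbox address in the certificate")
    if generation == "legacy":
        findings.append("legacy generation may become obsolete")
    return (vtype, generation), findings


# Constructed sample: a sponsor-validated, strict-profile certificate.
SAMPLE = (["2.23.140.1.5.3.3"], {"O", "GN", "SN", "CN"}, ["alice@example.com"])
if __name__ == "__main__":
    print(lint(*SAMPLE))
```
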

To align with the Baseline Requirements, GlobalSign is set to implement a new intermediate certificate for standard customers, effective from August 28th, 2023.

For more detailed information, users can refer to the relevant support articles for GCC and Atlas.

Additional Changes and Recommendations

In addition to the above, the BR introduces alterations to EPKI profiles, specifically regarding organizational information. New customers submitting an S/MIME profile are now required to include an Organization Identifier (OID) or Legal Entity Identifier (LEI), using the organization’s registration or tax number.

Noteworthy S/MIME Baseline Requirements

Several other S/MIME Baseline Requirements are noteworthy, including validation methods for proving user identities and control over email addresses. These methods encompass validating control of the mailbox via email message, validating authority of the mailbox via domain, and validating the applicant as the operator of the mail server(s).

Furthermore, the BR defines the duration of validation. Organization and individual identity validations should not extend beyond 825 days, and validation of mail servers and domain control must be obtained at least 398 days before issuing the certificate.

As we step into this new era of enhanced email security, staying informed and proactive is key. The changes introduced by the CA/B Forum signal a commitment to a more secure and reliable digital communication landscape.
