Three times per year, TV joins the voluntary group of certificate authorities (CAs), industry standards and audit bodies, and certificate consumer vendors that make up the Certification Authority/Browser (CA/B) Forum to discuss the industry guidelines governing digital certificate issuance and management and the system and network security of CAs.
In early October, we traveled to New Hampshire to attend the final CA/B Forum meeting of 2023. Here's a recap of the updates and insights most relevant to our customers and partners.
Google’s priorities haven’t changed—the company’s focus on Moving Forward, Together remains. But they’ve restructured the list, placing these three priorities at the top:
Automation: Certificates need to be rapidly replaceable when necessary. Google expects CAs to provide automated certificate issuance services, with support for ACME strongly recommended.
Root lifetime limits: Google acknowledged the challenges posed by shorter-term roots.
Minimum expectations for linting: Linting requirements are coming, and root programs expect certificates to be issued without compliance errors.
At the bottom of the priority list? The shorter certificate lifetimes Chrome proposed at the CA/B Forum in March.
Driven by the belief that much of the content of the Baseline Requirements (BRs) across code signing, TLS and S/MIME could be shared to encourage consistency in compliance requirements, TV has long pushed for a “BR of BRs.” With the CA/B Forum’s move to create a document that consolidates the common content used in the Server, Code Signing and S/MIME standards, the industry has made great progress toward our BR of BRs goal.
The BRs will now include uniform entries for things like definitions, validation and key protection, allowing automated tools to create the same documents from a shared source. Moving forward, the individual working groups will only handle items like profiles and other portions that require standard-specific customization.
The first ever audited standards for public S/MIME went into effect September 1, and the transition has gone smoothly for most CAs, many of which have made use of TV’s OSS pkilint tool to verify their compliance with the S/MIME BR. The same is true for the relatively smooth transition to the new private key storage requirements for code signing certificates, which require that private keys and certificates be stored in hardware tokens or signing services.
Looking ahead, the S/MIME Working Group anticipates the deprecation of legacy S/MIME certificates within three to five years. At that point, the legacy profile will be dropped from new BR versions, and certificates will have to fall under the multipurpose or strict generation profiles. The Certification Authority Authorization (CAA) for S/MIME specification was recently finalized and published as RFC 9495, which means it won’t be long until the Working Group takes it to ballot.
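To make the CAA-for-S/MIME point concrete, here is an added example (written for this post; it is not code from the page, from pkilint or from any CA's production systems) of the check a CA would run before issuing a certificate for a mailbox. It follows RFC 9495, where the issuemail tag governs email address certificates and the existing issue/issuewild tags do not, together with the RFC 8659 rules for climbing the domain tree and for critical unknown tags. DNS is replaced by a constructed in-memory zone; the domain names and records in it are made up for the example.

```python
"""Added example: deciding S/MIME issuance from CAA 'issuemail' records (RFC 9495).

Illustrative code written for this post, not the page's own code and not any
CA's production logic. DNS lookup is simulated with a constructed zone table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # RFC 8659: bit 0x80 is the "issuer critical" flag
    tag: str
    value: str


# Constructed sample zone data (domain -> CAA RRset); all names are made up.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "web-ca.example"),      # TLS only; does not govern S/MIME
        CAARecord(0, "issuemail", "mail-ca.example"),
        CAARecord(0, "iodef", "mailto:caa@example.com"),
    ],
    "locked.example": [
        CAARecord(0, "issuemail", ";"),               # ";" means no CA may issue
    ],
    "strict.example": [
        CAARecord(128, "futuretag", "whatever"),      # critical tag this CA does not understand
    ],
    "tls-only.example": [
        CAARecord(0, "issue", "web-ca.example"),      # no issuemail -> S/MIME unrestricted
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def relevant_rrset(domain: str) -> tuple[str, list[CAARecord]]:
    """RFC 8659 Section 3: walk from the domain toward the root and return the
    first non-empty CAA RRset, plus the name at which it was found."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrs = ZONE.get(name, [])
        if rrs:
            return name, rrs
    return "", []


def issuer_domain(value: str) -> str:
    """Strip optional ';param=value' parameters from an issuemail value."""
    return value.split(";", 1)[0].strip().lower()


def smime_issuance_allowed(mailbox: str, ca_domain: str) -> tuple[bool, str]:
    """Return (allowed, reason) for ca_domain issuing an S/MIME cert for mailbox."""
    if "@" not in mailbox:
        return False, "not a mailbox address"
    domain = mailbox.rsplit("@", 1)[1]
    found_at, rrs = relevant_rrset(domain)
    if not rrs:
        return True, "no CAA records in the chain; issuance unrestricted"
    # A critical flag on a tag the CA does not understand forbids issuance (RFC 8659).
    for rr in rrs:
        if rr.flags & 0x80 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{rr.tag}' at {found_at}"
    issuemail = [rr for rr in rrs if rr.tag.lower() == "issuemail"]
    if not issuemail:
        return True, f"no issuemail at {found_at}; issue/issuewild do not govern S/MIME"
    for rr in issuemail:
        if issuer_domain(rr.value) == ca_domain.lower():
            return True, f"issuemail at {found_at} authorizes {ca_domain}"
    return False, f"issuemail at {found_at} does not list {ca_domain}"


if __name__ == "__main__":
    for mbox in ("alice@example.com", "bob@sub.example.com", "x@locked.example",
                 "x@strict.example", "x@tls-only.example", "x@nocaa.example"):
        print(mbox, smime_issuance_allowed(mbox, "mail-ca.example"))
```

The interesting cases are the ones that differ from TLS: a zone with only an issue record places no restriction on S/MIME issuance, a mailbox under a subdomain inherits the parent's issuemail record through the climb, and a critical flag on an unrecognized tag blocks issuance regardless of the issuer named.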
The guest speaker at the CA/B Forum meeting was a representative from the Dutch government, who discussed the role of the Electronic Identification, Authentication and Trust Services (eIDAS) regulation in fortifying trust and its impact on digital identity within the European Union. More big changes are yet to come with eIDAS 2 and the Network and Information Security (NIS2) Directive.
Recently, root programs have been reasonable and flexible when working with CAs to establish timelines for new standards. This flexibility has been crucial to ensuring standardization works for customers—not against them. TV will continue pushing for reasonable timelines as standards work their way into additional areas.
But the message from Google and other root programs is clear: Manual certificate management and replacement are no longer acceptable. The switch to automated certificate issuance will help CAs assist customers with validation and eliminate unwanted accidental expirations. Future changes to root program requirements will reflect the programs’ discouragement of manual certificate issuance processes.
Want to learn more about S/MIME, code signing or post-quantum cryptography? Subscribe to the TV blog to ensure you never miss a story.