Certificate Lifecycle Management Reading Time: 4 minutes

Raising the Bar: The CA/B Forum’s Move to Extend CAA to S/MIME 

The CA/B Forum has initiated a ballot requiring CAs (Certificate Authorities) to adopt CAA (CA Authorization) processing for email addresses included in S/MIME certificates.

What Exactly is CAA (Certification Authority Authorization)? 

A CAA record can be considered a DNS Resource Record (a piece of information stored in the DNS Zone database that provides details about a specific object within that domain). This allows an owner of a particular domain to specify which CAs are authorized to issue certificates of a particular kind for their domain and which are not. 

The idea is that a CA checks a domain’s CAA records before issuance of a certificate. If it finds that the domain has no CAA record, then the certificate is issued for it after all authentication checks succeed. However, if it encounters CAA records, the CA can only issue a certificate if it is named in one of the records, which indicates that it is authorized to issue a certificate for that domain. 

This entire process is designed to prevent CAs from issuing certificates to unauthorized certificate requests by bad actors or unauthorized parties. 

Putting Control in the Hands of Domain Owners! 

CAA was originally defined in RFC 8659 which is a way for domain holders to utilize DNS to specify which CAs are approved to issue TLS certificates for that particular domain. The CAA provides additional control over the use of their domain by the domain holder. Additionally, it reduces the risk of misuse of unintended certificates.

This new CA/B Forum requirement will amend the S/MIME Baseline Requirements to extend the adoption of CAA to public trust S/MIME certificates, following a new RFC 9495. 

RFC 9495 is responsible for describing how CAA processing may be applied to an email address while defining a new Tag for CAA Property “issuemail” for use in the context of S/MIME. By the issuance of one or multiple “issuemail” Property Tags, domain holders may specify the CAs that are approved to issue S/MIME certificates for the email domain. 

What is the Timeline for Ballot SMC05? 

Did you know that only six Certificate Authorities issue 90% of all SSL certificates?

The CA/B’s S/MIME Certificate Working Group is in the final stages of discussing Ballot SMC05, which introduces CAA for Email. Under this proposed ballot, CAs will be recommended to implement CAA for S/MIME by the end of September 2024, which will be implemented by March 2025. 

CAA is an optional security tool for the domain owner. Still, checking CAA will be mandatory for public CAs before the issuance of S/MIME certificates. 

Conclusion 

Enter CertSecure Manager, your solution for seamless certificate lifecycle management. It stands out as a critical tool in your security arsenal. CertSecure Manager simplifies the management of your certificates, ensuring that authorized CAs can issue S/MIME certificates for your domain. It saves your time and reduces the risks of human error and unauthorized certificate issuance.

Free Downloads

Datasheet of Certificate Management Solution

Download our datasheet and discover the power of seamless certificate management with our CertSecure Manager

Download

About the Author

Aryan Kumar's profile picture

Aryan Ajay Kumar is a cybersecurity consultant at Encryption Consulting. He safeguards data for clients by leveraging his knowledge of various technical domains, such as PKI, HSM, and Code Signing. His programming skills and knowledge of data science further enhance his ability to create complex cloud solutions. Aryan's impressive track record includes successful collaborations with top organizations on high-profile projects. Aryan's life also extends far beyond the world of cybersecurity. He enjoys playing football and is an avid reader. He is always seeking new ways to grow personally and professionally and loves various creative pursuits, like crafting or watching an inspiring movie. His passion for life and work enables him to contribute unique ideas and unwavering dedication.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo