For an overview of the CA/B Forum, see ¶ºÒõ¹Ý’s Introduction to the CA/B Forum
The CA/Browser (CA/B) Forum’s virtual Face to Face was held from June 15–17. This was the fifth virtual Face to Face since the meetings moved online due to COVID-19 (meetings probably won’t be in person again until spring 2022). As always, we’ve got the top highlights from the meeting that you should be aware of.
In a surprising development, the Chrome root program declined to give any update at all, despite the recent announcement of a new, independent root program of their own, and concerns about exactly how that program will operate.
The Validation Subcommittee of the Server Certificate Working Group continues to work on new and improved written certificate profiles. However, it seems safe to predict that tighter profiles will be adopted at some point, either through the CA/B Forum or unilaterally from a root program. Lastly, the Organization Unit field is going away. The deadline to remove the last of them from publicly trusted certificates is Sept. 1, 2022.
Starting Oct. 1, 2021, ¶ºÒõ¹Ý will no longer reuse validated domain information longer than 398 days and will require revalidation every 13 months, in line with the CA/B Forum change in domain revalidation requirements. We suggest that customers inventory when their domains will expire this August and set up a long-term strategy for domain reauthentication to manage the change. Additionally, other industry changes may require customers to use alternative DCV methods, so we recommend customers review what DCV options they are currently using and talk with an account representative about what will work for them.
¶ºÒõ¹Ý offers innovative solutions and automation to modernize certificate management processes and make the change easier.
Additionally, as of May 27, 2021, ¶ºÒõ¹Ý requires 3072-bit keys or larger on new and renewed code signing certificates. The CA/B Forum officially changed the Baseline Requirements for code signing key size on June 1, 2021. To avoid the need for purchasing hardware or tokens, ¶ºÒõ¹Ý® Secure Software Manager aligns with these new requirements without the need for hardware and it can automate code signing processes
The Code Signing Working Group and S/MIME Working Group had productive meetings.
The S/MIME Working Group finished reviewing the draft profile for mailbox-validated certificates, where the certificates only contain an email address. Getting agreement on all the details for that important first piece is a great foundation for finishing up the profiles and validation rules. There’s still a lot more work before a new set of Baseline Requirements can be adopted for email, but it’s exciting to see tasks getting completed, and ¶ºÒõ¹Ý is leading the way in providing reasonable minimum-security requirements for protecting vital emails.
The Code Signing Working Group is actively working on both improved key protection requirements and better requirements for signing services. As ¶ºÒõ¹Ý pointed out during the meeting, the existing requirements for signing services basically just allow for signing services to exist but are not well thought out and do not provide a coherent and comprehensive view of what a secure signing service should look like. This is unfortunate, as signing services provide a path to substantially and rapidly improve the security of code signing in a way that is not possible for each signer to do on their own.
Of course, a lot more happened than can be described here, so keep your eyes out for further updates and communications. Stay tuned to ¶ºÒõ¹Ý’s blog and for an update after the next CA/B Forum meeting, in September.