The CA/B Forum, the de facto governing body for the use of digital certificates, has recently published guidelines for the use of S/MIME (personal or client) certificates. Until now, S/MIME certificates have not been as strictly regulated as other certificate types: the only requirement was that the supplied e-mail address worked. No further vetting was done, and it was difficult to invoke a higher level of assurance in the certificate. These changes come into effect this month, so users of the GÉANT Trusted Certificate Service (TCS) will see some changes to our certificate options. Some of the security issues addressed by the new baseline are already covered in the current TCS service: the IGTF certificate types already required that the names provided in certificate requests were reasonable, and our use of SAML authentication to request certificates ensured that some level of vetting was undertaken on the owners of the email addresses.
The new Baseline Requirements introduce different types of S/MIME certificate:
- mailbox validated: this contains ONLY the RFC822 name (i.e. an email address).
- organization validated: this contains only details related to the legal entity in the subject.
- sponsor validated: combines individual and organization details. These will be the default S/MIME certificate type for TCS.
- individual validated: includes only natural person details in the subject.
The new Baseline Requirements have also required us to change the way in which we manage IGTF certificates. These have all now been moved to private trust profiles, which allows us to tailor them to the requirements of the Grid community.
Changes in TCS
Within TCS, you can expect to see several new certificate types. These are explained in more detail on the TCS wiki. For most typical use cases (an individual from your organisation that needs a certificate for email signing and encryption) you should choose the type “GÉANT Personal email signing and encryption”. For IGTF certificates, the profiles have been updated as follows:
- GÉANT Personal Authentication (previously IGTF personal)
- GÉANT Personal Automated Authentication (previously IGTF personal robot)
- GÉANT Organisation Automated Authentication (previously IGTF robot)
We hope these new, more descriptive names for certificate types will also help users better understand which certificate they need to choose.
It is also now possible to order a “GÉANT Organisation email signing” certificate, which is not linked to a specific individual but is publicly trusted.
Impact of Revalidation
One of the biggest impacts of these changes is that all organisations that order certificates through any CA vendor will be required to undergo revalidation. The validation requirements introduced for S/MIME differ from the process typically used for SSL certificates: the set of ‘authentic information sources’ that Sectigo has to use for organisation validation is different. Whereas an independent information source may be used for SSL validation, for S/MIME only government agency sources and Legal Entity Identifier (LEI) data references are allowed. There is a detailed process to follow for this, described for all TCS Managers on the TCS wiki. If you have any doubts, please contact the TCS Service Manager at GÉANT. Unfortunately, the impact of this change is far-reaching. The work required to revalidate every organisation that wishes to order certificates has created a backlog, and it will take longer than usual to revalidate organisations. Any TCS user with an issue should follow the standard escalation processes, which should be known by all TCS Managers or “MRAOs” at NRENs.
What’s Next?
The certificate space is changing at a rapid pace, and there are more changes on the horizon that will affect all users of SSL certificates. Google has recently announced that it intends to enforce a 90-day validity period for certificates, and although they say they will work with the CA/B Forum on this change, there is a history of changes being introduced without the approval of the Forum. We are advising all NRENs and their organisations to expect to be able to manage 90-day validity certificates by October 2024 at the latest. This is a significant change, and will force most organisations to automate their certificate processes using the ACME protocol and clients such as Certbot in order to avoid service outages. There is a big skills gap in the community with regard to certificate automation, and the GÉANT TCS team is asking all NRENs to survey their members so we can look to provide training, new features and service support to help manage this change. If you would like to be part of that conversation, please reach out to us.