In October, the CA/B Forum held its last meeting of the year. Several updates were discussed at the meeting, including Apple's new root program, new baseline requirements for S/MIME certificates and code signing certificates, and a preview of eIDAS 2.0.
The details are as follows:
Apple’s new root program
Apple announced new S/MIME mail certificate requirements, which are expected to take effect in April next year. Apple states that, starting from April 1, 2022, it will shorten the validity period of S/MIME certificates to two years and require all certificate authorities (CAs) to disclose every CA certificate that chains to a root in Apple's root certificate list.
In addition, Apple also requires S/MIME certificates:
• Include the emailProtection EKU;
• Include a subjectAltName extension with at least one rfc822Name value containing the email address;
• Have a validity period that does not exceed 825 days;
• Be signed with a signature algorithm whose hash is SHA-256 or stronger;
• Meet the following key size requirements:
  • If the RSA algorithm is used, the key size must be at least 2048 bits and must be divisible by 8;
  • If the ECDSA algorithm is used, the key must represent a valid point on the NIST P-256, NIST P-384 or NIST P-521 named elliptic curve.
Changes to the SSL/TLS certificate profile
For roughly the past two years, the Validation Subcommittee has been working to spell out more precisely what content may appear in a publicly trusted SSL/TLS certificate and what content may not. Although we strongly support clear requirements, stricter rules on certificate contents may cause confusion for some customers. Many update proposals were put forward at this meeting; most of them may be adopted in 2022 and become mandatory in 2023.
eIDAS 2.0 preview
At the meeting, Enrico Entschew summarized the status of the eIDAS (the European Union regulation on electronic identification and trust services) update in Europe. Under the current proposal, browsers would be required to honour the EU trust lists and to provide visual indicators for European Qualified Website Authentication Certificates (QWACs). He also emphasized the importance of digital identity in eIDAS 2.0 and noted that much work remains on digital wallets and next-generation digital identities.
S/MIME certificate baseline requirements
The S/MIME working group is developing a new set of S/MIME baseline requirements. Although these requirements will not be finalized until 2022, and may not take effect until 2023 or later, the group has completed its discussion of the draft S/MIME document and reached a preliminary consensus. Several highlights of the draft deserve attention. First, it defines a legacy profile that largely codifies existing industry practice, which allows existing CAs to adopt and roll out the new S/MIME baseline requirements quickly. Second, it provides an upgrade path to more valuable certificate types, including those that carry verified identity information. Finally, the most demanding provisions are moved into the strict profile, so that those who find them useful can continue to apply them, while those who do not can choose to leave them aside.
Improve code signing service requirements
Finally, the code signing working group is working on improvements to code signing services, which may greatly improve the security and availability of signing keys held by individuals. The working group's work is still at an early stage and the requirements are not yet clear, but we hope that code signing services will soon improve the security and usability of digital signature assets.
As with the change the CA/B Forum announced earlier this year, raising the minimum key length of code signing certificates to 3072 bits, the purpose is to improve the security of digital signatures.
The meeting summary above shows that both the CA/B Forum and Apple are beginning to study new requirements for S/MIME certificates and code signing certificates. With the widespread adoption of public PKI, Ruicheng Information believes that in the near future more and more users will pay attention to identity authentication and digital signatures, which means that the Internet security industry needs to improve its digital certificate compliance standards so that a broad range of user groups can use convenient, fast certificates to protect their data.