20230602 - Creation of the Baseline Requirements for S/MIME certificates

In 2012, the CA/B Forum published the first version of its Baseline Requirements governing the issuance and management of SSL certificates.

The Baseline Requirements are a set of standards adopted by a consortium of certification authorities and browser vendors. They define a strict framework for SSL certificate audit processes, life cycle, and the technologies to be used.

On January 1st, 2023, the CA/B Forum published the first version of the Baseline Requirements written specifically for S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.

For which certificates?

They will apply to all publicly trusted digital certificates that include the Extended Key Usage (EKU) extension for id-kp-emailProtection (OID: or that include an email address in the SAN (subjectAltName) extension.

These certificates are mainly used to sign and encrypt e-mails, for strong authentication, or to sign documents.

When will they take effect?

The Baseline Requirements will come into effect on September 1st, 2023. S/MIME certificates issued before this date won't be affected and will keep working until their expiration date.

What's in the BR?

The BR will help harmonize several processes, notably:

  • The types of certificates
  • Their life cycle
  • The audit rules
  • Certificate management, and the CRL and OCSP profiles
  • The security standards and the technologies used for certificate issuance

The types of certificates

The BR define 4 types of S/MIME certificates:

  • "Mailbox-validated": the certificate subject is limited to an e-mail address or a serial number
  • "Organization-validated": the subject only includes information about a legal entity
  • "Individual-validated": the subject only includes information about a natural person (the certificate holder)
  • "Sponsor-validated": the subject includes information about both a natural person (the certificate holder) and a legal entity

What changes should be expected?

This first version of the S/MIME BR only formalizes the standards already in use by all stakeholders in the sector. No major change is expected in September.

Later versions will probably introduce new requirements, such as CAA checking. To be continued!

