A data security specialist by Swiss Post

Main section

22.06.2023

New standard for e-mail certificates in August 2023

The CA/Browser Forum, the standardization body for certificates on the Internet, defined a new standard for e-mail certificates at the beginning of the year, the so-called "Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates" (S/MIME BR). This standard must be fulfilled from September 1, 2023 on at the latest.
 

SwissSign will make the transition to this new standard as of August 2023. The detailed dates will be published in our news feed.
 

What is going to change as of August 2023?

It is very important to us to keep the impact on our customers as low as possible. The following changes will be publicly visible:
 

  • Password creation: It is still permitted to have the private key for an e-mail certificate generated by SwissSign. Until now, the operators of an MPKI could define the password for protecting the private key themselves. In the future, SwissSign must generate this password.
  • Domain validation: As for SSL/TLS certificates, the domain must be revalidated annually. This adjustment has already been implemented on our new CA platform. Customers who have already migrated will not notice any difference. Customers who have not yet migrated will need to revalidate their email domain – so we recommend moving to the new platform as soon as possible.
  • Certificate profiles: Email certificates will have a slightly different look after the migration. For example, the Pro S/MIME E-Mail ID Gold certificates will contain the commercial register number (or a similar entry, e.g. to designate registration offices). A new attribute called "OrganizationIdentifier" is added for this purpose.
     

Mid-term changes

The S/MIME BR is a standard that is continuously evolving. Therefore, further changes are foreseeable in the mid-term, but they do not yet have to be implemented on September 1, 2023. However, as advance information, we would like to point out the following future adjustments:
 

  • CAs: New CA certificates will have to be created for the issuance of e-mail certificates. There is currently no need for action.
  • Duration: The maximum duration will be reduced from three to two years in the future.
  • First name and last name: Per S/MIME E-Mail ID Gold certificates will have to contain the first name and last name (or pseudonym) as separate attributes.


More information on these developments and when new standards come into effect will follow at a later date.