The CA/B Forum has approved the use of CAA records for S/MIME certificates
The CA/B Forum, the industry body of certification authorities and browser/software vendors that sets the Baseline Requirements for publicly trusted certificates, has adopted changes that introduce CAA checking for the issuance of S/MIME certificates. CAA records for email domains are now supported as defined in RFC 9495.
CAA records (RFC 8659) let a domain owner state in DNS which certificate authorities (CAs) are permitted to issue certificates for a given domain, originally TLS certificates. A CAA record gives the owner additional control over the use of their domain and reduces the risk of mis-issuance: a CA that is not named in the record must refuse the request.
Under the CA/B Forum's TLS Baseline Requirements, CAs must check CAA before issuing a TLS certificate, and many domains already publish CAA records naming one or more CAs they trust for TLS.
S/MIME differs enough from TLS that separate CAA definitions have been introduced for it. An organisation may, for example, permit certain CAs to issue TLS certificates for its domains while relying on a different set of CAs for S/MIME, so the existing TLS-oriented records cannot simply be reused.
CAA processing for email domains works as follows: RFC 9495 defines a new CAA property tag, "issuemail", for the S/MIME context. By publishing issuemail records, domain owners indicate which CAs are approved to issue S/MIME certificates for the email domain. The CA looks up the CAA records for the domain part of the email address (climbing to parent domains if none are found, as for TLS) and considers only the issuemail records; the "issue" and "issuewild" records used for TLS have no effect on S/MIME issuance, and a domain with no issuemail record is unrestricted for S/MIME.
CAA verification for S/MIME is now a mandatory step for CAs before issuing a certificate. As with TLS, the check is made by the CA at issuance time: a CAA record limits which CAs will issue, but it is not consulted by mail clients when validating a received signature, so it guards against mis-issuance rather than against a CA that ignores the record.
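To make the processing rules concrete, here is an added example (written for this page, not code from the CA/B Forum, RFC 9495 or any CA) of the decision a CA has to make before S/MIME issuance. DNS is replaced by a constructed in-memory zone with hypothetical names (example.com, smime-ca.example.net and so on), equivalent to zone lines such as `example.com. IN CAA 0 issuemail "smime-ca.example.net"`. The function climbs from the domain part of the mailbox address to its parents to find the relevant CAA RRset, honours the issuer-critical flag, ignores "issue"/"issuewild", and treats an empty issuer (a value of ";") as "no S/MIME CA may issue":

```python
"""Minimal RFC 9495 'issuemail' CAA evaluator (illustrative, offline)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the issuer-critical flag (RFC 8659)
    tag: str     # property tag: issue, issuewild, issuemail, iodef, ...
    value: str   # property value, e.g. "smime-ca.example.net; account=123"


# Constructed zone data with hypothetical names; a missing owner name has no CAA RRset.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "tls-ca.example.net"),          # governs TLS only
        CAARecord(0, "issuemail", "smime-ca.example.net"),    # governs S/MIME
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "nomail.example.com.": [
        CAARecord(0, "issuemail", ";"),                       # empty issuer: nobody may issue
    ],
    "tls-only.example.com.": [
        CAARecord(0, "issue", "tls-ca.example.net"),          # no issuemail: S/MIME unrestricted
    ],
    "locked.example.com.": [
        CAARecord(128, "future-tag", "x"),                    # critical tag this CA does not know
        CAARecord(0, "issuemail", "smime-ca.example.net"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}


def _normalize(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def relevant_rrset(domain: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: use the CAA RRset of the domain itself, else of the
    nearest parent that has one. Returns (owner name, rrset)."""
    labels = _normalize(domain).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []


def smime_issuance_allowed(email: str, issuer_domain: str,
                           zone: Dict[str, List[CAARecord]]) -> Tuple[bool, str]:
    """May the CA identified by issuer_domain issue an S/MIME certificate for email?"""
    if email.count("@") != 1:
        return False, "not a single mailbox address"
    _local_part, domain = email.rsplit("@", 1)        # RFC 9495: only the domain part is used
    owner, rrset = relevant_rrset(domain, zone)
    if not rrset:
        return True, f"no CAA RRset for {domain} or its parents: unrestricted"
    # RFC 8659 section 4.1: a critical property the CA does not understand forbids issuance.
    for rr in rrset:
        if rr.flags & 0x80 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {rr.tag!r} at {owner}"
    # RFC 9495: only issuemail governs S/MIME; issue/issuewild are ignored here.
    issuemail = [rr for rr in rrset if rr.tag.lower() == "issuemail"]
    if not issuemail:
        return True, f"CAA RRset at {owner} has no issuemail property: S/MIME unrestricted"
    wanted = _normalize(issuer_domain).rstrip(".")
    for rr in issuemail:
        issuer, _, params = rr.value.partition(";")   # parameters are CA-defined; carried, not enforced
        if issuer.strip().lower().rstrip(".") == wanted:
            return True, f"issuemail at {owner} authorizes {wanted} (params: {params.strip() or 'none'})"
    return False, f"issuemail at {owner} does not authorize {wanted}"


if __name__ == "__main__":
    for addr in ("alice@example.com", "dave@sales.example.com", "bob@nomail.example.com",
                 "carol@tls-only.example.com", "eve@locked.example.com"):
        print(addr, "->", smime_issuance_allowed(addr, "smime-ca.example.net", ZONE))
```

Note that `dave@sales.example.com` is authorised through the parent's issuemail record, `tls-ca.example.net` is refused for S/MIME even though it is the domain's TLS CA, and an unrecognised critical property blocks issuance even when a matching issuemail record is present.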