{"id":18629,"date":"2025-08-11T15:31:57","date_gmt":"2025-08-11T19:31:57","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=18629"},"modified":"2025-08-28T12:55:59","modified_gmt":"2025-08-28T16:55:59","slug":"email-certificate-standards-updated-to-support-acme-automation-future-pqc-security","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/email-certificate-standards-updated-to-support-acme-automation-future-pqc-security\/","title":{"rendered":"Email Certificate Standards Updated to Support ACME Automation &amp; Future PQC Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-changes-to-the-s-mime-certificate-baseline-requirements-add-support-for-automated-mailbox-validation-via-the-acme-protocol-and-post-quantum-cryptography-algorithm-testing\">Changes to the S\/MIME Certificate Baseline Requirements add support for automated mailbox validation (via the ACME protocol) and post-quantum cryptography algorithm testing <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">July 2025 was a busy period in the CA\/Brower Forum\u2019s (CABF) S\/MIME Certificate Working Group (SMCWG). There are two key ballots relating to S\/MIME certificates that have been approved (SMC013) or adopted (SMC012) in the last month:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/cabforum.org\/2025\/05\/19\/ballot-smc-012\/\">SMC012: Introduce ACME for S\/MIME<\/a> was officially adopted as part of the S\/MIME Baseline Requirements on July 2.<\/strong> This ballot provides <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-ca-and-what-do-they-do\/\">certification authorities<\/a> (CAs) with a standardized and automated way to respond to mailbox control validation requests using the ACME protocol. This offers another automation-friendly method for CAs to validate mailbox addresses.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cabforum.org\/2025\/07\/02\/ballot-smc-013\/\">SMC013: Enable PQC Algorithms for S\/MIME<\/a> entered a 30-day review period that\u2019s set to end Aug. 20.<\/strong> This ballot aims to add the use of two <a href=\"https:\/\/www.thesslstore.com\/blog\/post-quantum-cryptography-10-things-you-need-to-know\/\">post-quantum cryptography<\/a> (PQC) algorithms into the S\/MIME Baseline Requirements. These certificates are intended for testing (by CAs and clients) and wouldn&#8217;t be generally available. However, this move marks yet another step that on the road that ultimately leads to PQC adoption and usage on public networks.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">So, what\u2019s the deal with these two ballots and how are they intended to enhance email security and mailbox domain validations? <strong>While these changes won\u2019t directly impact your organization in terms of preparations, our goal is to keep you apprised of the latest S\/MIME industry developments.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n<span style=\"--tl-form-height-m:140.667px;--tl-form-height-t:118.1042px;--tl-form-height-d:118.1042px;\" class=\"tl-placeholder-f-type-shortcode_12779 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\">TL;DR: An Overview of the S\/MIME Changes<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><\/td><td><strong>SMC012 (ACME Automation for S\/MIME)<\/strong><\/td><td><strong>SMC013 (Introduction of PQC to S\/MIME)<\/strong><\/td><\/tr><tr><td>What It Is<\/td><td>A ballot standardizing the use of ACME tokens for email domain &amp; mailbox validation<\/td><td>A ballot introducing two quantum-resistant algorithms for CA\/CABF member testing<\/td><\/tr><tr><td>What the Ballot Does<\/td><td>Enables CAs and ACME clients to automate validation using the ACME protocol<\/td><td>Enables the creation of single-key\/non-hybrid PQC certificates that do not rely upon pre-quantum algorithms for testing<\/td><\/tr><tr><td>When the Changes Will Take Place<\/td><td>They kicked into effect July 2, 2025<\/td><td>They will take effect after the IPR review has concluded Aug. 20, 2025<\/td><\/tr><tr><td>Why It Matters<\/td><td>Adds a modern automation option for S\/MIME validation<\/td><td>One of the first steps toward the use of PQC certificates on open networks<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Breaking Down SMC012: ACME Automation Extends to Email Validation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The adoption of automation is one of the most pressing topics in our industry today, whether for efficiency gains, or as preparation for the day that PQC arrives, forcing rapid upgrades to keys and certificates. Everything is moving towards automation (for good reason), and email mailbox validation is no different.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You see, email domain and mailbox validation have long relied on <a href=\"https:\/\/cabforum.org\/working-groups\/smime\/requirements\/#322-validation-of-mailbox-authorization-or-control\">three existing methods<\/a>, which are predominantly based on server certificate (SSL\/TLS certificate) validation methods. (Think of using validation tokens that are shared via email or are utilized in HTTP- and DNS-based validation methods that prove the requestor controls the domain in question.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This new ACME-based validation method for S\/MIME gives CAs another way to go about verifying email domain or mailbox control that\u2019s already been standardized by the Internet Engineering Task Force (IETF). The method is dependent on both the CA and the client software being able to support ACME for S\/MIME.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How It Works: CAs Can Use ACME Randomized Tokens in POST Responses<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The recent changes to mailbox control validation, seen in the addition of <a href=\"https:\/\/cabforum.org\/working-groups\/smime\/requirements\/#3224-validating-control-over-mailbox-using-acme-extensions\">section 3.2.2.4<\/a> to the S\/MIME Baseline Requirements, enable CAs to generate and use short-lived (i.e., up to 24 hours), one-time use ACME Random Value tokens in response to POST requests. The tokens must:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>comprise two parts, each of which must contain 128+ bits of entropy<\/li>\n\n\n\n<li>be used for that specific mailbox\u2019s validation only and must not be reused for other certificate requests.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">CAs, which send these token values via SMTP and to the email addresses being validated, then wait to receive responses utilizing the shared Random Value token. (All of this is in accordance with the processes described in <a href=\"https:\/\/datatracker.ietf.org\/doc\/rfc8823\/\">RFC 8823<\/a> and is similar to how ACME works in domain validation for TLS certificates.)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"446\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/how-acme-email-mailbox-validation-works-1024x446.jpg\" alt=\"A basic overview of how email domain validation and mailbox validation work using the ACME protocol\" class=\"wp-image-18631\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/how-acme-email-mailbox-validation-works-1024x446.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/how-acme-email-mailbox-validation-works-300x131.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/how-acme-email-mailbox-validation-works-768x335.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/how-acme-email-mailbox-validation-works-1536x669.jpg 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/how-acme-email-mailbox-validation-works.jpg 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: An illustration demonstrating the basic concept of how S\/MIME email domain or mailbox validation works using ACME random tokens.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">To help facilitate this new method of validation, section 3.2.2.4 also states that CAs may use ACME External Account Binding (<em>a la<\/em> <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8555\/\">RFC 8555<\/a>) to associate a certificate requestor\u2019s ACME account with other information the CA may have validated (such as organization subject details).&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What\u2019s the Benefit?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re curious why all of this matters, we reached out to <a href=\"https:\/\/www.digicert.com\/blog\/author\/stephen-davidson\">Stephen Davidson<\/a>, Senior Manager in Global Governance, Risk &amp; Compliance at <a href=\"https:\/\/www.digicert.com\/\">DigiCert<\/a>. Davidson is chair of the CABF S\/MIME Certificate Working Group, so we asked him to share his insights:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cHistorically, S\/MIME CAs have relied upon the \u2018domain control\u2019 methods that are defined in the TLS Baseline Requirements. However, the trend has been to deprecate some of these methods and to emphasize others, like ACME, that are very specific to TLS\/website certificates. The S\/MIME Certificate Working Group wishes to encourage the development of automation options that are specific to the needs of S\/MIME, of which this method is a good example.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">As an added bonus, client software with support for the ACME protocol can be used for both proving mailbox control and\/or key management.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we know what\u2019s happening in the world of ACME automation, it\u2019s time to shift gears and explore the cryptographic changes that are coming to S\/MIME.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SMC013: The Inclusion of PQC Algorithms for S\/MIME Certificates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Simply put, PQC is an area that garners significant interest. Why? Because it\u2019s just a matter of time before a <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/learn\/crqcs-cryptographically-relevant-quantum-computers.html\">cryptographically relevant quantum computer<\/a> (CRQC) eventually makes its debut.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SMC013 is one of the first standards that defines the use of quantum-resistant cryptography in publicly trusted digital certificates. In this ballot, the S\/MIME Certificate Working Group voted to approve the inclusion of two of the <a href=\"https:\/\/www.thesslstore.com\/blog\/nist-pqc-standards-are-out-where-do-we-go-from-here\/\">quantum-resistant cryptographic schemes that NIST approved last year<\/a> in the S\/MIME Baseline Requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/csrc.nist.gov\/pubs\/fips\/204\/final\"><strong>Module Lattice-Based Digital Signature Algorithm (ML-DSA)<\/strong><\/a><strong>,<\/strong> which is a type of quantum-resistant cryptographic scheme (based on CRYSTALS-DILITHIUM) that\u2019s used to generate and verify digital signatures.<\/li>\n\n\n\n<li><a href=\"https:\/\/csrc.nist.gov\/pubs\/fips\/203\/final\"><strong>Module Lattice-Based Key Encapsulation Mechanism (ML-KEM)<\/strong><\/a><strong>,<\/strong> which is a key encapsulation mechanism that\u2019s used to establish a quantum computing-resistant shared secret key in public channels for encryption and authentication.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">At a more technical level, the updates to the BRs provide parameter specifications regarding ML-DSA and ML-KEM (think of key pair sizes, algorithm identifiers, etc.).<\/p>\n\n\n<span style=\"--tl-form-height-m:966.781px;--tl-form-height-t:989px;--tl-form-height-d:989px;\" class=\"tl-placeholder-f-type-shortcode_12768 tl-preload-form\"><span><\/span><\/span>\n\n\n<h3 class=\"wp-block-heading\">What\u2019s Different: These Certificates Will Use Only PQC Algorithms<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Ballot SMC013 defines the use of \u201csingle-key\u201d PQC S\/MIME certificates that do not rely upon pre-quantum algorithms as a first step.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Why? To give industry participants (namely, CAs) a way to test and experiment with \u201cpure\u201d PQC certificates (i.e., non-hybrid or composite certificates). The goal here is to enable industry leaders to find the best alternatives for the RSA- and ECC-based schemes that can ultimately be broken by CRQCs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Where S\/MIME Is Set to Go from Here<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This ballot represents just one of the SMCWG\u2019s first steps toward public trust PQC certificates. \u201cPQC is a totally new category and there is much rule-making still to be done,\u201d said Davidson. \u201cThis SMC013 is a preliminary piece of the puzzle.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, the proposed changes to the S\/MIME baseline requirements update leave the door open to the inclusion of other types of hybrid and composite S\/MIME certificates in the future. Currently, DigiCert offers hybrid PKI certificates, but those are for internal (private PKI) uses only and are not chained to public trust hierarchies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWe anticipate additional ballots in the SMCWG as work on the underlying IETF RFCs for hybrid certificates and other formats concludes,\u201d said Davidson,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The ballot\u2019s 30-day review period, which began July 21, 2025, gives Working Group members a chance to give the content a final look over. After that, the changes will roll out in version 1.0.11 of the <a href=\"https:\/\/cabforum.org\/working-groups\/smime\/requirements\/\">S\/MIME Baseline Requirements<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What\u2019s Next on the Agenda<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Other topics being considered by the SMCWG include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>tightening the rules relating to DNS security (DNSSEC) when validating domains and CAA records, in line with changes recently adopted for TLS,<\/li>\n\n\n\n<li>exploring ways to enable the use of electronic identity (eID) and mobile driver\u2019s licenses in personal validation, and<\/li>\n\n\n\n<li>determining better ways to present pseudonyms and \u201crole\u201d names such as \u201cHelp Desk\u201d in certificates.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Changes to the S\/MIME Certificate Baseline Requirements add support for automated mailbox validation (via the ACME protocol) and post-quantum cryptography algorithm testing July 2025 was a busy period in the&#8230;<\/p>\n","protected":false},"author":17,"featured_media":18632,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,17,10200],"tags":[10448,13249,13220],"class_list":["post-18629","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-industry-lowdown","category-monthly-digest","tag-acme","tag-pqc","tag-s-mime-baseline-requirements","post-with-tags"],"views":5667,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/08\/smime-changes-4.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/18629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=18629"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/18629\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/18632"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=18629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=18629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=18629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}