TL;DR: CA/B Forum baseline requirements now standardise S/MIME validation profiles, certificate generations, and organisation identifiers, while limiting how long identity and domain checks remain valid, according to GlobalSign. The practical shift is toward tighter email identity governance, shorter trust windows, and clearer lifecycle controls for sensitive communications.
NHIMG editorial — based on content published by GlobalSign: S/MIME baseline requirements and validation changes
Questions worth separating out
Q: How should organisations manage S/MIME certificates across large user populations?
A: They should treat S/MIME as a lifecycle problem, not a one-time installation.
Q: Why do S/MIME baseline requirements matter for email trust?
A: They reduce the time a certificate can continue to assert an identity that may no longer be current.
Q: What breaks when S/MIME validation evidence is not refreshed?
A: The certificate can remain technically valid even after the mailbox, person, or organisation behind it has changed.
Practitioner guidance
- Align S/MIME issuance with identity lifecycle controls Tie certificate approval, revalidation, and revocation to user status, mailbox control, and organisation ownership checks so certificates cannot outlive the identity evidence behind them.
- Retire legacy S/MIME profiles on a defined schedule Inventory mailbox validated, organisation validated, sponsor validated, and individual validated certificates, then phase out legacy configurations where strict or multiuse profiles are now required.
- Create ownership for organisational identity data Assign clear accountability for OID, LEI, tax ID, or registration number handling so issuance workflows use consistent organisation identity evidence.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Specific S/MIME baseline requirement changes and how they affect certificate profiles.
- The new generation model for legacy, strict, and multiuse certificate configurations.
- Organisation identifier handling for EPKI verification, including OID, LEI, registration numbers, and tax identifiers.
- Timeline details for the standard changes and intermediate certificate rollout.
👉 Read GlobalSign's article on S/MIME baseline requirements and certificate validation changes →
S/MIME certificate changes: what identity teams need to know?
Explore further
Email identity governance is now a lifecycle problem, not a certificate issue. S/MIME baseline requirements push organisations to treat validation evidence as time-bound identity data rather than static configuration. That matters because mailbox control, organisational authority, and personal identity all change over time, and stale assertions create a trust window for misuse. Security teams should fold S/MIME into identity lifecycle governance, not leave it inside PKI administration.
A question worth separating out:
A: Accountability should sit across identity, PKI, and messaging operations, with clear ownership for certificate lifecycle, organisational identity evidence, and domain authority checks. If those responsibilities are split without a control owner, stale certificates and inconsistent validation are likely to persist. Governance works only when renewal and revocation are explicitly owned.
👉 Read our full editorial: S/MIME baseline requirements tighten email identity governance