DigiNotar looming large, new guidelines clarify certificate authority obligations

Reeling in the wake of hacks that disrupted the certificate authority (CA) industry earlier this year, CA issuers are converging around a new self-imposed standard that sets baseline requirements for the security methods used to identify trusted Web sites online.

The CA/Browser Forum, a voluntary industry body representing 94 percent of public CA issuers, has co-ordinated over 50 organisations throughout the drafting process and last week released the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (BRIMPTC) document (PDF) to improve the way member organisations manage the SSL/TLS digital certificates that identify trustworthy Web sites to users' browsers.

BRIMPTC, which was this week endorsed by major certificate issuer Entrust, includes clauses that clarify the warranties a CA makes when it issues a certificate — including the right to use a domain name or an IP address, authorisation for a certificate, accuracy of information, a ban on misleading information, requirements for ascertaining applicant identities, the nature of the subscriber agreement, and more.

For example, participating CAs must issue a publicly-available Certificate Policy or Certification Practice Statement, structured in line with RFC 2527 or RFC 3647, that clarifies the CA's commitment to comply with BRIMPTC's requirements and discloses any Cross Certificates that identify the CA as the subject.

CAs must also develop and document formal data security programs and risk assessments, security plans and business continuity programs that ensure the availability of their operations. BRIMPTC specifies 15 criteria that must be addressed within the business continuity plan.

BRIMPTC also covers the information to be collected from applicants for a CA, the structure and minimum standards for the information to be held about them, verification practices, and more. Importantly, section 10.2.4 of the document mandates encryption, prohibits the archiving of the Subscriber Private Key and demands the immediate revocation of any CA that has been "communicated to an unauthorized person".

This last requirement is an explicit acknowledgement of the threat posed by hackers earlier this year, when Dutch certificate authority DigiNotar was compromised and hackers were able to use leaked CA digital certificates to issue their own certificates for a broad range of secure Web sites. DigiNotar was liquidated weeks later after it was found the CA's root certificate had been used to produce over 500 false SSL certificates.

A similar attack hit CA Comodo earlier this year, with the 'Comodo Hacker' claiming he had also breached DigiNotar's systems (http://www.cso.com.au/article/400077/comodo_hacker_taunt_halts_globalsign_ssl_certificates/) and had attacked GlobalSign, the world's fifth-largest CA issuer. The revelations caused panic as GlobalSign stopped issuing certificates and CA authorities circled their wagons to protect their livelihoods.

BRIMPTC is being promoted as an important baseline standard for CA practice, with the guidelines also being pitched to Web browser and operating system makers as a precondition for the distribution of CA root certificates in the software they produce. Future versions may cover the handling of certificates for secure communication using VoIP, S/MIME, Web services, instant messaging and other forms of communication.

Stories by David Braue