- 15 December 2011 14:31
CA/Browser Forum Approves Baseline Requirements for SSL/TLS Certificates
The CA/Browser Forum has released the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,” the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software.
SSL/TLS digital certificates are used to authenticate the ownership of websites and other online resources, as well as to encrypt information for privacy as it crosses the Internet and other networks.
“SSL/TLS certificates are a critical part of the Internet’s security infrastructure, combining proven technical standards with the capability to scale to handle millions of websites and the wide array of user software,” said Tim Moses, Chairman of the CA/Browser Forum.
“The new Baseline Requirements will improve the reliability and accountability of SSL/TLS issuance for relying parties by establishing baseline standards for all types of SSL/TLS certificates from all publicly-trusted CAs.”
The Baseline Requirements draw upon best practices from across the SSL/TLS sector to provide clear standards for CAs on important subjects including verification of identity, certificate content and profiles, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality, and delegation (including external sub-CAs and registration authorities).
The Baseline Requirements become effective on July 1, 2012 allowing CAs time to bring their SSL/TLS policies and practices into compliance with the standard. The CA/B Forum intends to continue development of the Baseline Requirements to address the evolving risks and threats involving the issuance or use of SSL/TLS certificates.
The CA/Browser Forum was formed in 2006 and previously created the “Extended Validation” (EV) standard for SSL/TLS. EV was designed for banks and other high profile websites providing enhanced confirmation of the legitimacy of a website and the identity of its owner, consistent across all EV-issuing CAs.
“With the Baseline Requirements, for the first time we will have a consistent international standard for the issuance of all SSL/TLS, including the many variations of Domain Validation and Organisation Validation,” said Eddy Nigg of the StartCom CA. “This has been a multiyear effort involving more than 50 organisations including the major browser suppliers and CAs from around the world, as well as representatives from the Internet standards and audit/legal community along with major relying parties that use SSL/TLS.”
Certification Authority members of the CA/Browser Forum range from the large multinational CAs to smaller issuers focused on geographic regions or specific industries. Major CAs have already voiced their commitment to implement the Baseline Requirements targeting the 2012 effective date. These include CA/Browser Forum members Symantec, Go Daddy, Comodo, GlobalSign, DigiCert, Entrust, StartCom, TrustWave, QuoVadis, Certum, T‑Systems, Izenpe, and BuyPass representing more than 94% of all valid public SSL/TLS according to the independent Netcraft survey.
The CA/Browser Forum has requested that internet browsers and operating systems adopt the Baseline Requirements among their conditions to distribute CA root certificates in their software.
According to Kathleen Wilson of Mozilla, “Four years ago the CA/Browser Forum released the Extended Validation guidelines that established consistent standards for identity validation. The Baseline Requirements provide a foundation for best practices across the industry by defining a single, consolidated set of essential standards for all SSL/TLS certificates for the first time.”
The CA/B Forum has also requested that the major audit regimes used by CAs, WebTrust and ETSI, develop audit criteria to assess compliance with the Baseline Requirements.
Further information on the CA/Browser Forum and the Baseline Requirements may be found at http://cabforum.org/
Additional Support for the CAB/Forum Baseline Requirements
“Today marks a big step forward for Internet security,” said Fran Rosch, Vice President of Identity and Authentication Services at Symantec. “This new SSL/TLS standard for trusted Certification Authorities is a particularly important development right now considering the increasingly dangerous cyber threat landscape. Symantec is dedicated to supporting this industry effort and we look forward to helping move this initiative to the next level.”
“Comodo see the Baseline Requirements as both raising the bar on certification practice and beginning a process of unifying previously disparate policy requirements on Certification Authorities,” said Robin Alden, CTO of Comodo CA Ltd. “When these requirements come into force they will surely simplify the mapping between browser policy and CA policy and also ensure the auditability of the CA’s practice in order that auditors may reliably check that the operation of CAs meets the required standards and thereby increase CA integrity and the perception of CA integrity.”
"The Baseline Requirements and associated best practices will add new clarity and understanding around SSL/TLS technology and its critical role in modern Internet society," said Steve Roylance, Business Development Director at GlobalSign.
“The Baseline Requirements will provide a consistent security footing for the variety of SSL/TLS products available from different CAs around the world, said Ken Bretschneider, CEO of DigiCert. “While the Extended Validation standard helped protect the most visible targets of phishing, the ongoing Baseline initiative will benefit all users of SSL/TLS certificates and the https security they provide.”
“Prior to the CA/Browser Forum Baseline Requirements, there really was not a common standard for the issuance of SSL certificates,” said Entrust Certificate Services general manager David Rockvam. “The Baseline Requirements draw upon years of SSL/TLSE experience, from a wide selection of CAs and other stakeholders, to provide critical guidelines for the secure future of SSL/TLS issuance, verification, and revocation. It’s an instrumental step in ensuring the integrity of the Internet trust infrastructure.”
“Previously Certification Authorities had to interpret overlapping standards from different software providers, regulators, and audit regimes,” said Roman Brunner, CEO of QuoVadis. “With the Baseline Requirements the core standards are integrated in one document, clarifying responsibilities and increasing accountability for trusted CAs that issue SSL/TLS digital certificates.”
About the CA/Browser Forum
The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other software applications that use digital certificates. CA/Browser Forum membership includes:
· A-Trust GmbH
· AC Camerfirma SA
· Buypass AS
· Comodo CA Ltd
· D-TRUST GmbH
· DanID A/S
· DigiCert, Inc.
· Digidentity BV
· Echoworx Corporation
· Entrust, Inc.
· GeoTrust, Inc.
· Getronics PinkRoccade
· IdenTrust, Inc.
· ipsCA, IPS Certification Authority s.l.
· Izenpe S.A.
· Japan Certification Services, Inc.
· Kamu Sertifikasyon Merkezi
· Logius PKIoverheid
· Network Solutions, LLC
· QuoVadis Limited
· RSA Security, Inc.
· SECOM Trust Systems CO., Ltd.
· Skaitmeninio sertifikavimo centras (SSC)
· StartCom Certification Authority
· SwissSign AG
· Symantec Corporation
· T-Systems International GmbH.
· TC TrustCenter GmbH
· Thawte, Inc.
· Trustis Limited
· Wells Fargo Bank, N.A.
Relying-Party Application Software Suppliers
· Google Inc.
· Microsoft Corporation
· Opera Software ASA
· Research in Motion Limited
· The Mozilla Foundation
Other groups that have participated in the development of the Baseline Requirements include the AICPA/CICA WebTrust for Certification Authorities task force, the European Telecommunications Standards Institute (ETSI) Electronic Signature Initiative, and t.Scheme (UK).
Sign up now »
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
- Have an incident response plan.
- Pre-define your incident response team
- Define your approach: watch and learn or contain and recover.
- Pre-distribute call cards.
- Forensic and incident response data capture.
- Get your users on-side.
- Know how to report crimes and engage law enforcement.
- Practice makes perfect.
I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.