Industry Organization Approves Industry-wide Standard for The Issuance and Management of SSL/TLS Digital Certificates
SSL certificates are supposed to be a mechanism for authenticating the ownership of Websites.
However, numerous incidents this year have undermined the faith the IT industry has in Certificate Authorities (CAs) and their wares.
In light of this, the CA/Browser Forum, an organization of leading CAs and other software vendors, has released the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,” an industry-wide baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser.
“SSL/TLS certificates are a critical part of the Internet’s security infrastructure, combining proven technical standards with the capability to scale to handle millions of websites and the wide array of user software,” said Tim Moses, chairman of the CA/Browser Forum, in a statement. “The new Baseline Requirements will improve the reliability and accountability of SSL/TLS issuance for relying parties by establishing baseline standards for all types of SSL/TLS certificates from all publicly-trusted CAs.”
The CA/Browser Forum is requesting Web browser and operating systems vendors adopt the requirements as part of their conditions to distribute CA root certificates in their software. According to the forum, the Baseline Requirements are based on best practices from across the SSL/TLS sector and touch on a number of subjects, such as the verification of identity, certificate content and profiles, CA security and revocation mechanisms. The requirements become effective July 1, 2012, and will continue to evolve to address new risks and threats.
“The establishment of this new set of industry standards truly raises the bar on the level of security and assurance all parties can now expect from publicly-trusted CAs,” said Entrust President and CEO Bill Conner.
The CA/B Forum has also called for the development of audit criteria to assess compliance with the requirements.
“Previously Certification Authorities had to interpret overlapping standards from different software providers, regulators, and audit regimes,” said Roman Brunner, CEO of QuoVadis, in a statement. “With the Baseline Requirements the core standards are integrated in one document, clarifying responsibilities and increasing accountability for trusted CAs that issue SSL/TLS digital certificates.”
The publication of the standards came on Dec. 14, the day after CA GlobalSign announced that its investigation into a security breach earlier this year revealed that no rogue digital certificates had been issued and no customer data was exposed. The investigation was initiated in September after a hacker compromised a GlobalSign server and claimed to have gotten access to – among other things – the private key of the company’s globalsign.com domain.
In its report, GlobalSign noted that the breached Web server was not part of the certificate issuance infrastructure. Publicly available HTML pages and PDFs however were exposed, and the SSL certificate and key for www.globalsign.com were deemed compromised and subsequently revoked.
“This new SSL/TLS standard for trusted Certification Authorities is a particularly important development right now considering the increasingly dangerous cyber threat landscape,” said Fran Rosch, vice president of Identity and Authentication Services at Symantec, in a statement about the new requirements. “Symantec is dedicated to supporting this industry effort and we look forward to helping move this initiative to the next level.”
The document outlining the list of baseline requirements is available here.