Connect with us

Hi, what are you looking for?


Network Security

CA Industry Group Creates New Standard for Issuance of SSL/TLS Certificates

Industry Organization Approves Industry-wide Standard for The Issuance and Management of SSL/TLS Digital Certificates

SSL certificates are supposed to be a mechanism for authenticating the ownership of Websites.

Industry Organization Approves Industry-wide Standard for The Issuance and Management of SSL/TLS Digital Certificates

SSL certificates are supposed to be a mechanism for authenticating the ownership of Websites.

However, numerous incidents this year have undermined the faith the IT industry has in Certificate Authorities (CAs) and their wares.

In light of this, the CA/Browser Forum, an organization of leading CAs and other software vendors, has released the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,” an industry-wide baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser.

SSL/TLS Certificate Standards“SSL/TLS certificates are a critical part of the Internet’s security infrastructure, combining proven technical standards with the capability to scale to handle millions of websites and the wide array of user software,” said Tim Moses, chairman of the CA/Browser Forum, in a statement. “The new Baseline Requirements will improve the reliability and accountability of SSL/TLS issuance for relying parties by establishing baseline standards for all types of SSL/TLS certificates from all publicly-trusted CAs.”

The CA/Browser Forum is requesting Web browser and operating systems vendors adopt the requirements as part of their conditions to distribute CA root certificates in their software. According to the forum, the Baseline Requirements are based on best practices from across the SSL/TLS sector and touch on a number of subjects, such as the verification of identity, certificate content and profiles, CA security and revocation mechanisms. The requirements become effective July 1, 2012, and will continue to evolve to address new risks and threats.

“The establishment of this new set of industry standards truly raises the bar on the level of security and assurance all parties can now expect from publicly-trusted CAs,” said Entrust President and CEO Bill Conner.

The CA/B Forum has also called for the development of audit criteria to assess compliance with the requirements.

Advertisement. Scroll to continue reading.

“Previously Certification Authorities had to interpret overlapping standards from different software providers, regulators, and audit regimes,” said Roman Brunner, CEO of QuoVadis, in a statement. “With the Baseline Requirements the core standards are integrated in one document, clarifying responsibilities and increasing accountability for trusted CAs that issue SSL/TLS digital certificates.”

The publication of the standards came on Dec. 14, the day after CA GlobalSign announced that its investigation into a security breach earlier this year revealed that no rogue digital certificates had been issued and no customer data was exposed. The investigation was initiated in September after a hacker compromised a GlobalSign server and claimed to have gotten access to – among other things – the private key of the company’s domain.

In its report, GlobalSign noted that the breached Web server was not part of the certificate issuance infrastructure. Publicly available HTML pages and PDFs however were exposed, and the SSL certificate and key for were deemed compromised and subsequently revoked.

“This new SSL/TLS standard for trusted Certification Authorities is a particularly important development right now considering the increasingly dangerous cyber threat landscape,” said Fran Rosch, vice president of Identity and Authentication Services at Symantec, in a statement about the new requirements. “Symantec is dedicated to supporting this industry effort and we look forward to helping move this initiative to the next level.”

The document outlining the list of baseline requirements is available here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...