New Standards Proposed for Certificate Authorities

December 17, 2011

I’ve written here before about the role that Certificate Authorities (CAs) play in supplying the credentials used for secure Internet connections via the SSL/TLS protocols, which create an encrypted connection between the user’s browser and the server. Unfortunately, the existing infrastructure of CAs has its weaknesses, as exemplified by the DigiNotar hack, which involved the creation of a large number of bogus certificates and ultimately led to DigiNotar’s loss of accreditation. We have also seen stolen certificates used to digitally sign malicious software. This has put the browser vendors in an uncomfortable position, since they must decide which CAs should be trusted by default, and it led Mozilla to call for an audit of CAs.

Now, according to an article at Security Week, an industry group of CAs and browser vendors, the CA/Browser Forum, has published a new standard for CAs issuing SSL/TLS certificates.

In light of this, the CA/Browser Forum, an organization of leading CAs and other software vendors, has released the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,” an industry-wide baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser.

The group is asking browser and OS vendors to require compliance with the new standards as a condition of continuing to trust a CA’s certificates in their software. The standards, which can be downloaded here [PDF], are an attempt to codify existing best practice in a number of areas.

… the Baseline Requirements are based on best practices from across the SSL/TLS sector and touch on a number of subjects, such as the verification of identity, certificate content and profiles, CA security and revocation mechanisms. The requirements become effective July 1, 2012, and will continue to evolve to address new risks and threats.

The Forum has also requested the development of audit standards to verify compliance with the new requirements.

It is not realistic to expect that this, or any similar step, will completely block attacks against CAs. Still, it does seem to be a worthwhile improvement, and it indicates that the industry is paying attention.
