Industry group creates guidelines for issuing SSL certs
The standard follows a series of embarrassing attacks this year against CAs, or companies that sell the digital SSL or TLS certificates, which are used by websites to validate their identity to visitors. The document, “Baseline Requirement for the Issuance and Management of Publicly Trusted Certificates,” released by the CA/Browser Forum, is described as the first international standard for the operation of CAs that issue digital certs.
"SSL/TLS certificates are a critical part of the internet's security infrastructure," Tim Moses, chairman of the CA/Browser Forum, said in a news release. "The new baseline requirements will improve the reliability and accountability of SSL/TLS issuance.”
The standard is based on best practices across the SSL/TLS sector, and address a number of aspects including the verification of identity, certificate content, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality.
The standard is the result of a multiyear effort by more than 50 companies, including web browser makers, CAs, representatives from internet standards bodies, and audit and legal experts. The guidelines are set to go into effect on July 1, 2012 to give CAs time adhere to them, and will be revised in the future to address new threats.
The standard is not mandatory, however, unless software vendors adopt and enforce them. The CA/Browser Forum has called on internet browser and operating system companies to make the standard compulsaory as part of their conditions to distribute CA root certificates in their products.
A number of major CAs have already committed to implementing the guidance prior to the standard becoming effective, including Symantec, Comodo, GlobalSign, DigiCert, among others.
Numerous security experts this year have said the SSL certificate system is badly broken and in need of not standards but an overhaul. When asked by email on Thursday if the standards would help matters, Moxie Marlinspike, who released a tool at the Black Hat conference last summer that replaces the traditional CA system, simply said "nope."
Marlinspike has said that the existing CA protocol lacks the ability for users to easily revise which companies they trust.
“When we look at the CA infrastructure, it really is a tangled web of trust,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told SCMagazineUS.com earlier this year.
For starters, he said, when the CA system was invented, the internet was a fraction of its current size, and only a few sites required secure communications.
In March, Comodo, a Jersey City, N.J.-based CA, revealed that hackers gained access to its system and fabricated nine certs for some top-tier sites. Then, in August, the Dutch-based CA, DigiNotar, said hackers breached its infrastructure and issued hundreds of counterfeit credentials. Experts believe the Iranian government carried out the Comodo and DigiNotar attacks to spy on private communications.
In September, GlobalSign, a Portsmouth, N.H.-based CA, said it discovered that the web server hosting its site was compromised by hackers. The company this week, however, said its investigation revealed that no rogue digital certificates had been issued and no customer data was exposed.