Reeling in the wake of hacks that disrupted the certificate authority (CA) industry earlier this year, CA issuers are converging around a new self-imposed standard that sets baseline requirements for the security methods used to identify trusted Web sites online.
The CA/Browser Forum, a voluntary industry body representing 94 percent of public CA issuers, has co-ordinatedover 50 organisations throughout the drafting process and last week released the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (BRIMPTC) document (PDF) to improve the way member organisations manage SSL/TLS digital certificates that are used to identify trustworthy Web sites to users' browsers.
BRIMPTC, which was this week endorsed by major certificate issuer Entrust, includes clauses that clarify the warranties a CA makes when it issues a certificate — including the right to use a domain name or an IP address, authorisation for a certificate, accuracy of information, a ban on misleading information, requirements for ascertaining applicant identities, the nature of the subscriber agreement, and more.
For example, participating CAs must issue a publicly-available Certificate Policy or Certification Practice Statement, structured in line with RFC 2527 or RFC 3647, that clarifies the CA's commitment to comply with BRIMPTC's requirements and discloses any Cross Certificates that identify the CA as the subject.
CAs must also develop and document formal data security programs and risk assessments, security plans and business continuity programs that ensure the availability of their operations. BRIMPTC specifies 15 criteria that must be addressed within the business continuity plan.
BRIMPTC also covers the information to be collected from applicants for a CA, the structure and minimum standards for the information to be held about them, verification practices, and more. Importantly, section 10.2.4 of the document mandates encryption, prohibits the archiving of the Subscriber Private Key and demands the immediate revocation of any CA that has been "communicated to an unauthorized person".
This last requirement is an explicit acknowledgement of the threat posed by hackers earlier this year, when Dutch certificate authority DigiNotar was compromised and hackers were able to use leaked CA digital certificates to issue their own certificates for a broad range of secure Web sites. DigiNotar was liquidated weeks later after it was found the CA's root certificate had been used to produce over 500 false SSL certificates.
A similar attack hit CA Comodo earlier this year, with the [[xref:http://www.cso.com.au/article/400077/comodo_hacker_taunt_halts_globalsign_ssl_certificates/|'Comodo Hacker' claiming he had also breached DigiNotar's systems]] and had attacked Global Sign, the world's fifth-largest CA issuer. The revelations caused panic as Global Sign stopped issuing certificates and CA authorities circled their wagons to protect their livelihoods.
BRIMPTC is being promoted as an important baseline standard for CA practice, with the guidelines also been pitched to Web browser and operating system makers as a precondition for the distribution of CA root certificates in the software they produce. Future versions may include the handling of certificates for secure communication using VoIP, S/MIME, Web services, instant messaging and other forms of communication.