The CA/Browser Forum has released the “Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates,” the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software.
SSL/TLS digital certificates are used to authenticate the ownership of websites and other online resources, as well as to encrypt information for privacy as it crosses the Internet and other networks.
“SSL/TLS certificates are a critical part of the Internet’s security infrastructure, combining proven technical standards with the capability to scale to handle millions of websites and the wide array of user software,” said Tim Moses, Chairman of the CA/Browser Forum. “The new Baseline Requirements will improve the reliability and accountability of SSL/TLS issuance for relying parties by establishing baseline standards for all types of SSL/TLS certificates from all publicly-trusted CAs.”
The Baseline Requirements draw upon best practices from across the SSL/TLS sector to provide clear standards for CAs on important subjects including verification of identity, certificate content and profiles, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality, and delegation (including external sub-CAs and registration authorities). The Baseline Requirements become effective on July 1, 2012 allowing CAs time to bring their SSL/TLS policies and practices into compliance with the standard. The CA/B Forum intends to continue development of the Baseline Requirements to address the evolving risks and threats involving the issuance or use of SSL/TLS certificates.
The CA/Browser Forum was formed in 2006 and previously created the “Extended Validation” (EV) standard for SSL/TLS. EV was designed for banks and other high profile websites providing enhanced confirmation of the legitimacy of a website and the identity of its owner, consistent across all EV-issuing CAs.
“With the Baseline Requirements, for the first time we will have a consistent international standard for the issuance of all SSL/TLS, including the many variations of Domain Validation and Organisation Validation,” said Eddy Nigg of the StartCom CA. “This has been a multiyear effort involving more than 50 organisations including the major browser suppliers and CAs from around the world, as well as representatives from the Internet standards and audit/legal community along with major relying parties that use SSL/TLS.”
Certification Authority members of the CA/Browser Forum range from the large multinational CAs to smaller issuers focused on geographic regions or specific industries. Major CAs have already voiced their commitment to implement the Baseline Requirements targeting the 2012 effective date. These include CA/Browser Forum members Symantec, Go Daddy, Comodo, GlobalSign, DigiCert, Entrust, StartCom, TrustWave, QuoVadis, Certum, T-Systems, Izenpe, and BuyPass representing more than 94% of all valid public SSL/TLS according to the independent Netcraft survey.
The CA/Browser Forum has requested that internet browsers and operating systems adopt the Baseline Requirements among their conditions to distribute CA root certificates in their software. According to Kathleen Wilson of Mozilla, “Four years ago the CA/Browser Forum released the Extended Validation guidelines that established consistent standards for identity validation. The Baseline Requirements provide a foundation for best practices across the industry by defining a single, consolidated set of essential standards for all SSL/TLS certificates for the first time.”
The CA/B Forum has also requested that the major audit regimes used by CAs, WebTrust and ETSI, develop audit criteria to assess compliance with the Baseline Requirements.