Logo

PKI Consortium blog

Posts by author Dean Coclin

    CA/Browser Forum Governance Reform
    May 18, 2018 by Dean Coclin Apple CA/Browser Forum Code Signing Policy S/MIME SSL/TLS

    In March 2016, the CA/Browser Forum formed a working group to review potential ways to restructure the forum. The primary goal was to examine ideas so the Forum could work on other types of standards besides TLS. Ben Wilson and I chaired this group with excellent participation from a cross functional team of browser and certificate authority representatives as well as interested parties. After 2 years of efforts, the working group produced Ballot 206 which passed in April 2017. This created new bylaws which will go into effect on July 3, 2018.

    Quantum Computing: Real or Exaggerated Threat to the Web PKI?
    August 30, 2017 by Dean Coclin, Tim Hollebeek Encryption PKI Quantum RSA SSL/TLS Web PKI

    Twenty years ago, paying your phone or electric bill involved receiving it in the mail, writing a check and mailing it back to the company. Today, that has largely been replaced by email and web-based payment submittals. All of this is secured by digital certificates and encryption, which provide privacy and authentication of information transiting the open Internet (aka Web PKI).

    The web PKI is predominantly secured by RSA encryption algorithms; mathematical theorems which have been improved over time. These algorithms depend on the difficulty of computers in factoring large prime numbers in a reasonable time. The current state of binary computers would require 6.4 quadrillion (See: https://www.digicert.com/TimeTravel/math.htm) years to solve this mathematical problem and subsequently decrypt a message.

    The Web Is Moving From HTTP to HTTPS
    November 21, 2016 by Dean Coclin Chrome Encryption Google SSL/TLS

    The four letters, “http”, are known to technical and non-technical users alike as the beginning of any web address. These have been ubiquitous for many years. But things are about to change. Pretty soon, you won’t be able to go to many popular websites just by using those 4 letters. You will need to add an “s” at the end (https). Why is this happening? What are the reasons for this change?

    Trust on the Public Web – The Consequences of Covert Action
    November 11, 2016 by Dean Coclin Apple Chrome Firefox Mis-issued Mozilla SSL/TLS

    You may have heard in the news that the Chinese Certificate Authority, WoSign, was caught backdating SHA-1 certificates to make it look like they were issued before the December 31, 2015 deadline. Why is this newsworthy?  For web-based security to remain an integral part of an ecosystem used every day by millions of people around the world, it all comes down to Trust; trust in the organization issuing the certificates, trust in the browsers that validate and display certificate information to the user, and trust by relying parties browsing web pages secured by certificates. Without trust, worldwide commerce and security on the web are at risk.

    CA/B Forum Istanbul 2015
    November 10, 2015 by Dean Coclin Chrome eIDAS Qualified Root Program WebTrust

    While some face to face meetings can be rather mundane and boring, that can’t be said about October’s CA/B Forum meeting in Istanbul, Turkey.  Guest speaker Andrea Servida from the European Commission gave an overview of the new eIDAS regulation on electronic identification and trust services. While not everyone in the room agreed with his points, all were made aware that this has now become the law in the EU and certificate authorities which plan to issue the new EU Qualified website certificates must comply with it. Unfortunately, the law appears to make it a requirement that the Certificate Authority (or Trust Service Provider-TSP as spelled out in the regulation) must be based in the EU or in a country that has an agreement with the EU. This could limit CA choices for EU website owners to only smaller CAs located in the EU, and potentially drive up certificate prices. A link to Mr. Servida’s presentation is here: https://cabforum.org/wp-content/uploads/eIDAS-Istanbul-Servida.pdf

    Think Twice Before Using DV for E-Commerce
    March 12, 2014 by Dean Coclin DV Encryption EV OV Phishing SSL/TLS

    In a previous blog (What Are the Different Types of SSL Certificates?), we described the various types of SSL certificates available from publicly trusted Certificate Authorities (CAs).  CAs are often asked by their customers which certificate type should be used for websites conducting E-Commerce, rather than for just encryption of sensitive data. For the latter case, a Domain Validated (DV) certificate will work fine. A DV cert allows for encryption to take place between the browser and the server. However, because DV certificates do not contain any identification information, they SHOULD NOT BE USED for E-Commerce.  Why? Let’s look deeper at the differences between these certificates.

    CA Day in Berlin
    January 24, 2014 by Dean Coclin eIDAS ETSI EV Microsoft PKI Qualified Root Program RSA SSL/TLS TSP

    “CA Day” (also known as CA Conformity Assessment) was hosted by the German company TuVIT in Berlin on January 16, 2014. In attendance were approximately 100 people from mostly European CAs. Under the European regulatory framework, CAs are included in a group referred to as “Trust Service Providers” or “TSPs.” CASC members in attendance at CA Day were Symantec, Digicert and Comodo. The dominant theme for this CA Day was the draft Regulation on Electronic identification and trust services for electronic transactions in the internal market (eIDAS) and upcoming changes in EU regulations for Qualified Certificates, which was briefed by Gerard Galler from the European Commission and discussed in greater detail by several European TSPs. eIDAS includes a proposal for EU Qualified Website certificates (i.e. SSL) using the Extended Validation certificate as a regulatory baseline. Under proposed Article 37, qualified website certificates could only be issued by EU Qualified CAs which have been audited according to ETSI (European Telecommunications Standards Institute) standards by an approved auditor. If promulgated by the European Parliament, the Commission would be empowered to give EU Qualified EV SSL certificates the “backing” of EU law.

    What Are the Different Types of SSL Certificates?
    August 7, 2013 by Dean Coclin DV Encryption EV Identity Phishing SSL/TLS

    Domain Validation (DV)

    A Domain Validated SSL certificate is issued after proof that the owner has the right to use their domain is established. This is typically done by the CA sending an email to the domain owner (as listed in a WHOIS database). Once the owner responds, the certificate is issued. Many CAs perform additional fraud checks to minimize issuance of a certificate to a domain which may be similar to a high value domain (i.e. Micros0ft.com, g00gle.com, b0fay.com). The certificate only contains the domain name. Because of the minimal checks performed, this certificate is typically issued quicker than other types of certificates. While the browser displays a padlock, examination of the certificate will not show the company name as this was not validated.

    Participate in our community discussions and/or join the consortium