PKI Consortium blog
Posts by tag CA/Browser Forum
One Year Certs
July 9, 2020 by
Patrick Nohe
(GlobalSign)
Apple
CA/Browser Forum
DV
Google
Identity
Microsoft
PKI
Policy
Root Program
SHA1
SHA2
SSL/TLS
Starting on September 1st, SSL/TLS certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple at the CA/Browser Forum Spring Face-to-Face event in Bratislava back in March.
Don’t ‘Compromise’ Your Code Amid Malware Mayhem
May 12, 2020 by
Abul Salek
(Sectigo)
CA/Browser Forum
Code Signing
EV
FIPS
HSM
Malware
Microsoft
Phishing
SSL/TLS
Code Signing Certificates demand a price premium in the underground online marketplace. This is no surprise considering that criminals sometimes use them to dupe their potential victims into installing malware in their machine.
The CA Security Council Looks Ahead to 2020 and Beyond
January 9, 2020 by
Patrick Nohe
(GlobalSign),
Doug Beattie
(GlobalSign)
Apple
CA/Browser Forum
Chrome
Edge
Encryption
EV
Firefox
Forward Secrecy
GDPR
Google
Identity
Microsoft
Mozilla
PKI
Policy
Qualified
SSL 3.0
SSL/TLS
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
Web PKI
A whirlwind of activity will cause dramatic shifts across the PKI world in the year ahead
Suffice it to say that 2019 was filled with challenges and contentiousness as Certificate Authorities and Browsers began to watch their shared visions diverge. The debate around Extended Validation continued as CAs pushed for a range of reforms and browsers pushed to strip its visual indicators. And a ballot to shorten maximum certificate validity periods exposed fault-lines at the CAB Forum.
Online Identity Is Important: Let’s Upgrade Extended Validation
October 21, 2019 by
Patrick Nohe
(GlobalSign)
Apple
CA/Browser Forum
Chrome
Code Signing
Encryption
EV
Google
Identity
Mozilla
Phishing
SSL/TLS
It’s time for the CA/Browser Forum to focus on the other half of its mandate
Let’s have a candid discussion about Extended Validation SSL. What’s working. What’s NOT. And what can be done to fix it so that all parties involved are satisfied.
Why Are You Removing Website Identity, Google and Mozilla?
August 27, 2019 by
Kirk Hall
(Entrust),
Tim Callan
(Sectigo)
CA/Browser Forum
Chrome
DV
Encryption
EV
Firefox
GDPR
Google
Identity
Malware
Mozilla
Phishing
SSL/TLS
You can’t have consumer privacy without having strong website identity
Today there’s a huge wave toward protecting consumer privacy – in Congress, with the GDPR, etc. – but how can we protect user privacy on the web without establishing the identity of the websites that are asking for consumer passwords and credit card numbers? Extended Validation (EV) certificates provide this information and can be very useful for consumers.
9 Common Myths About CAs
August 1, 2019 by
Tim Callan
(Sectigo)
CA/Browser Forum
CASC
Code Signing
Encryption
ETSI
Identity
Malware
PKI
Qualified
Revocation
SSL/TLS
Vulnerability
WebTrust
Over the years misconceptions about CAs and the SSL infrastructure have arisen. Below is a list of common myths related to SSL and CAs.
Myth #1: CAs are not regulated
Fact: CAs are subject to various checks and balances, including third-party qualified audits through WebTrust or ETSI and strict criteria set forth by leading browsers, before they are accepted in browser root stores. Similarly, the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines establish global standards for certificate issuance and CA controls that will soon be included in third-party auditing standards. Browsers are free to use these requirements to exclude non-compliant CAs from the root store.
What Are Subordinate CAs and Why Would You Want Your Own?
June 26, 2019 by
Doug Beattie
(GlobalSign)
CA/Browser Forum
Chrome
Code Signing
CRL
ECC
eIDAS
Encryption
EV
HSM
Identity
Microsoft
OCSP
PKI
Policy
Revocation
RSA
S/MIME
SSL/TLS
Digital certificate and PKI adoption has changed quite a bit in recent years. Gone are the days where certificates were only synonymous with SSL/TLS; compliance drivers like stronger authentication requirements and digital signature regulations (e.g. eIDAS) have greatly expanded the role of PKI within the enterprise.
As PKI usage has expanded, conversation has moved beyond just the number and type of certificates needed and onto deeper dialogue about custom PKI deployments. A large part of the conversation is around subordinate CAs, sometimes referred to as Issuing or Intermediate CAs, and why an organization might want their own. Let’s discuss.
2019 – Looking Back, Moving Forward
January 3, 2019 by
Bruce Morton
(Entrust)
Attack
CA/Browser Forum
Certificate Expiry
Chrome
Code Signing
DV
ECC
EV
Forward Secrecy
Identity
Mis-issued
Phishing
PKI
Policy
Qualified
Revocation
RSA
SSL/TLS
TLS 1.0
TLS 1.3
Vulnerability
Looking Back at 2018
2018 was an active year for SSL/TLS. We saw the SSL/TLS certificate validity period drop to 825-days and the mass deployment of Certificate Transparency (CT). TLS 1.3 protocol was finally completed and published; and Chrome status bar security indicators changing to remove “secure” and to concentrate on “not secure.” The CA/Browser Forum has been reformed, the London Protocol was announced and the nearly full distrust of Symantec SSL completed. Here are some details on some of the 2018 happenings in the SSL/TLS ecosystem.
CASC Announces Launch of London Protocol to Improve Identity Assurance and Minimize Phishing on Identity Websites
June 27, 2018 by
CA Security Council
Attack
CA/Browser Forum
CASC
DV
EV
Identity
OV
Phishing
SSL/TLS
LONDON – (June 27, 2018) – The Certificate Authority Security Council (CASC), an advocacy group committed to the advancement of the security of websites and online transactions, announced at the CA/Browser Forum event in London the launch of the London Protocol – an initiative to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain organization identity information (Identity Certificates).
CA/Browser Forum Governance Reform
May 18, 2018 by
Dean Coclin
Apple
CA/Browser Forum
Code Signing
Policy
S/MIME
SSL/TLS
In March 2016, the CA/Browser Forum formed a working group to review potential ways to restructure the forum. The primary goal was to examine ideas so the Forum could work on other types of standards besides TLS. Ben Wilson and I chaired this group with excellent participation from a cross functional team of browser and certificate authority representatives as well as interested parties. After 2 years of efforts, the working group produced Ballot 206 which passed in April 2017. This created new bylaws which will go into effect on July 3, 2018.