PKI Consortium blog
Posts by tag CA/Browser Forum
2015 – Looking Back, Moving Forward
January 6, 2015 by
Bruce Morton
(Entrust)
Apple
Attack
CA/Browser Forum
CAA
Chrome
Code Signing
EV
Firefox
Forward Secrecy
Google
IETF
Malware
Microsoft
MITM
Mozilla
OpenSSL
PKI
Policy
RSA
SHA1
SSL 3.0
SSL/TLS
TLS 1.0
TLS 1.2
TLS 1.3
Vulnerability
Looking Back at 2014
End of 1024-Bit Security
In 2014, the SSL industry moved to issuing a minimum security of 2048-bit RSA certificates. Keys smaller than 2048 are no longer allowed in server certificates. In addition, Microsoft and Mozilla started to remove 1024-bit roots from their certificate stores. Hopefully, the key size change will support users through to 2030.
Code Signing Baseline Requirements
October 20, 2014 by
Jeremy Rowley
CA/Browser Forum
CASC
Code Signing
Malware
Microsoft
Vulnerability
Code signing certificates are used to sign software objects to authenticate that they originated from a verified source, allowing developers to avoid warnings commonly displayed by application software vendors such as Microsoft operating systems and Java. A fraudulent code signing certificate can wreak havoc on networks, spreading malware and adware without restraint. Certificate Authorities are tasked with ensuring that code signing applicants are legitimate entities and provide accountability for use of the certificate.
Who Sets the Rules Governing Certification Authorities?
August 19, 2014 by
Kirk Hall
(Entrust)
CA/Browser Forum
Code Signing
DV
Encryption
ETSI
EV
Google
Hash Function
Identity
IETF
Microsoft
Mozilla
OCSP
Policy
Revocation
Root Program
SSL/TLS
WebTrust
Every time something positive is published about SSL and encryption,such as Google’s recent decision making use of https encryption a favorable rating factor for a website, or negative, such as the Heartbleed issue – bloggers and others always post questions about public Certification Authorities (CAs), including general questions on who sets the rules that govern CAs. Some bloggers seem to assume there are no rules or standards, and that CAs can operate without any requirements or limitations at all — that’s incorrect.
In the Wake of Unauthorized Certificate Issuance by the Indian CA NIC, can Government CAs Still be Considered “Trusted Third Parties”?
July 24, 2014 by
Ben Wilson
CA/Browser Forum
CAA
CASC
Chrome
ETSI
Firefox
Google
Microsoft
Mis-issued
Mozilla
OCSP
PKI
Policy
Revocation
SSL/TLS
Trust List
WebTrust
Short answer: Government CAs can still be considered “trusted third parties,” provided that they follow the rules applicable to commercial CAs.
Introduction
On July 8 Google announced that it had discovered several unauthorized Google certificates issued by the National Informatics Centre of India. It noted that the Indian government CA’s certificates were in the Microsoft Root Store and used by programs on the Windows platform. The Firefox browser on Windows uses its own root store and didn’t have these CA certificates. Other platforms, such as Chrome OS, Android, iOS, and OS X, were not affected. See http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
What To Do When You Rely on Internal Names in TLS/SSL Certificates
July 18, 2014 by
Wayne Thayer
Attack
CA/Browser Forum
Firefox
IANA
ICANN
Microsoft
MITM
Qualified
SSL/TLS
A deadline set by the CA/Browser Forum for the use of Internal Names is quickly approaching, and many system administrators need to understand how best to adapt to this change. At the same time, hundreds of new top-level domains are being launched, which redefines what constitutes an Internal Name. In this post we’ll explain what the changes are, why they’re being made, and how you can update your systems in response to the problem.
Benefits of Elliptic Curve Cryptography
June 10, 2014 by
Wayne Thayer
CA/Browser Forum
ECC
ECDH
ECDSA
Encryption
RSA
SSL/TLS
Elliptic Curve Cryptography (ECC) has existed since the mid-1980s, but it is still looked on as the newcomer in the world of SSL, and has only begun to gain adoption in the past few years. ECC is a fundamentally different mathematical approach to encryption than the venerable RSA algorithm. An elliptic curve is an algebraic function (y2 = x3 + ax + b) which looks like a symmetrical curve parallel to the x axis when plotted. (See figures below.) As with other forms of public key cryptography, ECC is based on a one-way property in which it is easy to perform a calculation but infeasible to reverse or invert the results of the calculation to find the original numbers. ECC uses different mathematical operations than RSA to achieve this property. The easiest way to explain this math is — for an elliptic curve, a line will only pass through three points along the curve (P, Q, and R), and that by knowing two of the points (P and Q), the other (R) can be calculated easily, but with just R, the other two, P and Q, cannot be derived.
When to Choose an Extended Validation Certificate
March 25, 2014 by
Wayne Thayer
CA/Browser Forum
EV
SSL/TLS
The telltale sign that a business has obtained an EV certificate for their website is commonly referred to as the “green bar” displayed in the browser. The exact form of the indicator varies in different desktop and mobile browsers, but is generally a green background, green font color, or green lock icon in the browser’s address bar. The name of the business entity identified by the certificate is often displayed within the green area. These indicators are meant to convey a high level of assurance to a site’s visitors about the reliability of the information in the certificate.
2014 – Looking Back, Moving Forward
January 6, 2014 by
Bruce Morton
(Entrust)
Attack
BEAST
CA/Browser Forum
CAA
Code Signing
ECC
Encryption
Forward Secrecy
HSTS
ICANN
IETF
Microsoft
MITM
Mozilla
PKI
Policy
RC4
RSA
SHA1
SSL/TLS
TLS 1.2
Looking Back at 2013
Protocol Attacks
The year started with a couple of SSL/TLS protocol attacks: Lucky Thirteen and RC4 attack. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when using the CBC-mode cipher suite. Lucky Thirteen can be mitigated by implementing software patches or preferring the cipher suite RC4.
ICANN’s Accelerated gTLD Delegation Process and How This Impacts Your Organization
December 18, 2013 by
Jeremy Rowley
Announcement
CA/Browser Forum
CASC
ICANN
MITM
Mozilla
PKI
Policy
Qualified
Revocation
SSL/TLS
Vulnerability
After the CASC’s previous letter addressing ICANN’s proposal to delegate nearly 2000 new gTLDs for use on the public Internet, ICANN identified and initiated an extensive study on two significant security issues. Now, based on the conclusions of the studies, ICANN is moving forward quickly with the delegation process, delegating more than 30 in the last two months alone. With ICANN ramping up the delegation process, nearly all 2000 will be delegated under the new rules, with only .corp and .home reserved as high risk gTLDs. This post serves as an advisory for interested network administrator on how the newest ICANN decisions may affect their networks and certificates.
How Organizations Are Authenticated for SSL Certificates
November 22, 2013 by
Kirk Hall
(Entrust)
CA/Browser Forum
CSR
DV
EV
Identity
OV
Phishing
Policy
SSL/TLS
Certification Authorities (CAs) are trusted third parties that authenticate customers before issuing SSL certificates to secure their servers.
Exactly how do CAs authenticate these organizations? And where are the rules that determine what CAs must do during authentication?
The Rules on Customer Authentication
In the past, there were no common rules applicable to CAs as to minimum steps required to authenticate a customer before issuing an SSL certificate. Instead, each CA was permitted to create its own authentication processes, and was only required to describe the process in general terms in its public Certification Practice Statement (CPS). In many cases, the CPS authentication description was vague and hard to understand, and some CAs were less diligent than others during authentication.
