Baseline requirements for Certification Authorities (CAs) to issue SSL/TLS digital certificates have been drawn up by The CA/Browser Forum.
Following a year of incidents for CAs, with the likes of DigiNotar, GlobalSign and Comodo affected to varying degrees, The CA/Browser Forum has released the 'Baseline requirements for the issuance and management of publicly trusted certificates', the first international baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted in browser software.
Developed over the course of three years with CA guidance and input, the requirements draw upon best practices from across the SSL/TLS sector to set standards for CAs on subjects including verification of identity, certificate content and profiles, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality, and delegation (including external sub-CAs and registration authorities).
The requirements become effective on 1 July 2012 to allow CAs time to make their SSL/TLS policies and practices compliant.
Tim Moses, chairman of the forum and director of advanced security at Entrust, said the new requirements will improve reliability and accountability by establishing baseline standards for all types of SSL/TLS certificates from all publicly trusted CAs.
Asked if these were produced in response to the CA attacks over recent months, Moses told SC Magazine they had been in development for three years, but "recent incidents have focused our attention".
He said: "This is about getting 40 CAs to agree on common practices. This is a common standard for all SSL certifications as all businesses have realised that they are at acceptable levels, but there have been gaps that are not that common across all businesses."
The CA/Browser Forum has asked internet browser and operating system vendors to adopt the baseline requirements as one of their conditions for distributing CA root certificates in their software.