Certificate Authorities Form Web Security Standard Advocacy Group
Several global certificate authorities have joined forces to create the Certificate Authority Security Council (CASC).
The organization includes Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Symantec and Trend Micro. As certificate authorities (CAs), these companies issue digital certificates used for authentication.
The group’s goal is to bring together leading certificate authorities to establish security standards, promote best practices and improve the security of the SSL ecosystem, which has sustained a number of assaults on its credibility.
This work will start with a series of educational and advocacy efforts aimed at Web server administrators and others that focus on online certificate status checking and revocation—specifically, the benefits of online certificate status protocol (OCSP) stapling.
According to the CASC, OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, thereby eliminating the need for relying parties to check OCSP responses with the issuing CA. In OCSP stapling, the Web server caches the response from the CA that issued the certificate.
When a SSL/TLS (Secure Sockets Layer/Transport Layer Security) handshake is initiated, the response is returned by the Web server to the client by attaching the cached OCSP response to the Certificate Status message, the CASC explained. To use OCSP stapling, a client must include the “status_request” extension with its SSL/TSL Client “Hello” message.
If implemented, OCSP stapling reduces bandwidth, improves perceived site performance and increases security for everyone involved in establishing the secure session.
There are two important things that need to happen to so that OCSP stapling is adopted more widely, said Ryan Hurst, CTO at GlobalSign. The first is that administrators need to update to more recent versions of their web servers that support this feature. The other, he said, is that the open-source Web servers begin enabling this feature by default.
"Microsoft enabled OCSP stapling by default in Windows Server 2008," he said. "This shows that it is possible for a server to be built in such a way that this can be enabled by default and we would like to see this be the case in Apache and Nginx as well."
"Beyond our current effort to advance SSL best practices we imagine working across a spectrum of problems where our expertise and location in the ecosystem makes us well suited to help. Two areas [in which] I expect us to do additional work includes evangelizing best practices for using code signing and developing applications with public key infrastructure," he added.
The CASC will also support the efforts of industry standards bodies such as the CA/Browser Forum, which in 2011 released the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" to guide the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser.
"SSL remains today the most widely deployed and successful cryptography system in the world," said Dean Coclin, a member of the Steering Committee for the CASC, in a statement. "As a unified group of the world’s leading SSL providers, we’re collaborating on matters of highest priority, while also recognizing the value of previous and recent work to continually evolve the standards, and create an industry that understands the issues involved and is committed to making the necessary enhancements."