A consortium of companies published a set of security practices they want all web authentication authorities to follow for their secure sockets layer (SSL) certificates for browsers and other software.
The baseline requirements, published this week by the Certification Authority/Browser (CAB) Forum, should prevent security breaches that compromise the tangled web of trust that forms the underpinning of the SSL certificate system. Its release follows years of mismanagement by individual certificate authorities permitted to issue credentials that are trusted by web browsers. Most notable is this year’s breach of DigiNotar, which led to the issuance of a fraudulent certificate used to snoop on 300,000 Gmail users in Iran.
The four dozen or so members of the CAB Forum still have a way to go, since their requirements are meaningless unless the software makers who place their trust in the authorities mandate them.
And it’s not yet clear when that will come to pass. Of five browser makers queried, only Opera has committed to make compliance with the requirements a condition for including an authority’s root certificate in its software. A Mozilla official, meanwhile, said the requirements would be a part of the discussions among developers in online forums.
A Microsoft statement said the company “will work with the industry Auditors and Certificate authorities to get the new guidelines factored into the Microsoft Root Program.” A Google spokesman said Chrome trusts whatever CAs have trust in the underlying operating system. Apple did not respond.
As the terms suggest, the baseline requirements would serve as a set of industry practices each CA would need to follow to remain in good standing. Among other things, they would require them to “develop, implement, and maintain a security plan” to prevent the types of breaches that hit DigiNotar. The guidelines also mandate the reporting of breaches and the revocation of any fraudulently issued certificates that resulted, and require the use of certificates with RSA signing keys of 1024 bits or higher.
As useful as each requirement is, this week’s release only underscores the problems with the SSL system. With some 650 entities around the world authorized to issue certificates trusted by Internet Explorer, Chrome, Firefox, and other browsers, all it takes is the incompetence or malfeasance of one of them to bring the entire system down. Even if the requirements become a condition adopted by all browser makers, it’s not clear they have the will or the ability to adequately enforce the measures.