Building Trust 7 March 2013

Raising the Bar on End-To-End Trust – A Guide for CAs & Their Customers

Security, privacy and data protection should be top priorities for all Certificate Authorities (CAs). As with all best practices, the strength of a solution is only as strong as its weakest link. Unfortunately, several CAs have experienced serious operational and security oversights which have diminished trust in the SSL ecosystem. Fortunately, up to now the majority of these incidents have been detected and neutralized before significant harm occurred. The risk and likelihood of future harm and damages underscore the urgency of raising the bar and the voluntary adoption of best practices by CAs.

In response to these threats, and drawing on feedback from CAs, security experts, relying parties and government agencies, this paper outlines practices that organizations should demand from their CAs. It is important to note that other efforts are working in parallel that should not be discounted, and these require collaboration by operating systems, browser vendors, and the relying-party sites. Collectively we have a shared responsibility to improve the protection of the SSL "chain of trust".

Given the important role of CAs in online trust, it is important for the security community to know the highest industry standards. In this white paper, the OTA surveys the current online trust landscape and presents a collection of CA best practices that enhance trust. Looking ahead, OTA will publish the names of those CAs who self-assert in writing their commitment to and adoption of the practices outlined. While OTA does not endorse any CA, OTA will highlight those CAs as "north stars" to serve as an aid for businesses when considering and selecting a CA committed to security and privacy best practices.

Future SSL papers will address other best practices. Some of these promising solutions include Certificate Transparency, Certificate Pinning and Always On SSL. Other recommended practices, such as hard-failing the SSL connection when revocation checking fails, DNSSEC with Certification Authority Authorization (CAA) Resource Records, and OCSP Stapling, will be reviewed and recommended. These new measures call for a holistic approach to protecting the PKI/CA/SSL ecosystem, from tools and hardware to processes and procedures.
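As an added illustration, not taken from the OTA paper, the following Python sketch shows the decision that the CAA Resource Records mentioned above let a CA make before issuing: it climbs from the requested name toward the zone apex to find the relevant CAA set (the RFC 8659 lookup), honours the issuer-critical flag, and applies the `issue` / `issuewild` rules, including the "issue ;" form that forbids all issuance. The zone contents and CA names are constructed sample data, and the code assumes the records have already been fetched and DNSSEC-validated by a resolver.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Property tags this checker understands. An unknown tag carrying the
# issuer-critical flag (bit 0x80) must cause issuance to be refused.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record in DNS presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = line.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed sample zone (not real DNS data): owner name -> CAA record lines.
SAMPLE_ZONE_LINES = {
    "example.com.": [
        '0 issue "ca-one.example; accounturi=https://ca-one.example/acct/123"',
        '0 issuewild ";"',  # no CA may issue wildcard certificates
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.": ['0 issue ";"'],  # no CA may issue at all
    "legacy.example.": ['128 futuretag "opaque"'],  # critical, unknown property
}
ZONE: Dict[str, List[CAARecord]] = {
    name: [parse_caa(line) for line in lines]
    for name, lines in SAMPLE_ZONE_LINES.items()
}


def _ancestors(name: str):
    """Yield the name itself, then each parent up to (but excluding) the root."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Optional[List[CAARecord]]:
    """RFC 8659 lookup: the first non-empty CAA RRset found while climbing toward the apex."""
    for name in _ancestors(fqdn):
        records = zone.get(name)
        if records:
            return records
    return None  # no CAA anywhere in the chain: issuance is unrestricted


def _issuer_matches(value: str, ca_domain: str) -> bool:
    # The issuer domain is everything before the first ';'; parameters are ignored here.
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def ca_may_issue(fqdn: str, ca_domain: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """Return True if a CA identified by ca_domain is authorized to issue for fqdn."""
    records = relevant_caa_set(fqdn, zone)
    if records is None:
        return True
    # Refuse if any critical property is one we do not understand.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in records):
        return False
    wildcard = fqdn.startswith("*.")
    chosen = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not chosen:  # non-wildcard names, or wildcard names with no issuewild property
        chosen = [r for r in records if r.tag == "issue"]
    if not chosen:  # CAA present but no issue/issuewild property: unrestricted
        return True
    return any(_issuer_matches(r.value, ca_domain) for r in chosen)


if __name__ == "__main__":
    for name, ca in [("www.example.com.", "ca-one.example"),
                     ("www.example.com.", "other-ca.example"),
                     ("*.example.com.", "ca-one.example"),
                     ("host.locked.example.", "ca-one.example")]:
        print(f"{ca:18} -> {name:22} {'ALLOW' if ca_may_issue(name, ca, ZONE) else 'DENY'}")
```

A CA that hard-fails on a lookup it cannot complete or validate (rather than treating an error as "no records") is the posture the paper's hard-fail recommendation points at; the same climbing logic can be run by a site operator to audit what its own CAA records actually permit.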
