Assessing the London Protocol

The London Protocol was originally proposed as a potential joint effort by CA Security Council members to combat phishing. All large commercial CAs revoke certificates for phishing websites when they are brought to their attention, but they do not proactively monitor their customers' sites, and generally do not share information about misuse of certificates with each other. When it was announced in London, the scope was expanded to include all CAs that wish to participate.

The sharing of information between CAs for security purposes was previously extensively discussed at the CA/Browser Forum’s Information Sharing Working Group, which envisioned CAs consuming high-quality threat intelligence from a variety of sources using automated and standardized protocols. In the end, nothing came of the discussion, largely because of concerns about legal liability with regards to the shared data. The goals of the London Protocol are much less ambitious, with ad hoc data being shared among participants strictly focused on the problem of phishing.

We would prefer that, if CAs are going to engage in website monitoring and information sharing, the effort address the full spectrum of fraud and abuse that exists. We would also like to see more details and clarity around how the protocol will function in practice, including how it will address concerns about the trustworthiness of the information being shared. The protocol has a phased implementation, and if these concerns are addressed during the implementation phases, we will be able to join.

Whether CAs have a role in combating phishing has at times been controversial, with some CAs believing they have no responsibility to take any action against phishing. We disagree. Phishing activity is a clear violation of our Subscriber Agreement (1.4 (iii) “make misrepresentations about your Certificate, yourself, or your affiliation with any entity, or breach the confidence of a third party”). We think CAs proactively monitoring their customers for these kinds of dangerous violations and alerting them is a positive development for the industry as a whole. For customers that are unwilling or unable to remove such non-compliant content from their sites, revocation of the site’s certificate is a reasonable response.

We are very encouraged that the protocol includes public transparency about the protocol’s impact, and look forward to hearing more at the CA/Browser Forum meeting in Shanghai in October.
