CA/B Forum Update on EV Certificate Improvements

DigiCert actively participates in several industry standards groups and discussions. This year many in-person events have been canceled due to COVID-19 restrictions, which makes it harder to build relationships through side conversations that foster advancement. However, we remain committed to improving internet security, whether through in-person or virtual discussions. The CA/Browser (CA/B) Forum held a virtual face-to-face event two weeks ago, where browsers and CAs considered several important initiatives. Here are a few highlights.

Potential EV Enhancements

DigiCert remains focused on the importance of identity in online transactions. At the recent CA/B Forum meeting we summarized our work on EV improvements since we introduced four new ideas for improving EV certificates at the meeting in Greece last June. We also highlighted additional ideas to help relying parties confirm that the subject of the certificate is, in fact, the organization they expect, such as:

  • how long the company has been in business (to distinguish sites that have operated for many years from newly created ones),
  • where it is headquartered, and
  • what its business category is.

It was pointed out that this information need not be contained in the certificate itself, and we agree. The certificate could carry a globally unique identifier for the organization, with the more detailed information stored elsewhere and looked up by the relying party. This is exactly the strategy banks rely on when they use Legal Entity Identifiers (LEIs) to identify organizations. DigiCert still supports the inclusion of LEIs in certificates and believes they could give relying parties a much richer set of information when making trust decisions.

DigiCert will continue to speak with interested parties from across the internet spectrum to gather their feedback on which EV improvements would enhance trust and security on the web, and we will bring those ideas forward to the CA/B Forum. Where possible, we may also implement the best proposals unilaterally.

S/MIME Ballot Passed

The CA/B Forum recently passed a ballot to create a new working group on minimum security standards for publicly trusted S/MIME certificates. The working group's first two priorities are certificate profiles for S/MIME certificates and uniform validation rules for email addresses, whether validation is done by confirming control of the mailbox itself or of the entire domain. The working group's charter also explicitly calls out the importance of real-world identities in digital certificates and allows requirements for them to be discussed. We look forward to this important work to strengthen email encryption and security.

Sharing Compromised Key Databases

Recently, there has been a lot of discussion about whether it is appropriate to issue certificates for key pairs that are known to be compromised, as these certificates do not provide the security guarantees expected from a digital certificate. The consensus in the ecosystem is that, at the very least, certificate authorities (CAs) should not issue certificates for keys that have been previously reported to them as compromised.

For the same reasons, it would be better if CAs also did not issue certificates for keys that other CAs already know to be compromised. To that end, during this forum DigiCert announced that other CAs will be allowed to query our compromised key database and to submit their own compromised keys to it.
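To make the pre-issuance check concrete, here is an added example; it is not DigiCert's code and does not describe the actual query interface of its database. It assumes the database is keyed by the SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo (SPKI), so that the same key matches whether it arrives in a CSR, a certificate or a bare PEM block; the `CompromisedKeyRegistry` class, the toy-sized RSA modulus and the "other-ca" reporter are constructed for illustration. The DER encoder is written by hand so the example runs with the standard library alone.

```python
import base64
import hashlib
import textwrap

# --- Minimal DER encoder (standard library only) ----------------------------

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key (RFC 5280 / RFC 8017 layout)."""
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    # BIT STRING: the first content octet is the number of unused bits (0 here).
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))

# --- Container handling: the fingerprint is taken over DER, never over PEM ---

def spki_to_pem(spki_der: bytes) -> str:
    b64 = base64.b64encode(spki_der).decode("ascii")
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")

def pem_to_spki(pem: str) -> bytes:
    body = [line for line in pem.strip().splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, hex encoded (assumed database key)."""
    return hashlib.sha256(spki_der).hexdigest()

# --- Shared compromised-key database (constructed in-memory stand-in) --------

class CompromisedKeyRegistry:
    def __init__(self):
        self._reports = {}  # fingerprint -> set of parties that reported it

    def report(self, spki_der: bytes, reporter: str) -> str:
        """Record a compromised key; any CA may submit. Returns the fingerprint."""
        fp = spki_fingerprint(spki_der)
        self._reports.setdefault(fp, set()).add(reporter)
        return fp

    def is_compromised(self, spki_der: bytes) -> bool:
        return spki_fingerprint(spki_der) in self._reports

    def reporters(self, spki_der: bytes) -> set:
        return set(self._reports.get(spki_fingerprint(spki_der), set()))

def may_issue(registry: CompromisedKeyRegistry, spki_der: bytes) -> bool:
    """Pre-issuance gate: refuse any key the shared database lists as compromised."""
    return not registry.is_compromised(spki_der)

if __name__ == "__main__":
    # Constructed toy modulus 3233 = 61 * 53; real keys are thousands of bits.
    leaked = rsa_spki_der(3233, 17)
    registry = CompromisedKeyRegistry()
    print("before report:", may_issue(registry, leaked))   # True
    registry.report(leaked, "other-ca")                     # reported by a different CA
    # The same key arriving as a PEM block hashes to the same fingerprint.
    print("after report :", may_issue(registry, pem_to_spki(spki_to_pem(leaked))))  # False
    print("reported by  :", registry.reporters(leaked))
```

The point of hashing the DER SPKI rather than the PEM text or the whole CSR is that one compromised key usually shows up in several forms (a leaked PEM file, a CSR submitted to a second CA, a certificate already issued by a third), and a database keyed by the canonical public-key encoding catches all of them with a single entry.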

Working With ETSI

At its latest meeting, the European Telecommunications Standards Institute (ETSI) officially approved DigiCert's membership application from last year. ETSI sets the standards for digital certificates and electronic signatures in Europe, and ETSI, like European law, has long recognized the value of real-world identities in public key infrastructures. DigiCert has worked closely with ETSI for some time, and membership will help us strengthen our efforts to support and improve digital certificate standards for Europe.

Future Discussion Items

The CA/B Forum continues to look at updates to the EV Code Signing guidelines and the Network Security Guidelines. Elsewhere, DigiCert also remains involved with defining standards for post-quantum certificates and with ANSI X9 regarding a new public key infrastructure for financial use cases. Look for future updates from us on these topics and more.
