To secure the web, certain standards are set that certificate authorities and browsers must meet. The Certificate Authority/Browser (CA/B) Forum is the standards-setting body that collaborates on aspects of website security. Composed of about 50 Certificate Authority (CA) and nine browser members, the CA/B Forum represents key parties in website security. The current industry standard for securing websites is TLS/SSL encryption, but there is much more that goes into online security that the Forum sets.
This post will cover some insight into how the Forum works and DigiCert’s role in it as a CA. First, let’s define what the Forum does.
Simply put, the Forum is a voluntary organization of leading CAs, like DigiCert, and vendors of internet browser software, like Google Chrome and Apple Safari. Since 2006, the Forum has defined standards for the CA industry based on industry best practices. These standards improve the ways that everyone uses TLS certificates, benefiting all internet users and securing their communications.
The Forum produces standards, called Baseline Requirements, which all public CAs, whether members of the Forum or not, must adhere to. CAs undergo audits at least annually to verify compliance with these standards, and the resulting audit reports are provided to browsers. Any deficiencies must be remediated, which may require the revocation of certificates. As a standards-issuing body, the Forum is not involved in enforcing the requirements and has no authority to grant exceptions to its requirements.
The first Forum meeting took place in 2005 and the Forum began to gain popularity and trust by 2006. In 2007, Extended Validation (EV) certificates and EV guidelines were adopted by making improvements to existing identity validation requirements, which were not standardized at the time. CAs and browsers came together informally to come up with industry standards about issuance, revocation and other security decisions. They then published Organization Validation (OV) and Domain Validation (DV) certificate standards. While founded in the U.S., over time, the Forum membership has also grown to include additional members from other regions, including Europe and Asia.
The Forum makes decisions based on knowledge from both browsers and CAs. CAs often collect information and opinions from their customers to make informed decisions and bring updates to the Forum discussions.
DigiCert is on the frontline for our customers and certificate users. We relay informed suggestions and developments to the Forum after listening to your requirements. But this can only work when all members work together and understand that best practices work best when they are based on all of the key stakeholders’ needs.
The standards for website security are not static. They adapt to industry needs and are ever-changing. The Forum revises standards through a balloting process.
Anyone in the Forum can propose an idea or change to the Baseline Requirements. Once a general consensus is reached that the proposal will benefit security or operations, the individual can put forth a ballot with the additions defined, such as with a red line over the old requirement.
The Forum holds an organized discussion around the proposed changes, and the proposer may elect to edit or completely replace the draft text in response to the discussion. Once the proposer thinks the ballot is ready, the ballot moves into the voting period. For a ballot to pass, two-thirds of CAs and a majority of browsers must vote to pass it.
The Forum communicates in a variety of ways through email lists, telephone calls, face-to-face meetings and the CA/B Forum website. The email lists where discussions take place, and minutes of all telephone calls and face to face meetings, are publicly available and can be used to track what’s going on in the Forum.
Participation is also allowed from non-voting interested parties. These interested parties can be anyone that wants to respond to what's going on in the Forum. Interested parties can post to and read mailing lists and reply but cannot vote.
In 2016, the Forum reorganized to allow for additional working groups that could work on specifications for other types of certificates, such as code signing and S/MIME. For these working groups, CAs are referred to as “Certificate Issuers,” and applications and operating systems that trust such certificates are referred to as “Certificate Consumers.” The name CA/Browser Forum is now somewhat anachronistic, as for two out of three classes of certificates, the Certificate Consumers are not browsers.
DigiCert is a co-founding CA member that participates in the Forum to ensure the internet is a safe and secure space for our customers and their users. Additionally, DigiCert employees lead several working groups within the Forum. DigiCert's Dean Coclin is the new Forum chair and chair of the Code Signing Working Group, Tim Hollebeek chairs the validation subcommittee and Stephen Davidson is the S/MIME working group chair.
Here are some of the topics DigiCert has been involved in lately:
Although the entire Forum works towards policies that enable a more secure internet, within the Forum there are differing opinions on how to get there. From DigiCert’s perspective, we advocate for policies that benefit digital security and the security industry.
Decisions made by the Forum manifest themselves in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
When making these decisions, there are always plenty of issues and discussions at the Forum meetings. No doubt this complexity will continue into the future. We anticipate further communication around the following:
In this article, we've introduced how the CA/B Forum works. Of course, we've just skimmed the surface. We also post regular updates about the Forum decisions and latest industry trends on the DigiCert blog. So, if you would like to learn more about DigiCert and the CA/B Forum rules and standards, you can keep up-to-date on our blog. If you would like more information on how DigiCert can help you, get in touch.