Transparency, Collaboration Are Essential to Advancing Certificate Industry
The CA Security Council (CASC) was originally conceived as a group that would focus on CA advocacy and education, while emphasizing CA collaboration on key issues regarding certificate use, certificate problems, and security best practices. This was to be done outside of the CA/Browser Forum primarily because:
- The CA/B Forum is an industry standards group, which meant education and research related to digital certificates was out of scope
- The CA/B Forum lacked the funding to accomplish some of the joint industry improvement efforts
- There was an obvious and urgent need to rapidly increase the security posture of large public CAs
- The CA/B Forum is focused on minimum standards rather than new innovation and improvements in the CA industry, and no other organization existed to discuss these improvements
- Sometimes there are issues that only impact CAs, not browsers, which makes the CA/B Forum an inappropriate place for the discussion
The intent was to collaborate with the Forum and work with the members there using the CASC budget to advance certificate security and innovation. CASC was formed to provide a unified CA industry response to the poor practices of a few CAs and to raise the bar for what the community could expect from the leading companies.
Over the years, CASC has:
- Published blogs to help educate readers on various security topics
- Built an identity for the CASC
- Maintained an informative website that was used as a resource by those interested in CA operations and best practices
- Worked on solutions for supporting the KeyGen functionality that was deprecated by the browsers
Recently, CASC has drifted in a direction that DigiCert does not support. DigiCert has always promoted increased diversity in membership and more public transparency. Instead of increasing membership by inviting all CAs, CASC has not welcomed new participants.
We also think that the recent and sole focus on Identity does not fulfil the purpose for which CASC was created. DigiCert has always supported EV certificates and we strongly believe in the value of identity provided by CAs. However, we also value continuous improvement to the entire ecosystem. That includes improving EV certificates through an open process in the CA/B Forum Validation Working Group, but it also includes other aspects of security that build our credibility as an organization.
Making meaningful improvements to EV requires a collaborative approach and outside input from all stakeholders to create the best solution. EV should include technical and business improvements that meaningfully convey security and identity information to relying parties. While some of the proposed improvements are a step in the right direction, more needs to be done to ensure EV is available for legitimate businesses, easier to get and more secure for relying parties. We believe this should be a community-driven and public effort as opposed to one developed behind closed doors in CASC.
DigiCert strongly feels a return to CASC’s original goals will enhance its reputation and the value of CASC’s material. For CASC to become the industry leader we’d hoped, CASC needs to:
- Permit all CAs to join
- Shift its focus from solely defending EV SSL certificates to tools and research that provide an unbiased improvement to user knowledge and ease of certificate use
- Provide transparency and become a resource by engaging actively and directly with the security community to address concerns and incorporate user feedback
DigiCert believes these items are key to improving certificate use and security. We want to create a community of entities interested in PKI from a use and improvement position to complement the CA/B Forum’s focus on industry standards. We look forward to global participation in making CA operations transparent and addressing many of the industry questions that continue to arise.