Categories: SecurityWorkspace

Certificate Authority Group Formed To Push Web Security Standards

Several global certificate authorities have joined forces to create the Certificate Authority Security Council (CASC). The organisation includes Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Symantec and Trend Micro.

As certificate authorities (CAs), these companies issue digital certificates used for authentication. The group’s goal is to bring together leading certificate authorities to establish security standards, promote best practices and improve the security of the SSL ecosystem, which has sustained a number of assaults on its credibility.

Educational efforts

This work will start with a series of educational and advocacy efforts aimed at web server administrators and others that focus on online certificate status checking and revocation – specifically, the benefits of online certificate status protocol (OCSP) stapling.

According to the CASC, OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, thereby eliminating the need for relying parties to check OCSP responses with the issuing CA.

In OCSP stapling, the web server caches the response from the CA that issued the certificate.

When a SSL/TLS (Secure Sockets Layer/Transport Layer Security) handshake is initiated, the response is returned by the web server to the client by attaching the cached OCSP response to the Certificate Status message, the CASC explained.

To use OCSP stapling, a client must include the “status_request” extension with its SSL/TSL Client “Hello” message. If implemented, OCSP stapling reduces bandwidth, improves perceived site performance and increases security for everyone involved in establishing the secure session.

Wider adoption needed

There are two important things that need to happen to so that OCSP stapling is adopted more widely, said Ryan Hurst, CTO at GlobalSign. The first is that administrators need to update to more recent versions of their web servers that support this feature.

The other, he said, is that the open-source web servers begin enabling this feature by default.

“Microsoft enabled OCSP stapling by default in Windows Server 2008,” he said. “This shows that it is possible for a server to be built in such a way that this can be enabled by default and we would like to see this be the case in Apache and Nginx as well.”

“Beyond our current effort to advance SSL best practices we imagine working across a spectrum of problems where our expertise and location in the ecosystem makes us well suited to help. Two areas [in which] I expect us to do additional work includes evangelising best practices for using code signing and developing applications with public key infrastructure,” he added.

Support for other standards bodies

The CASC will also support the efforts of industry standards bodies such as the CA/Browser Forum, which in 2011 released the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” to guide the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser.

“SSL remains today the most widely deployed and successful cryptography system in the world,” said Dean Coclin, a member of the Steering Committee for the CASC, in a statement. “As a unified group of the world’s leading SSL providers, we’re collaborating on matters of highest priority, while also recognising the value of previous and recent work to continually evolve the standards, and create an industry that understands the issues involved and is committed to making the necessary enhancements.”

Are you a security pro? Try our quiz!

Originally published on eWeek.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

12 mins ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

17 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

20 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

21 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

22 hours ago