Web users commonly encounter security certificates only when they get a notice that a website they intend to visit has an expired certificate. Behind the scenes, dozen of Certificate Authorities (CA) are trusted sources that issue such certificates and help maintain this system. This week, a group of CAs announced that they were creating a Certificate Authority Security Council (CASC) to support their efforts.
The initial members of CASC are Comodo, DigiCert, Entrust, GlobalSign, Go Daddy, Symantec and Trend Micro.
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are standard protocols that use public key and symmetric cryptography to maintain privacy between an end user and a Web server, and to allow end users to know that the Web server is really who it says it is. These protocols are commonly used to communicate sensitive information, such as credit card numbers, and are indicated by the use of https:// in an address or link.
TLS and SSL require the server to have a digital certificate, usually received from a Certificate Authority. The server sends its certificate to the browser, which validates the certificate and therefore the server, and a secure connection is established.
Jeremy Rowley, Associate General Counsel of DigiCert, told CMSWire that the new organization is focusing on “research, education and advocacy” involving CAs, end users, server software vendors, browsers, website administrators and standards-issuing organizations by becoming a “public resource about SSL certificates.”
From the CASC Web site
Its activities will include advancing security standards, encouraging best practices and improving what the organization describes as “the deployment of a continually trustworthy SSL ecosystem.” Rowley noted that the CASC’s membership accounts for “95 percent of all SSL certificate issued.”
A key aim of the group, he said, is to “get the message out” through education and advocacy efforts about best practices for SSL deployment, such as promoting the importance and improvement of online certificate status checking and revocation in protecting Web users from malicious certificates.
In particular, CASC’s first initiative is to promote the adoption and deployment of Online Certificate Status Protocol (OCSP) stapling as a “practical initiative that can be easily implemented.” OCSP stapling delivers status checking from the server generating the certificate, instead of relying on Web users to check with the issuing CA.
The organization's launch is timely in light of a recent IDG report indicating that many corporations are ill prepared in case of an attack, leading to compromised websites, many of which are customer facing sites.