Security, privacy and data protection should be top priorities for all Certificate Authorities (CAs). As with all best practices, the strength of a solution is only as strong as its weakest link. Unfortunately, several CAs have experienced serious operational and security oversights which have diminished trust in the SSL ecosystem. Fortunately, up to now the majority of these incidents have been detected and neutralized before significant harm occurred. The risk and likelihood of future harm and damages underscore the urgency of raising the bar and of the voluntary adoption of best practices by CAs.
In response to these threats, and drawing on feedback solicited from CAs, security experts, relying parties and government agencies, this paper outlines practices that organizations should demand from their CAs. It is important to note that there are other efforts working in parallel that should not be discounted, and which require collaboration by operating system vendors, browser vendors, and relying-party sites. Collectively we have a shared responsibility to improve the protection of the SSL "chain of trust".
Given the important role of CAs in online trust, it is important for the public to know the highest industry standards. In this white paper, the OTA surveys the current online trust landscape and presents a collection of CA best practices that enhance trust. Looking ahead, OTA will publish the names of those CAs that self-assert in writing their commitment to and adoption of the practices outlined. While OTA does not endorse any CA, OTA will highlight those CAs as "north stars" to serve as an aid for businesses when considering and seeking a CA committed to security and privacy best practices.
Future SSL papers will address other best practices. Some of these promising solutions include Certificate Transparency, Certificate Pinning and Always On SSL. Other recommended practices, such as hard-failing the SSL connection when revocation checking fails, DNSSEC with Certification Authority Authorization (CAA) resource records, and OCSP Stapling, will be reviewed and recommended. Together, these approaches call for a holistic effort to protect the PKI/CA/SSL ecosystem, from tools and hardware to processes and procedures.