CA/Browser Forum Update
Dean Coclin
CA/B Forum Co-Chair
What do you know about the CA/B Forum?
TRUE OR FALSE:
– The CA/B Forum is a formal organization
– The CA/B Forum is a Standards setting body
– The CA/B Forum membership is composed of all the CAs and Browsers
– Non CA/B Forum CAs have to comply with the CA/B Forum Baseline Requirements
– The CA/B Forum publishes its agenda/minutes/proceedings to a public list
– The CA/B Forum is composed of only CAs and Browsers
CAB Forum: A Brief History
Timeline, 2006 to 2014:
• CABF starts as a loose association of CAs and browsers to draft guidelines for EV SSL Certificates
• Membership expands globally, currently 36 CAs and 5 browsers
• EV Guidelines generated and approved
• Baseline Requirements formulated and passed
• Network Security document created and finalized
All publicly trusted CAs, whether members of CABF or not, must adhere to guidelines!
CA/B Forum members
Who is in the CA/B Forum?
• CAs:
– AS Sertifitseerimiskeskus (Estonia), Buypass (Norway), Certum (Poland), Chunghwa
Telecom, Comodo, D-Trust (Germany), DanID, Digicert, Digidentity, Disig, E-Tugra
(Turkey), Firmaprofessional, Globalsign, GoDaddy, Izenpe (Spain), Japan Cert Services,
Kamu Sertifikasyon Merkezi, Keynectis (France), KPN Corporate Market (Netherlands),
Logius PKIOverheid, Prvni Certifikacni Autorita (Czech Republic), Network Solutions,
QuoVadis (Bermuda), SECOM (Japan), Skaitmeninio sertifikavimo centras, Startcom
(Israel), Swisscom (Switzerland), TurkTrust, Symantec, Trend Micro, Trustwave, Trustis,
Taiwan CA, Wells Fargo, WoSign (China)
– 28 Non-US Members
• Browsers
– Apple, Google, Microsoft, Opera, Mozilla
• Associate Members (no vote)
– Paypal, ETSI, WebTrust, US Federal PKI, ICANN
General Updates
• Baseline Requirements 1.0: Passed (1.1 added)
• EV Guidelines 1.4, including EV Code Signing: Passed
• Network Security Requirements: Passed
• IPR policy: Passed
• Various Errata: Passed
• Governance Reform: New proposal passed
• WebTrust audit criteria for BRs finalized
• Baseline Requirements are included in Draft ETSI TS 102 042 V2.2.3 (2012-10)
and referenced as “PTC-BR Publicly-Trusted Certificate - Baseline Requirements”
• CAB Forum is moving forward to effect positive changes to improve Internet
security
CA/Browser Forum Baseline Requirements
• Forum had been working on Baseline Requirements for 2+ years
• Version 1.0 released in Fall 2011 (after Diginotar/Comodo)
• 1.0 did not address physical/network security
• Separate document developed for network security which may become part
of Baseline Requirements
• CABF released V1.16 to include updates and improvements to 1.0
• Now added to audit regime!
[Timeline graphic: Version 1.0 (Fall 2011) moving to Version 1.16 (Sept 2013) plus Network Security Requirements]
Current Topics
• 1024 bit certificates
– Phase out of 1024 certs by 12/31/13
• gTLDs and private names
– CA/B Forum concerns expressed to ICANN
– https://cabforum.org/internal-names/
– https://cabforum.org/wp-content/uploads/Guidance-DeprecatedInternal-Names.pdf
• Revocation discussions
– Browsers are not consistent in using revocation methods
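The two policy items above (1024-bit certificates phased out by 12/31/13, and the deprecation of internal names in publicly trusted certificates) are the kind of thing a defender wants to scan an inventory for. The following is an added example, not material from the slides or from the CA/B Forum: it audits a constructed list of certificate summaries (plain dicts with key type, key size, expiry and subjectAltNames, rather than parsed X.509 objects, which is an assumption made to keep it dependency-free) and reports 1024-bit RSA keys still valid past the phase-out date and SAN entries that look like internal names. The internal-name heuristic (reserved IP literals, single-label hostnames, `.local` per RFC 6762) and the 2048-bit minimum are assumptions; a full public-suffix lookup is out of scope.

```python
import ipaddress
from datetime import date
from typing import Dict, List

# Deadline taken from the slide: phase out of 1024-bit certificates by 12/31/13.
RSA_1024_SUNSET = date(2013, 12, 31)
# Assumption: 2048 bits is the minimum RSA key size accepted after the phase-out.
MIN_RSA_BITS = 2048


def is_internal_name(name: str) -> bool:
    """Heuristic classifier for 'internal' subjectAltName values.

    Flags IP literals in private/loopback/link-local/reserved/unspecified
    space, single-label hostnames (not resolvable in public DNS), and names
    under the mDNS-only .local domain (RFC 6762). Assumption: no public-suffix
    list is consulted, so some internal names can slip through this check.
    """
    name = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None  # not an IP literal, treat it as a DNS name below
    if ip is not None:
        return (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_unspecified)
    labels = name.split(".")
    if len(labels) < 2:
        return True  # unqualified hostname such as "mail"
    return labels[-1] == "local"


def check_certificate(cert: Dict) -> List[str]:
    """Return policy findings for one certificate summary.

    The summary is a constructed dict (subject, key_type, key_bits, not_after,
    sans) standing in for a parsed X.509 certificate.
    """
    findings = []
    if cert["key_type"] == "RSA" and cert["key_bits"] < MIN_RSA_BITS:
        if cert["not_after"] > RSA_1024_SUNSET:
            findings.append(
                f"{cert['key_bits']}-bit RSA key valid until {cert['not_after']}, "
                f"past the {RSA_1024_SUNSET} phase-out date")
        else:
            findings.append(
                f"{cert['key_bits']}-bit RSA key: reissue with a key of at least "
                f"{MIN_RSA_BITS} bits on renewal")
    for san in cert.get("sans", []):
        if is_internal_name(san):
            findings.append(f"internal name in subjectAltName: {san}")
    return findings


def audit(certs) -> Dict[str, List[str]]:
    """Map each certificate's subject to its list of findings (empty means clean)."""
    return {c["subject"]: check_certificate(c) for c in certs}


# Constructed sample inventory for demonstration; these are not real certificates.
SAMPLE_CERTS = [
    {"subject": "www.example.com", "key_type": "RSA", "key_bits": 1024,
     "not_after": date(2014, 6, 30),
     "sans": ["www.example.com", "example.com"]},
    {"subject": "mail.example.com", "key_type": "RSA", "key_bits": 2048,
     "not_after": date(2015, 1, 1),
     "sans": ["mail.example.com", "mail", "10.0.0.5", "exchange.corp.local"]},
    {"subject": "secure.example.com", "key_type": "RSA", "key_bits": 2048,
     "not_after": date(2015, 1, 1),
     "sans": ["secure.example.com"]},
]

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE_CERTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{subject}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the dicts would be filled from an inventory export or from a certificate parser; the policy logic itself does not change. A 1024-bit certificate expiring before the deadline is still reported, because it must not be renewed with the same key size.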
Current Topics (Working Groups)
• Code Signing Working Group
– Reduce the incidence of malware on Windows and Java platforms
• Private Key Protection
• Stronger Vetting
• Information Sharing
• EV Revisions Working Group
– Review EV Guidelines now that several years of experience are behind us
– Definitions
– Validation steps
• Performance Working Group
– Produce a document which provides best practices for getting the optimal
performance from an SSL deployment
How can you participate?
• Depends on who you are! (if not a CA or Browser)
• Associate Members
– Must be invited by the Forum (e.g. WebTrust, ETSI, ICANN). Cannot vote and
must sign IPR. Can attend meetings
• Interested Parties
– Open to anyone. Can participate in Working Groups but cannot vote.
Must sign IPR
• Invited Guests
– For a limited time, can attend meetings where applicable. No IPR
agreement required
CA/B Forum Website Updated
• https://www.cabforum.org
Thank you!
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.