CA/Browser Forum Update Dean Coclin CA/B Forum Co-Chair 1 What do you know about the CA/B Forum? TRUE OR FALSE: – The CA/B Forum is a formal organization – The CA/B Forum is a Standards setting body – The CA/B Forum membership is composed of all the CAs and Browsers – Non CA/B Forum CAs have to comply with the CA/B forum Baseline Requirements – The CA/B Forum publishes its agenda/minutes/proceedings to a public list – The CA/B Forum is composed of only CAs and Browsers 2 CAB Forum: A Brief History 2006       2008 2010 2012 2014 CABF starts as a loose association of CAs and browsers to draft guidelines for EV SSL Certificates Membership expands globally, currently 36 CAs and 5 browsers EV Guidelines generated and approved Baseline Requirements formulated and passed Network Security document created and finalized All publicly trusted CAs, whether members of CABF or not, must adhere to guidelines! 3 CA/B Forum members 4 Who is in the CA/B Forum? • CAs: – AS Sertifitseerimiskeskus (Estonia), Buypass (Norway), Certum (Poland), Chungwa Telecom, Comodo, D-Trust (Germany), DanID, Digicert, Digidentity, Disig, E-Tugra (Turkey), Firmaprofessional, Globalsign, GoDaddy, Izenpe (Spain), Japan Cert Services, Kamu Sertifikasyon Merkezi, Keynectis (France), KPN Corporate Market (Netherlands), Logius PKIOverheid, Prvni Certifikacni Autorita (Czech Republic), Network Solutions, QuoVadis (Bermuda), SECOM (Japan), Skaitmeninio sertifikavimo centras, Startcom (Israel), Swisscom (Switzerland), TurkTrust, Symantec, Trend Micro, Trustwave, Trustis, Taiwan CA, Wells Fargo, WoSign (China) – 28 Non-US Members • Browsers – Apple, Google, Microsoft, Opera, Mozilla • Associate Members (no vote) – Paypal, ETSI, WebTrust, US Federal PKI, ICANN 5 General Updates • • • • • • • • Baseline Requirements 1.0: Passed (1.1 added) EV Guidelines 1.4, including EV Code Signing: Passed Network Security Requirements: Passed IPR policy: Passed Various Errata: Passed Governance Reform: New proposal passed WebTrust audit criteria for BRs finalized Baseline Requirements are included in Draft ETSI TS 102 042 V2.2.3 (2012-10) and referenced as “PTC-BR Publicly-Trusted Certificate- Baseline Requirements”  CAB Forum is moving forward to effect positive changes to improve Internet security 6 CA/Browser Forum Baseline Requirements • • • • Forum had been working on Baseline Requirements for 2+ years Version 1.0 released in Fall 2011 (after Diginotar/Comodo) 1.0 did not address physical/network security Separate document developed for network security which may become part of Baseline Requirements • CABF released V1.16 to include updates and improvements to 1.0 moving to Version 1.0 Fall 2011 • Now added to audit regime! Version 1.16 Sept 2013 Network Security Requirements 7 Current Topics • 1024 bit certificates – Phase out of 1024 certs by 12/31/13 • gTLDs and private names – CA/B Forum concerns expressed to ICANN – https://cabforum.org/internal-names/ – https://cabforum.org/wp-content/uploads/Guidance-DeprecatedInternal-Names.pdf • Revocation discussions – Browsers are not consistent in using revocation methods 8 Current Topics (Working Groups) • Code Signing Working Group – Reduce the incidence of malware on Windows and Java platforms • Private Key Protection • Stronger Vetting • Information Sharing • EV Revisions Working Group – Review EV Guidelines now that several years of experience are behind – Definitions – Validation steps • Performance Working Group – Produce a document which provides best practices for getting the optimal performance from an SSL deployment 9 How can you participate? • Depends on who you are! (if not a CA or Browser) • Associate Members – Must be invited by Forum. (i.e. WebTrust, ETSI, ICANN). Cannot vote and must sign IPR. Can attend meetings • Interested Parties – Open to anyone. Can participate in Working Groups but cannot vote. Must sign IPR • Invited Guests – For a limited time, can attend meetings where applicable. No IPR agreement required 10 CA/B Forum Website Updated • https://www.cabforum.org 11 Thank you! Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 12