CA/B-Forum – ‘In the News’

Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus Technologieberatung GmbH, Berlin

Page 2

Some CA/B Forum Member News

→Symantec is out of PKI Business

→Digicert has acquired website security and PKI solutions it

→Let’s Encrypt: Free SSL everywhere, but without identity

→Comodo was split in two

→WoSign is distrusted (has tried hard to come back)

→Microsoft has a new team

→Apple will support CT and reduce the number of CAs

And more gossip later…

Page 3

→ Governance Change Working Group

→ Validation Working Group

→ Policy Review Working Group

→ Network Security Working Group

→ DNS Certification Authority Authorization (CAA) (in prep.)

CA/B Forum Working Groups

Page 4

CA/Browser Forum Ballots:

→Ballot 208 – dnQualifiers →Ballot 214 – CAA Discovery CNAME Errata →Ballot 190 – BR 3.2.2.4 Validation Methods →Ballot 207 – ASN.1 Jurisdiction in EV Guidelines →Ballot 206 – Changes to IPR Policy and Bylaws re Formation of Work Groups →Ballot 209 – EV Liability →Ballot 213 – Revocation Timeline Extension →Ballot 216 – Chartering of CAA Working Group →Ballot XXX – Require CPS in RFC 3647 format →Ballot XXX – Remove "Any Other Method" from IP Address Validation →Ballot XXX – Remove requirement to obey latest version of the BRs

Page 5

Meeting 41 Berlin, Germany June 2017 D-Trust

Meeting 42 Taipei, Taiwan Oct 2017 Chunghwa Telecom

Meeting 43 Herndon, VA, USA March 2018 Amazon

Meeting 44 London, UK June 2018 Comodo

Meeting 45 Shanghai, China Oct 2018 CFCA

CA/B Forum Meetings

Page 6

Meeting 41 Berlin,

Germany June 2017 D-Trust

Meeting 42 Taipei, Taiwan Oct 2017 Chunghwa

Telecom

Meeting 43 Herndon, VA,

USA March 2018 Amazon

Meeting 44 London, UK June 2018 Comodo

Meeting 45 Shanghai,

China Oct 2018 CFCA

CA/B Forum Meetings: Berlin

Mozilla is building its own policy

Mozilla Root Store Policy 2.5:

→Detailed audit report conditions (caused by poor ETSI CPs-based audits)

→Technically constrained CAs

→Strict requirements for incident reportings

→CP publicly-disclosed and audited

→CCADB: Complete database of CA status (now supported by MS and Apple, used by Google)

→“Forbidden and Required Practices” https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Page 7

Google is building its own world

→For SSL/TLS: Certificate Transparency since 2012:

→Supports control CA and “Digital Pillories” (www.crt.sh)

→…lots of logs… a few “un-qualified”

→For S/MIME: Key Transparency since 2016: “Our goal is to evolve Key Transparency into an open-source, generic, scalable, and interoperable directory of public keys with an ecosystem of mutually auditing directories.”

https://security.googleblog.com/2017/01/security-through-transparency.html

Page 8

CT- Log CT- Log

CCA DB

CCA DB

CRT. SH

CRT. SH

One-CRL One-CRL

Process to control CAs

Page 9

Matrix: First Try

eIDAS Norm

eIDAS Qualified

CA/B-F Publicly Trusted

CA/B-F Publicly Trusted

extended

Mozilla CP

Google CT-CP

DIGSIG 319411-1 319411-2 BR - CP 2.5

S/MIME (keytransp)

SERVER-AUTH-TLS

319411-1 319411-2 QWACs

BR EV CP 2.5 CT-CP

CODE-SIGNING

- - - EV- Code-

Signing - ?

Page 10

A

Audited by CAB

ETSI EN 319 411

-1 and -2

EU Qualified Website

Authentication Certificates

ETSI QC-w-Statement

TSP included in national TSL

Requirements for QWACs

Requirements for PTC TLS

B

CA/B-EVC-Guide+

ETSI EN 319 411-1 or WebTrust+

Mozilla/Google/Apple/MS CPs

CA/B Forum EV Certificates

CA/B-EVC-OID:

Publicly trusted by browser

+Mozilla CP 2.5

+ Certificate transparency

A+

B

Requirements for PT-QWACs

Branch- specific

Country-specific

Standard-specific

Application-specific

TSP

Policy Taxonomy

Too many CPs cause pain for TSP

Page 15

eIDAS + ETSI + CEN

CA/B-Forum + Browser

Google CT

National+ Branch

Is Trust Visible?

Page 16

https://casecurity.org/wp-content/uploads/2017/03/CASC-Browser-UI-Security-Indicators.pdf

Is Trust Visible?

Page 17 https://casecurity.org/wp-content/uploads/2017/03/CASC-Browser-UI-Security-Indicators.pdf

ETSI Audit Issues

A coordinated response is needed:

→Communication between ETSI-audited PTC-TSP

→ETSI New Work Item on EN 319 403 update

→ACABc statement on audit report best practises

→Training for auditors?

→“Whitelisting” the audit bodies?

→Ballot on proposed text for audit requirements

→. . . Page 18

Questions? Dipl. Wirtsch.- Ing. Arno Fiedler Nimbus Technologieberatung GmbH Reichensteiner Weg 17 14195 Berlin arno.fiedler@nimbus-berlin.com Mobile: +49-172-3053272