Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus ... · →Comodo was split in two →WoSign is distrusted...
Transcript of Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus ... · →Comodo was split in two →WoSign is distrusted...
CA/B-Forum – ‘In the News’
Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus Technologieberatung GmbH, Berlin
Page 2
Some CA/B Forum Member News
→Symantec is out of PKI Business
→Digicert has acquired website security and PKI solutions it
→Let’s Encrypt: Free SSL everywhere, but without identity
→Comodo was split in two
→WoSign is distrusted (has tried hard to come back)
→Microsoft has a new team
→Apple will support CT and reduce the number of CAs
And more gossip later…
Page 3
→ Governance Change Working Group
→ Validation Working Group
→ Policy Review Working Group
→ Network Security Working Group
→ DNS Certification Authority Authorization (CAA) (in prep.)
CA/B Forum Working Groups
Page 4
CA/Browser Forum Ballots:
→Ballot 208 – dnQualifiers →Ballot 214 – CAA Discovery CNAME Errata →Ballot 190 – BR 3.2.2.4 Validation Methods →Ballot 207 – ASN.1 Jurisdiction in EV Guidelines →Ballot 206 – Changes to IPR Policy and Bylaws re Formation of Work Groups →Ballot 209 – EV Liability →Ballot 213 – Revocation Timeline Extension →Ballot 216 – Chartering of CAA Working Group →Ballot XXX – Require CPS in RFC 3647 format →Ballot XXX – Remove "Any Other Method" from IP Address Validation →Ballot XXX – Remove requirement to obey latest version of the BRs
Page 5
Meeting 41 Berlin, Germany June 2017 D-Trust
Meeting 42 Taipei, Taiwan Oct 2017 Chunghwa Telecom
Meeting 43 Herndon, VA, USA March 2018 Amazon
Meeting 44 London, UK June 2018 Comodo
Meeting 45 Shanghai, China Oct 2018 CFCA
CA/B Forum Meetings
Page 6
Meeting 41 Berlin,
Germany June 2017 D-Trust
Meeting 42 Taipei, Taiwan Oct 2017 Chunghwa
Telecom
Meeting 43 Herndon, VA,
USA March 2018 Amazon
Meeting 44 London, UK June 2018 Comodo
Meeting 45 Shanghai,
China Oct 2018 CFCA
CA/B Forum Meetings: Berlin
Mozilla is building its own policy
Mozilla Root Store Policy 2.5:
→Detailed audit report conditions (caused by poor ETSI CPs-based audits)
→Technically constrained CAs
→Strict requirements for incident reportings
→CP publicly-disclosed and audited
→CCADB: Complete database of CA status (now supported by MS and Apple, used by Google)
→“Forbidden and Required Practices” https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Page 7
Google is building its own world
→For SSL/TLS: Certificate Transparency since 2012:
→Supports control CA and “Digital Pillories” (www.crt.sh)
→…lots of logs… a few “un-qualified”
→For S/MIME: Key Transparency since 2016: “Our goal is to evolve Key Transparency into an open-source, generic, scalable, and interoperable directory of public keys with an ecosystem of mutually auditing directories.”
https://security.googleblog.com/2017/01/security-through-transparency.html
Page 8
CT- Log CT- Log
CCA DB
CCA DB
CRT. SH
CRT. SH
One-CRL One-CRL
Process to control CAs
Page 9
Matrix: First Try
eIDAS Norm
eIDAS Qualified
CA/B-F Publicly Trusted
CA/B-F Publicly Trusted
extended
Mozilla CP
Google CT-CP
DIGSIG 319411-1 319411-2 BR - CP 2.5
S/MIME (keytransp)
SERVER-AUTH-TLS
319411-1 319411-2 QWACs
BR EV CP 2.5 CT-CP
CODE-SIGNING
- - - EV- Code-
Signing - ?
Page 10
A
Audited by CAB
ETSI EN 319 411
-1 and -2
EU Qualified Website
Authentication Certificates
ETSI QC-w-Statement
TSP included in national TSL
Requirements for QWACs
Requirements for PTC TLS
B
CA/B-EVC-Guide+
ETSI EN 319 411-1 or WebTrust+
Mozilla/Google/Apple/MS CPs
CA/B Forum EV Certificates
CA/B-EVC-OID:
Publicly trusted by browser
+Mozilla CP 2.5
+ Certificate transparency
A+
B
Requirements for PT-QWACs
Branch- specific
Country-specific
Standard-specific
Application-specific
TSP
Policy Taxonomy
Too many CPs cause pain for TSP
Page 15
eIDAS + ETSI + CEN
CA/B-Forum + Browser
Google CT
National+ Branch
Is Trust Visible?
Page 16
https://casecurity.org/wp-content/uploads/2017/03/CASC-Browser-UI-Security-Indicators.pdf
Is Trust Visible?
Page 17 https://casecurity.org/wp-content/uploads/2017/03/CASC-Browser-UI-Security-Indicators.pdf
ETSI Audit Issues
A coordinated response is needed:
→Communication between ETSI-audited PTC-TSP
→ETSI New Work Item on EN 319 403 update
→ACABc statement on audit report best practises
→Training for auditors?
→“Whitelisting” the audit bodies?
→Ballot on proposed text for audit requirements
→. . . Page 18
Questions? Dipl. Wirtsch.- Ing. Arno Fiedler Nimbus Technologieberatung GmbH Reichensteiner Weg 17 14195 Berlin [email protected] Mobile: +49-172-3053272