CA/Browser Forum

Last updated
CA/Browser Forum
Founded2005
TypeProfessional organization
FocusProvide internet security industry standards for certificate authorities and certificate consumers such as Internet browsers
Website cabforum.org

The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser and secure email software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.

Contents

As of May 2022, the consortium includes 54 certificate issuers, 11 certificate consumer vendors, and industry standards and audit bodies including the European Accredited Conformity Assessment Bodies’ Council (ACAB’C), the WebTrust Task Force, and the European Telecommunications Standards Institute (ETSI). [1]

Working groups

The CA/Browser Forum has these working groups:

History

In 2005, Melih Abdulhayoglu of the Comodo Group organized [2] the first meeting of CA/Browser Forum. The first meeting was held in New York City. This was followed by a meeting in November 2005 in Kanata, Ontario, and a meeting in December, 2005, in Scottsdale, Arizona with the main objective to enable secure connections between users and websites.

In addition to CA/Browser Forum members, representatives of the Information Security Committee of the American Bar Association Section of Science & Technology, Law and the Canadian Institute of Chartered Accountants participated in developing the standards for issuing and managing Extended Validation SSL/TLS certificates. Version 1.0 of the EV Guidelines was adopted on 7 June 2007. [3]

In November 2011, the CA/Browser Forum adopted version 1.0 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" intended to provide minimum security standards for all browser-trusted SSL/TLS certificates. Subsequent versions expanded the Baseline Requirements to directly incorporate requirements from browser root store policy programs such as those of Mozilla and Microsoft.

In January 2013 the CA/Browser Forum's first "Network and Certificate System Security Requirements" took effect defining best practices for the general protection of CA networks and supporting systems.

In February 2013 a new industry group, the Certificate Authority Security Council (CASC), was formed with a mission that includes promoting CA/Browser Forum standards. Membership requires adherence to CA/Browser Forum standards. [4] The CASC's founding members consisted Comodo CA (now Sectigo), Symantec (now DigiCert), [5] Trend Micro (now Entrust), DigiCert, Entrust, [6] GlobalSign [7] and GoDaddy. [8] [9] [10] [11] [12]

In August 2020, the S/MIME Certificate Working Group [13] was chartered to create a baseline requirement applicable to CAs that issue S/MIME certificates used to sign, verify, encrypt, and decrypt email.

In September 2020, the CA/Browser Forum adopted version 2.0 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates", which had previously been maintained outside the group.

In January 2023, the CA/Browser Forum adopted version 1.0 of the "Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates", It defined four types of S/MIME certificate standards. Mailbox‐validated, Organization‐validated, Sponsor‐validated and Individual‐validated. [14]

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

CAcert.org is a community-driven certificate authority that issues free X.509 public key certificates. CAcert.org relies heavily on automation and therefore issues only Domain-validated certificates.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Xcitium, formerly known as Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey.

<span class="mw-page-title-main">.onion</span> Pseudo–top-level internet domain

.onion is a special-use top level domain name designating an anonymous onion service, which was formerly known as a "hidden service", reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the Tor network.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. Code signing was invented in 1995 by Michael Doyle, as part of the Eolas WebWish browser plug-in, which enabled the use of public-key cryptography to sign downloadable Web app program code using a secret key, so the plug-in code interpreter could then use the corresponding public key to authenticate the code before allowing it access to the code interpreter’s APIs.

<span class="mw-page-title-main">Extended Validation Certificate</span> Certificate for HTTPS websites and software

An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as any other X.509 certificates, including securing web communications with HTTPS and signing software and documents. Unlike domain-validated certificates and organization-validation certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance.

<span class="mw-page-title-main">IdenTrust</span> Digital certificate authority

IdenTrust, part of HID Global and headquartered in Salt Lake City, Utah, is a public key certificate authority that provides digital certificates to financial institutions, healthcare providers, government agencies and enterprises. As a certificate authority (CA), IdenTrust provides public key infrastructure (PKI) and validation for digital certificates, including TLS/SSL certificates, email security via S/MIME certificates, digital signature certificates, code signing certificates and x.509 certificates for protecting network and IoT devices.

GlobalSign is a certificate authority and a provider of internet identity and security products. As of January 2015, Globalsign was the 4th largest certificate authority in the world, according to Netcraft.

<span class="mw-page-title-main">DigiCert</span> Internet security company

DigiCert, Inc. is a digital security company headquartered in Lehi, Utah. As a certificate authority (CA) and trusted third party, DigiCert provides public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates.

StartCom was a certificate authority founded in Eilat, Israel, and later based in Beijing, China, that had three main activities: StartCom Enterprise Linux, StartSSL and MediaHost. StartCom set up branch offices in China, Hong Kong, the United Kingdom and Spain. Due to multiple faults on the company's end, all StartCom certificates were removed from Mozilla Firefox in October 2016 and Google Chrome in March 2017, including certificates previously issued, with similar removals from other browsers expected to follow.

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

<span class="mw-page-title-main">Certificate Authority Security Council</span>

The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism that allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a "CAA" Domain Name System (DNS) resource record.

References

  1. "Members of the CA - Browser Forum - Over 50 CAs and All Major Browsers". CA/Browser Forum. Archived from the original on 2022-05-03. Retrieved 3 May 2022.
  2. "How Can We Improve Code Signing?". 9 May 2008.
  3. "GUIDELINES FOR THE ISSUANCE AND MANAGEMENT OF EXTENDED VALIDATION CERTIFICATES v1.0" (PDF). The CA/Browser Forum.
  4. "About the CA Security Council". 27 January 2013. Archived from the original on 14 July 2017. Retrieved 20 February 2014.
  5. "Let's Build a More Secure Future".
  6. "Entrust Joins World's Leading Certificate Authority".
  7. "GlobalSign joins the Certificate Authority Security Council to upgrade internet security". Archived from the original on 2015-07-02. Retrieved 2013-04-02.
  8. "Get more done with Microsoft Office 365 from GoDaddy". Archived from the original on 2013-11-11. Retrieved 2013-04-02.
  9. "Authentication Security News, Analysis, Discussion, & Community". Archived from the original on 2013-04-10.
  10. "Multivendor power council formed to address digital certificate issues - Network World". Archived from the original on 2013-07-28. Retrieved 2013-04-02.
  11. "Website Certificate Authorities Set Up Security Council for Advocacy, Research".
  12. "SSL Certificate Authority Security Council Takes Root | Electronic Staff". Archived from the original on 2014-07-14. Retrieved 2013-04-02.
  13. CA/Browser Forum S/MIME Certificate Working Group https://cabforum.org/working-groups/smime-certificate-wg/
  14. "CA/Browser Forum S/MIME Baseline Requirements" (PDF). CA/Browser Forum. Retrieved 4 April 2023.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.