Certificate Authority Security Council

Abbreviation: CASC
Formation: February 2013
Type: Industry advocacy organization
Purpose: Exploration and promotion of best practices that advance trusted SSL deployment and CA operations, as well as the security of the Internet in general
Region served: Worldwide
Membership: 7 publicly trusted PKI authorities
Website: casecurity.org

The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.

History

The group was founded in February 2013 with the seven largest certificate authorities, issuers of SSL certificates: Comodo, Symantec, [1] Trend Micro, DigiCert, Entrust, [2] GlobalSign [3] and GoDaddy. [4] [5] [6] [7] [8] DigiCert withdrew [9] from the group on June 15, 2018.

Objectives

The CASC supports the efforts of the CA/Browser Forum and other standards-setting bodies. [10] It supports the development of enhancements that improve Secure Sockets Layer (SSL) and the operations of certificate authorities (CAs). [11] [12]

According to Robin Alden, CTO of Comodo and member of the Council, the CASC will serve as a united front for all of the CAs involved: "While not a standards-setting organization, we’re committed to supplementing standards-setting organizations by providing education, research, and advocacy on the best practices and use of SSL." [13]

Membership requirements

The CASC limits membership to SSL certificate authorities that meet their requirements for reputation, operation, and security. Members are required to undergo an annual audit and to adhere to industry standards, such as the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines. [14]

Industry initiatives

The group works collaboratively to create and define initiatives that improve the understanding of policies and their impact on Internet infrastructure.

Certificate Revocation and OCSP Stapling

The group's primary focus [15] was promoting an understanding of the importance of certificate revocation checking and the benefits of OCSP stapling. The protocol is intended to ensure that web users are made aware when they visit a web site whose SSL certificate has been revoked or has expired. [16]

Securing Software Distribution with Digital Code Signing

The group has also worked to secure software distribution with digital code signing. [17] Code signing certificates play a key role in helping users distinguish authentic software from reputable publishers and gain assurance that the code has not been tampered with since it was signed.
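The two initiatives above, revocation checking and code signing, both come down to what a relying party verifies before it trusts a signature. The Go program below is an added illustration, not code from the CASC or any of its members: it builds a constructed root CA and a publisher certificate, signs an artifact on the publisher side, and then performs the verifier-side checks of chain validation with the code-signing extended key usage, a revocation check, and the digest comparison that exposes tampering. Go's standard library has no OCSP support, so the revocation step uses a CRL issued by the same root as a stand-in for the status a stapled OCSP response would carry; the CA name, publisher name and artifact bytes are all constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable when constructing demo material, never on the verifier path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildPKI returns a constructed self-signed root (allowed to sign certificates and CRLs) with its
// key, and a publisher certificate restricted to the code-signing EKU with its key. Names are hypothetical.
func BuildPKI() (*x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, *ecdsa.PrivateKey) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Software Publisher (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return root, rootKey, issue(leafTmpl, root, &leafKey.PublicKey, rootKey), leafKey
}

// SignArtifact is the publisher side: hash the artifact and sign the digest.
func SignArtifact(key *ecdsa.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// RevokeCert is the CA side: publish a CRL that lists the given certificate's serial number.
func RevokeCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, victim *x509.Certificate) []byte {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: victim.SerialNumber, RevocationTime: time.Now()}},
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey))
}

// VerifyArtifact is the relying-party side: the signer must chain to the trusted root with the
// code-signing EKU, must be absent from a fresh CA-signed CRL (when supplied), and the signature must match.
func VerifyArtifact(trustedRoot, signer *x509.Certificate, crlDER, artifact, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if crlDER != nil {
		crl, err := x509.ParseRevocationList(crlDER)
		if err != nil {
			return fmt.Errorf("bad CRL: %w", err)
		}
		if err := crl.CheckSignatureFrom(trustedRoot); err != nil {
			return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
		}
		if time.Now().After(crl.NextUpdate) {
			return errors.New("CRL is stale; cannot treat the signer as unrevoked")
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
				return errors.New("signer certificate has been revoked")
			}
		}
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return errors.New("signature does not match the artifact (tampering or wrong key)")
	}
	return nil
}
```

VerifyArtifact deliberately fails closed: a CRL that cannot be parsed, is not signed by the trusted root, or is past its NextUpdate is treated as a reason to reject rather than as "no information", which is the same posture a browser takes when it insists on a fresh stapled OCSP response. Flipping a single byte of the artifact or presenting a signer that chains to a different root both fail before the signature is even compared.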

References

  1. "Let’s Build a More Secure Future". Symantec Connect Community.
  2. "Entrust Joins World's Leading CAs to Form Certificate Authority Security Council, Advance Internet Security and Trusted SSL Ecosystem". February 14, 2013.
  3. "The Paypers. Insights in payments". Archived from the original on 2015-07-02. Retrieved 2013-03-15.
  4. "Announcing the Certificate Authority Security Council". Inside GoDaddy.com. Archived from the original on 2013-11-11. Retrieved 2013-03-15.
  5. "Major Certificate Authorities Unite In The Name Of SSL Security". Dark Reading. Archived from the original on 2013-04-10. Retrieved 2013-03-15.
  6. "Multivendor power council formed to address digital certificate issues". Network World. Archived from the original on 2013-07-28. Retrieved 2013-03-15.
  7. "Website Certificate Authorities Set Up Security Council for Advocacy, Research".
  8. "SSL Certificate Authority Security Council Takes Root". Electronic Staff. Archived 2014-07-14 at the Wayback Machine.
  9. "Notice of Withdrawal from the CA Security Council". DigiCert Blog. DigiCert. 2018-06-15. Retrieved 2018-07-02.
  10. "About the CA Security Council". Archived from the original on 2017-07-14. Retrieved 2013-03-15.
  11. "World’s Leading Certificate Authorities Come Together to Advance Internet Security and the Trusted SSL Ecosystem". CA Security Council.
  12. "Certificate authorities band together to boost security". Network World. Archived February 25, 2014, at the Wayback Machine.
  13. "CAs Form New Alliance to Focus on Security Issues, Education". Threatpost. Archived March 8, 2013, at the Wayback Machine.
  14. "About the CA Security Council". CA Security Council. Archived from the original on 2017-07-14. Retrieved 2013-03-15.
  15. "New Certificate Authorities group promises better revocation checking". Techworld.com. Archived from the original on 2014-02-01. Retrieved 2013-03-15.
  16. "Certificate Authorities to push for better certificate-revocation checking". Computerworld.
  17. Kerner, Sean Michael. "Code Signing Seen as Effective Way to Safeguard App Security". eWeek.