Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Standard For Issuance of SSL/TLS Certificates

Posted by Soulskill on from the new-model-new-flaws dept.

wiredmikey writes "In light of the many security breaches and incidents that have undermined the faith the IT industry has in Certificate Authorities (CAs) and their wares, the CA/Browser Forum, an organization of leading CAs and other software vendors, has released the 'Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,' an industry-wide baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser. The CA/Browser Forum is requesting Web browser and operating system vendors adopt the requirements (PDF) as part of their conditions to distribute CA root certificates in their software. According to the forum, the Baseline Requirements are based on best practices from across the SSL/TLS sector and touch on a number of subjects, such as the verification of identity, certificate content and profiles, CA security and revocation mechanisms. The requirements become effective July 1, 2012, and will continue to evolve to address new risks and threats."

1 of 62 comments (clear)

  1. Sure you can. by khasim · · Score: 4, Interesting

    You can't have encryption without authentication, ...

    Sure you can. Encryption by itself does not mean secure communications. Bruce Schneier has a great book on the subject, "Practical Cryptography".

    ... otherwise anyone can stand between you and the endpoint and impersonate the other end.

    That does not mean that the transmissions are not encrypted. Just that the communications channel is compromised. But transmission between you and the MitM are encrypted. As are communications between the MitM and the site you think you're connected to.

    Which gets to the core problem. The way it is currently set up depends upon too many points of failure with no way to validate any of the connections.

    How do you KNOW that the site you've connected to is your bank in the USofA? Are you going to check to see that the CA issuing that certificate is not based out of Romania?

    And the reason that it is set up this way is because it is EASIER for the banks to pass on any losses to the customer or business. Change that and you'll see fixes happening.

    Right now your computer accepts a SINGLE source for encryption and "authentication". There should be at least 2 or 3 different checks.