The recent DigiNotar and Comodo Certificate Authority (CA) security breaches have once again highlighted the need to create standards for stronger security around SSL business operations and authentication processes. At Symantec, we believe that the industry needs to work together to develop stronger security policies and procedures in three areas, and then implement third-party monitoring of the CA community's adherence to these policies. These three areas are:
1. CA Infrastructure: Rigorous and diligent upkeep of CA security infrastructure is critical, components of which include:
· Specifically designed, hardened facilities and physical security measures to defend against attacks
· Hardware-based cryptographic signature systems
· Regular third-party audits
· Thorough network security and anti-malware defenses
· Vendor enforcement of dual control over certificate creation, management and issuance
· Use of authentication/registration best practices to verify ownership
· Use of a layered security model with specific physical, logical, personnel, data, network and cryptographic security controls
· A network infrastructure for running production systems that is separate from the corporate infrastructure
· Strong password management required for all systems in the infrastructure
· Strict separation of duties between individuals, with functions divided among “need to know” groups
· Log-in access to production-level systems granted only to operations personnel
· Sound, industry-standard change management processes
· Regular and automated analysis of changes to the file management system
2. Authentication Process: Symantec believes that the strongest appropriate authentication processes should always be used. In cases such as e-commerce and financial transactions, where authentication of websites is critical, we feel that Organizational Validation (OV) and Extended Validation (EV) are the appropriate standards. Domain Validated (DV) Certificates should only be used for websites where only encryption is required. The industry should also consider developing standards for Organizational Validation (OV) Certificates, since OV procedures are not currently standardized across the industry.
3. Breach Notification: No CA is fully impregnable. However, as we have learned from recent incidents, it is critical that impacted CAs follow agreed-upon standards for rapid communication to the industry and that they quickly revoke any improperly issued certificates. Early notification allows the industry to limit the risk to individual consumers and Internet businesses by reducing the window of potential malicious activity.
A secure web requires a strong, reliable, and responsible CA community, and a weak link in the industry weakens the entire system. If an individual CA is not able to meet the industry-accepted and audited security requirements related to infrastructure, authentication and notification, then it should not be allowed to issue public SSL Certificates. CAs must earn the right to issue certificates before they begin operating as an SSL provider.
We as CAs are in the very serious business of trust, and ensuring that the level of trust businesses place in us remains high is critical to the overall success of the CA community.
Browser manufacturers are also starting to chime in on the subject. For example, Mozilla recently mentioned in a group forum that they would be requiring all CAs to take certain steps to guard against intrusion and compromise. These include auditing the CA’s PKI, using multi-factor authentication within the CA’s issuance process and establishing automatic blocks on the issuance of certificates for high-profile sites, among other steps, with a call-to-action date of no later than Sept 16th, 2011 (see the entire entry here). We have checked our infrastructure here at Symantec and are confident we’ll meet Mozilla’s requirements by this date.
In the end, the reputable Certificate Authorities must work together as a community to improve practices and build stronger standards. Symantec is committed to continuing our work with the CA/Browser Forum, the Online Trust Alliance (OTA), law enforcement, academic researchers and analysts, and the broader security industry to develop ever-improving security practices.