We are excited to host the CA/Browser Forum meeting this week in Mountain View, and we have a great set of attendees from the leading browser vendors and Certificate Authorities as well as several other interested third parties. At Symantec, we believe that the CA/B Forum's efforts to improve the SSL ecosystem have become even more important given the breaches and attacks over the past year. The agenda this week is packed with important topics, including:
- Standards for improving the security related to CA operations
- Intellectual Property Sharing Policy
- Discussion on how we can evolve the CA/B Forum decision making process and how we can include the feedback from external third parties including Relying Parties
- Higher Authenticated Code Signing Certificates
- Certificate invalidation methods
One other topic sure to be discussed is the role of Domain Validated (DV) SSL certificates in our industry. Symantec's goal in the DV discussion is to ensure the best safety for the broadest range of Internet users. We are eager to listen to the other attendees and brainstorm an adjusted DV certificate strategy.
Our initial perspective is that, while DV certificates do not provide organizational authentication, they have driven broader adoption of SSL technology and encryption on the Internet. More than 60% of SSL certificates in use today are DV certificates, and encrypting this volume of traffic on the Internet is a good thing for consumers. EV and OV certificates require additional authentication steps and documentation, and Symantec is concerned that if the industry required all ecommerce sites to deploy EV or OV certificates in place of the DV certificates they currently use, some companies might opt to go without SSL altogether, reducing security on the Internet.
However, Symantec is interested in participating in a dialogue on encouraging the use of EV and OV certificates in place of DV certificates. We are also interested in discussing how we can eliminate the use of DV certificates in certain applications where authentication is important and where we believe companies will not drop the use of SSL altogether. Symantec believes that the CA/B Forum needs to consider the following issues carefully before taking action:
- Can we limit the use of DV certificates without inadvertently reducing the overall use of SSL certificates, and with it the level of encryption and security on the Internet?
- How would the industry address sites that cannot pass authentication (because there is no business entity behind them), that choose not to subject themselves to the higher level of authentication, or that will not incur the higher fees associated with EV and OV certificates?
- How often do fraudsters actually use DV certificates for criminal purposes (compared to EV and OV), and is restricting DV the most impactful step we can take toward reducing online fraud?
- What migration plan could we establish for the 60% of SSL certificates that are DV today?
- Could the browsers implement changes in the UI so that consumers can distinguish between OV and DV certificates?
- If DV certificates are acceptable for certain applications, how would CAs police certificate enrollments and objectively determine when a DV certificate is not an acceptable option? The industry would need to develop very clear and objective guidelines.
- Are there ways to increase the authentication and security of DV certificates instead of restricting their use? This could include enforcing a second level of authentication (e.g., a telephone call, a required change to a DNS record, and/or publishing a CA-supplied token on the website named in the certificate request so that the CA can verify it).
- Could the industry develop requirements for DV issuers to perform fraud checks on applicants requesting certificates for high-profile sites, financial institutions, social networks and email providers?
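The DNS-record and publish-a-token checks mentioned above are mechanical enough to sketch in code. The following is an added illustration, not code from Symantec or from any CA's validation system, of how a CA could bind a random challenge to the requested domain, have the applicant publish it either as a DNS TXT record or as a file on the site, and then verify it with an expiry and a constant-time comparison. The record name `_ca-validation`, the `/.well-known/ca-validation/` path, the seven-day validity window and the in-memory DNS and HTTP lookups are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example of a CA-side domain-control check. The applicant must
# publish a CA-supplied value at a DNS TXT record or an HTTP path under the
# domain being validated. DNS and HTTP lookups are replaced by dictionaries so
# the code runs offline; a real CA would query authoritative DNS and fetch
# the URL from the live site.

CHALLENGE_TTL = 7 * 24 * 3600          # assumed policy: challenge valid for 7 days
CA_SECRET = secrets.token_bytes(32)    # per-CA key that ties each token to a domain


def _published_value(domain, nonce):
    """The value the applicant must publish. It is an HMAC over the domain and
    a fresh nonce, so a value published for one name cannot be reused for
    another name, and the CA never has to store the value itself."""
    msg = f"{domain}|{nonce}".encode()
    return hmac.new(CA_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(domain, now=None):
    """Create a challenge record for `domain` and tell the applicant where to
    publish the value (assumed record name and path)."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    return {
        "domain": domain,
        "nonce": nonce,
        "issued": now,
        "dns_name": f"_ca-validation.{domain}",
        "http_path": f"http://{domain}/.well-known/ca-validation/{nonce}",
        "value": _published_value(domain, nonce),
    }


def verify_challenge(challenge, dns_txt, http_fetch, now=None):
    """Return (ok, reason). Accept if either the DNS TXT record or the HTTP
    file carries the expected value. Expired challenges are rejected before
    any lookup is made; comparisons are constant-time."""
    now = time.time() if now is None else now
    if now - challenge["issued"] > CHALLENGE_TTL:
        return False, "challenge expired"
    # Recompute rather than trust a stored value, so a tampered record fails.
    expected = _published_value(challenge["domain"], challenge["nonce"])
    for txt in dns_txt(challenge["dns_name"]):       # DNS method
        if hmac.compare_digest(txt.strip(), expected):
            return True, "dns"
    body = http_fetch(challenge["http_path"])        # HTTP method
    if body is not None and hmac.compare_digest(body.strip(), expected):
        return True, "http"
    return False, "no matching token found"


def make_lookups(dns_records, http_files):
    """Offline stand-ins for a DNS TXT query and an HTTP GET, backed by dicts."""
    def dns_txt(name):
        return dns_records.get(name, [])

    def http_fetch(url):
        return http_files.get(url)

    return dns_txt, http_fetch


def demo():
    """Issue -> publish -> verify for four constructed cases."""
    results = {}
    # 1. Applicant publishes the value as a DNS TXT record: passes.
    c1 = issue_challenge("example.com", now=1000.0)
    dns, http = make_lookups({c1["dns_name"]: [c1["value"]]}, {})
    results["dns_ok"] = verify_challenge(c1, dns, http, now=2000.0)
    # 2. Applicant publishes the value as a file on the site: passes.
    c2 = issue_challenge("example.net", now=1000.0)
    dns, http = make_lookups({}, {c2["http_path"]: c2["value"] + "\n"})
    results["http_ok"] = verify_challenge(c2, dns, http, now=2000.0)
    # 3. example.com's value is replayed under another domain's challenge: fails.
    c3 = issue_challenge("attacker.example", now=1000.0)
    dns, http = make_lookups({c3["dns_name"]: [c1["value"]]}, {})
    results["replay"] = verify_challenge(c3, dns, http, now=2000.0)
    # 4. Correct value, but the challenge is past its TTL: fails before lookup.
    dns, http = make_lookups({c1["dns_name"]: [c1["value"]]}, {})
    results["expired"] = verify_challenge(c1, dns, http, now=1000.0 + CHALLENGE_TTL + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Binding the published value to the domain with an HMAC is what makes the check resist the obvious shortcut of copying a token seen on one site to a different name; the expiry keeps a once-published record from validating renewals indefinitely after the applicant has lost control of the domain.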
Symantec looks forward to a productive dialogue during the CA/B Forum meeting this week on the best use of DV certificates in the context of improving overall security and encryption on the Internet.