More protection for SSL certificates
Three leading European Trust Service Providers – German D-Trust GmbH, SwissSign AG from Switzerland and Spanish Izenpe S.A. – have launched an initiative to develop a pan-European security system for SSL certificates. This is in response to the ‹Certificate Transparency› effort announced by Google which is designed to identify mis-issuance of certificates from Trust Service Providers and to ban them from secure Internet communications.
In July 2014, all certification authorities represented in the ‹Certification Authority Browser Forum› (CA/Browser Forum) had already adopted the ‹baseline requirements›, a set of fundamental security requirements. One of these requirements is that, as of next spring, the web browsers in use world-wide will only accept certificates with a minimum key length of 2,048 bits and a maximum validity period of five years.
In order to be able to monitor and audit these requirements, Google developed the ‹Certificate Transparency› framework. Its underlying idea is that all certificates used for secure Internet communications have to be registered and managed by log servers in a cryptographically protected log system. Any subsequent modifications of, additions to, or other manipulations of a certificate, once registered, would thus be ruled out or would be immediately detected by every browser. In a comment on the current discussion, Dr. Kim Nguyen, CEO of German D-Trust GmbH, a subsidiary of Bundesdruckerei GmbH, says: «This concept, which is especially driven by Google Chrome, will become an important cornerstone of trusted Internet communications. However, the necessary registration systems – so-called ‹certificate logs› – are so far only available from US providers, and in view of this heavily reputation-based trust model, we consider it to be extremely important that European interests are also taken into consideration.»
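To make the log mechanism described above concrete, here is an added Python sketch (not code from this press release or from any of the named providers) of the Merkle tree hash, audit path and verification that Certificate Transparency logs use, following RFC 6962; the log entries are constructed placeholders standing in for certificates.

```python
import hashlib

def _leaf_hash(entry: bytes) -> bytes:
    # Leaves and interior nodes get distinct prefixes (RFC 6962 section 2.1).
    return hashlib.sha256(b"\x00" + entry).digest()

def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962 section 2.1).
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(entries: list) -> bytes:
    """Tree hash over all entries; the value a log signs and publishes."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return _leaf_hash(entries[0])
    k = _split(len(entries))
    return _node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def inclusion_proof(entries: list, index: int) -> list:
    """Audit path: sibling hashes from the leaf at `index` up to the root."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]

def verify_inclusion(entry: bytes, index: int, size: int,
                     proof: list, root: bytes) -> bool:
    """Recompute the root from one entry plus its audit path; a client needs
    only this, not the whole log, to check that a certificate is registered.
    Any change to the entry or to the path yields a different root."""
    def walk(idx, n, path):
        if n == 1:
            return _leaf_hash(entry) if not path else None
        if not path:
            return None
        k, sibling, rest = _split(n), path[-1], path[:-1]
        if idx < k:
            sub = walk(idx, k, rest)
            return None if sub is None else _node_hash(sub, sibling)
        sub = walk(idx - k, n - k, rest)
        return None if sub is None else _node_hash(sibling, sub)
    return walk(index, size, proof) == root

# Constructed sample log: five placeholder entries standing in for certificates.
SAMPLE_LOG = [b"cert-%d" % i for i in range(5)]
```

A monitor that stores the published root can detect a replaced entry because neither the old audit path nor the new tree reproduces that root.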
Piloting an independent certificate log
Against this background, the stakeholders D-Trust, SwissSign and Izenpe decided to launch a pilot for a separate certificate log which is to support the Certificate Transparency model via a fully independent log infrastructure. «We consider our move primarily as a process of clarifying and possibly expanding the Certificate Transparency model», says Urs Fischer, CEO of SwissSign, explaining the aims of the initiative. The operation of a first test server at Spanish partner Izenpe is expected to provide new insights, thus enabling a more concrete discussion than before about the possibilities of an independent European log infrastructure. It also makes it possible to coordinate this with global web browser providers, such as Google, Apple, Microsoft or Mozilla. The key aims of the initiative remain to preserve the green address line (green bar) in the browser, which informs the Internet user about the trustworthiness of a connection, and to represent the interests of all providers in the international CA/Browser Forum. Should the US security model prevail, there are concerns that individual certificates could lose the tried-and-tested quality seal of the green Extended Validation logo despite high security standards.