CA Day 2014
Ben Wilson, Chair Emeritus, CA/Browser Forum
Report prepared for ETSI CA Day
Berlin, Tuesday, 4 November 2014
Outline
- Internal CA/Browser Forum developments of 2014
- Newsworthy events of 2014
- Key discussions that have occurred within the Forum
- Update on CA/B Forum Working Groups
  - Code Signing Working Group
  - Policy Review Working Group
  - Security Information Sharing Working Group
- Current discussions
- Future developments
Forum Developments
- New CA/Browser Forum website plus Bugzilla tracking
- Membership has grown substantially
- New Chair (Dean Coclin) and Vice Chair (Kirk Hall)
- We have revisited and discussed the scope of CA/B Forum activity
- Implementation of the CA/B Forum Baseline Requirements by CAs, auditors, and browsers (together with the Network and Certificate System Security Requirements)
- More gTLDs have been added to the registry by ICANN
News of 2014
- Implementation of Certificate Transparency (CT) in 2015
- SHA-1 deprecation and transition away from it by 2017
- Heartbleed vulnerability in OpenSSL, and the lack of advance warning that CAs might need to reissue certificates
- Indian sub-CA compromise, raising concern about audit and oversight of government-run CAs
- Elimination of SSL v3 and move toward TLS-only in response to POODLE
2014 Discussions
- What is an "SSL certificate" for purposes of applying the Baseline Requirements?
  - Does the presence of the id-kp-serverAuth EKU determine whether the Baseline Requirements apply?
  - Is a "poison" certificate extension a way to exempt a certificate from their scope?
- How can subordinate CAs be technically constrained?
- How fresh or stale may validation information be when a certificate is renewed?
- Should CAs issuing EV certificates carry insurance?
- Browsers programmatically screen for violations and leave procedural and management controls to auditors
Working Groups
- Code Signing Baseline Requirements
- Extended Validation review: revised definitions and tightened up the language used to describe vetting processes
- Certificate Policy Review
- Security Information Sharing Working Group
- SSL Performance Working Group (disbanded)
Code Signing Baseline Requirements
- Better key protection
  - Threat: key compromise, takeover attack
  - Section 16.3 levels: 1 - TPM; 2 - FIPS 140-2 Level 2 or Common Criteria EAL4 hardware; 3 - USB token
  - Section 11.7 escalation after a compromise: strike 1 - no USB; strike 2 - audit; strike 3 - permission
- Unique, registration-based identifier, or a non-sequential unique ID generated by the CA with more than 20 bits of entropy
- Better communication about malware with AV vendors
- High-risk regions (geographic locations): left blank
- Database / blacklist: referred to the Security Information Sharing Working Group
- Signing service platforms
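Two items in this deck are easiest to appreciate in code: the "how can subordinate CAs be technically constrained?" question from the 2014 Discussions slide, and the point above about CA-generated, non-sequential identifiers with real entropy (the slide states it for code-signing certificates; the same rule applies to any serial number). The Go program below is an added example and is not code from the deck or from any Forum document. It builds a root, a sub-CA technically constrained by a critical nameConstraints extension (permitted subtree example.com) and a serverAuth-only EKU, issues a leaf under that sub-CA with a CSPRNG-derived serial, and then path-validates the leaf with Go's crypto/x509 the way a relying party would. The names, key type, validity periods and the 64-bit serial width are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ca struct { // a certificate with the private key that signs under it
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// randomSerial draws 64 bits from the CSPRNG (well above the ">20 bits of entropy"
// minimum on the slide) shifted into [1, 2^64], since a DER INTEGER serial must be positive.
func randomSerial() (*big.Int, error) {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	return s.Add(s, big.NewInt(1)), nil
}

// issue signs tmpl under parent (self-signed when parent is nil) with a fresh P-256 key.
// Issuance never checks the parent's name constraints: enforcement happens at path validation.
func issue(tmpl *x509.Certificate, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = randomSerial(); err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}

// caTemplate builds a CA template; with constrained set it carries the two technical constraints:
// a critical nameConstraints extension permitting only example.com and below, and a serverAuth-only EKU.
func caTemplate(cn string, constrained bool) *x509.Certificate {
	t := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if constrained {
		t.PermittedDNSDomainsCritical = true
		t.PermittedDNSDomains = []string{"example.com"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// VerifyUnderConstrainedSubCA builds root -> constrained sub-CA -> leaf for dnsName and
// path-validates the leaf. It returns nil for an accepted chain; a leaf outside the permitted
// subtree is issued but rejected with x509.CertificateInvalidError (CANotAuthorizedForThisName).
func VerifyUnderConstrainedSubCA(dnsName string) error {
	root, err := issue(caTemplate("Example Root", false), nil)
	if err != nil {
		return err
	}
	sub, err := issue(caTemplate("Example Constrained Sub-CA", true), root)
	if err != nil {
		return err
	}
	leaf, err := issue(&x509.Certificate{
		DNSNames:    []string{dnsName},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(sub.cert)
	_, err = leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

func main() {
	fmt.Println(VerifyUnderConstrainedSubCA("www.example.com"), VerifyUnderConstrainedSubCA("www.example.org"))
}
```

Running it prints `<nil>` for www.example.com and a name-constraint error for www.example.org: the sub-CA's signature on the out-of-scope leaf is perfectly valid, which is exactly why the constraint has to live in the sub-CA certificate where every relying party evaluates it, rather than in the CA's procedures where only an auditor would.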
Policy and Info Sharing WGs
- Policy Review Working Group
  - Review CA/B Forum guideline documents with an eye toward conformity, coordination and consistency
  - Identify gaps in CA/Browser Forum policies by
    - reviewing NIST IR 7924 and the Network Security Requirements
    - mapping ETSI and WebTrust audit criteria
- Security Information Sharing Working Group
  - Structure a system that minimizes the potential for legal liability (e.g. libel, unfairness or lack of due process) when reporting or maintaining data or listings
Current Discussions
- Policy Object Identifiers (OIDs) and OID processing
  - Should standard OIDs identify publicly trusted SSL certificates?
- 72-hour certificates without revocation pointers
  - Who blinks first? Can't browsers build a work-around?
- Omitting S= (stateOrProvinceName) and L= (localityName) in Subject DNs where the country (C=) is small
  - Taiwan, BVI, Vatican, Singapore, Bermuda, etc.
- Scope of SHA-1 deprecation (e.g. private PKIs, OCSP)
- Financial responsibility requirements for CAs
  - Current assets greater than current liabilities, etc.
Insurance and Liability
- Insurance covers accidental loss but not moral hazard (indifference to safety and security standards)
- Auditing compliance with standards leads to reduced risk, insurability, and affordable insurance
- Insurance and auditing together create market-based regulation
- Risk is assumed by the party best positioned to reduce it
- TSPs and assessors may be liable for providing a false sense of security, because of the information asymmetry between them and relying parties
The More Things Change …
- Certification Authority Authorization (CAA) records: April 15, 2015
- OCSP stapling: working on a Must-Staple OID
  - Browser processing and UI display
  - Better understanding of how things work
- SHA-1 deprecation: Microsoft, Mozilla and Google
  - Better planning, coordination and advance communication of plans
- Heartbleed: better notification of threats in the future
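The CAA item above is a DNS check a CA performs before issuing, and the decision logic is small enough to show in full. The Go program below is an added example, not code from the deck or from any CA: it implements the RFC 6844 "relevant record set" rule (climb from the requested name toward the root and stop at the first non-empty CAA RRset), then decides whether a given CA may issue, using `issuewild` for wildcard requests, treating an `issue` value of ";" as "no CA", stripping `;`-separated parameters before comparing the issuer domain, and refusing to issue on any unrecognised property that carries the issuer-critical flag. The zone data and the CA names (ca-a.example, ca-b.example) are constructed for the example; a real CA would replace the map lookup with DNS queries.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord mirrors CAA RDATA (RFC 6844): flags, property tag and value.
type CAARecord struct {
	Flags uint8  // bit 7 (128) is the "issuer critical" flag
	Tag   string // "issue", "issuewild", "iodef", ...
	Value string
}

// Zone is a constructed stand-in for DNS answers, keyed by FQDN with a trailing dot.
// Nothing here is live data; a real CA would query each name.
var Zone = map[string][]CAARecord{
	"example.com.":        {{0, "issue", "ca-a.example"}, {0, "issuewild", ";"}, {0, "iodef", "mailto:security@example.com"}},
	"other.example.net.":  {{0, "issue", "ca-b.example; account=12345"}},
	"locked.example.org.": {{128, "futuretag", "unknown"}},
}

// relevantRRset climbs from name toward the root and returns the first non-empty
// CAA RRset, which is the one that governs issuance for name.
func relevantRRset(zone map[string][]CAARecord, name string) (string, []CAARecord) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := range labels {
		fqdn := strings.Join(labels[i:], ".") + "."
		if rrs := zone[fqdn]; len(rrs) > 0 {
			return fqdn, rrs
		}
	}
	return "", nil
}

// Permits reports whether the CA identified by caDomain may issue for name
// (a leading "*." requests a wildcard certificate), together with the reason.
func Permits(zone map[string][]CAARecord, name, caDomain string) (bool, string) {
	name = strings.ToLower(name)
	wildcard := strings.HasPrefix(name, "*.")
	name = strings.TrimPrefix(name, "*.")
	fqdn, rrs := relevantRRset(zone, name)
	if rrs == nil {
		return true, "no CAA records from " + name + " up to the root: issuance is unrestricted"
	}
	var issue, issuewild []string
	for _, rr := range rrs {
		switch strings.ToLower(rr.Tag) {
		case "issue":
			issue = append(issue, rr.Value)
		case "issuewild":
			issuewild = append(issuewild, rr.Value)
		case "iodef":
			// reporting address only; it never restricts issuance
		default:
			if rr.Flags&128 != 0 {
				return false, "unrecognised critical property " + rr.Tag + " at " + fqdn
			}
		}
	}
	props := issue
	if wildcard && len(issuewild) > 0 {
		props = issuewild // issuewild takes precedence for wildcard requests
	}
	if len(props) == 0 {
		return true, "no applicable issue/issuewild property at " + fqdn
	}
	for _, v := range props {
		// the issuer domain ends at the first ";"; anything after it is parameters
		domain := strings.TrimSpace(strings.SplitN(v, ";", 2)[0])
		if domain != "" && strings.EqualFold(domain, caDomain) {
			return true, fmt.Sprintf("%s authorised by %q at %s", caDomain, v, fqdn)
		}
	}
	return false, fmt.Sprintf("%s not listed in %v at %s", caDomain, props, fqdn)
}

func main() {
	for _, req := range []struct{ name, ca string }{
		{"www.example.com", "ca-a.example"},
		{"www.example.com", "ca-b.example"},
		{"*.example.com", "ca-a.example"},
		{"host.other.example.net", "ca-b.example"},
		{"www.locked.example.org", "ca-a.example"},
		{"nocaa.example.test", "ca-a.example"},
	} {
		ok, why := Permits(Zone, req.name, req.ca)
		fmt.Printf("%-24s %-13s permitted=%-5v %s\n", req.name, req.ca, ok, why)
	}
}
```

The two cases worth noticing are the wildcard request, which is denied by `issuewild ";"` even though `issue` names the same CA, and the unknown critical property, which denies every CA: the critical flag exists precisely so that a future restriction is fail-closed for CAs that have not implemented it.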
References and Resources
- Outsourcing Regulation: How Insurance Reduces Moral Hazard, http://repository.law.umich.edu/law_econ_current/art47
- Tort Liability to Those Injured by Negligent Accreditation Decisions, Peter Schuck (1994), http://www.jstor.org/stable/1192062
- The Liability of Private Certification Bodies for Pure Economic Loss: Comparing English and Italian Law, Matteo Ferrari (2010), 1 JETL 266, http://dx.doi.org/10.1515/jetl.2010.266
Thanks! 
Ben Wilson
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 

Recently uploaded (20)

20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 

CA Day 2014

  • 7. Code Signing Baseline Requirements
    - Better Key Protection
      - Threat: Key Compromise, Takeover Attack
      - Section 16.3 Levels: 1 - TPM, 2 - FIPS Level 2/EAL4, 3 - USB
      - Sec. 11.7 - strike 1: no USB, strike 2: Audit, strike 3: Permission
    - Unique, Registration-based Identifier or non-sequential unique ID generated by CA with > 20 bits of entropy
    - Better Communication about Malware w/ AV Vendors
    - High-Risk Regions (Geographic Locations) - Blank
    - Database / Blacklist -> Security Info Sharing W.G.
    - Signing Service Platforms
  • 8. Policy and Info Sharing WGs
    - Policy Review Working Group
      - Review CA/B Forum guideline documents with an eye toward conformity, coordination and consistency
      - Identifying gaps in CA/Browser Forum policies by
        - Reviewing NIST IR 7924 and Network Security Requirements
        - Mapping ETSI and WebTrust audit criteria
    - Security Information Sharing Working Group
      - Structure a system that minimizes potential for legal liability (e.g. libel, unfairness/lack of due process, etc.) when reporting or maintaining data or listings
  • 9. Current Discussions
    - Policy Object Identifiers (OIDs) and OID processing
      - Should standard OIDs identify publicly trusted SSL?
    - 72-Hour Certificates without Revocation Pointers
      - Who blinks first? Can't browsers build a work-around?
    - Omitting S= and L= in Subject DNs where C is small
      - Taiwan, BVI, Vatican, Singapore, Bermuda, etc.
    - Scope of SHA1 Deprecation (e.g. private PKIs, OCSP)
    - Financial responsibility requirements for CAs
      - Current Assets greater than Current Liabilities, etc.
  • 10. Insurance and Liability
    - Insurance covers accidental loss but not moral hazards (indifference to safety and security standards)
    - Auditing compliance with standards leads to reduced risk, insurability, and affordable insurance
    - Insurance and auditing create market-based regulation
    - Risk assumed by party best in position to reduce risk
    - TSPs and Assessors may be liable for providing false sense of security due to information asymmetry
  • 11. The More Things Change ...
    - Certificate Authority (CAA) Records – April 15, 2015
    - OCSP Stapling – Working on Must-Staple OID
      - Browser processing and UI display
      - Better understanding of how things work
    - SHA1 Deprecation – Microsoft, Mozilla and Google
      - Better planning, coordination and advance communication of plans
    - Heartbleed – Better notification of threats in the future
  • 12. References and Resources
    - Outsourcing Regulation: How Insurance Reduces Moral Hazard, http://repository.law.umich.edu/law_econ_current/art47
    - Tort Liability to Those Injured by Negligent Accreditation Decisions, Peter Schuck (1994), http://www.jstor.org/stable/1192062
    - The Liability of Private Certification Bodies for Pure Economic Loss: Comparing English and Italian Law, Matteo Ferrari (2010) 1 JETL 266, http://dx.doi.org/10.1515/jetl.2010.266

Editor's Notes

  1. There was discussion early in the year on Pre-Certificates and the Number of Trusted Logs. Mid-year it became more apparent that Google was not waiting for RFC 6962-bis.