SSL/TSL EV Certificates

Size: px

Start display at page:

Download "SSL/TSL EV Certificates"

Andrew Atkinson
6 years ago
Views:

1 SSL/TSL EV Certificates CA/Browser Forum Exploratory seminar on e-signatures for e-business in the South Mediterranean region November 2013, Amman, Jordan Moudrick DADASHOW CEO, Skaitmeninio Sertifikavimo Centras, Lithuania

2 History and development 1991 concept of secure sockets (end-point authentication, data confidentiality and integrity) 1993 SNP - Secure Network Programming (secure network programming for the masses) 1995 SSL - Secure Sockets Layer (a proprietary protocol, by Netscape) 1996 SSL version 3.0 (in 2011 published as RFC 6101) CA/Browser Forum 1999 TLS - Transport Layer Security (an open IETF protocol, ver. 1.0: RFC 2246, ver. 1.2: RFC 5246, 2008)

3 CA/Browser Forum Major characteristics Privacy (based on cryptographic encryption) Integrity (based on digital signature) Application independence (web browsing, , software updating, DB access, VPN and others) Authentication (based on X.509 certificates)

4 CA/Browser Forum Frameworks (BS 7799, EU Recommendation on ITSEC, ABA DS Guidelines) (EU Requirements for TTP - EG , IETF RFC 2527, NIST IR COTS PP) (ANSI X9.79, WebTrust for CAs, ETSI TS / , ABA PKI GL) (CA / Browser Forum EV SSL GL, ISO 27001/ISO 27002) (ETSI EN /3, CA/B Forum BR, NIST IR 7924, ISO 27007/27008)

5 CA/Browser Forum developments CA/Browser Forum Voluntary consortium (37 CAs, 5 OS/Browser vendors, other interested parties, no regulatory or industry powers over its members) Membership Requirements (Members: Issuing/Root CA or OS/Browser supplier. Bylaws, IPR) Interested parties: IPR, Bylaws, PA. Activities: WG/Meetings/Public ML) Work principles (Agenda-setting/Problem-identification, Teleconference/Face to Face meetings, Rules Drafting, Decision Making/Voting, Implementation, Evaluation) Conduct (IPR Policy, Antitrust Laws and Regulations, no product/service promotion or restriction activities)

6 CA/Browser Forum documents CA/Browser Forum EV SSL Certificate Guidelines Version (effective 7/09/2013) Network and CS Security Requirements (effective 1/01/2013) Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version (effective 7/29/2013) Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates (Draft version)

7 EV SSL Certificate CA/Browser Forum Purpose Subject controls a Web site, encrypted communications Legitimacy of a business operating a Web site EV Certificate doesn't represent or warrant: Subject is actively doing business Subject complies with laws, is trustworthy, honest, or reputable; It is safe to do business with the Subject

8 EV SSL Certificate CA/Browser Forum Certificate Warranties Legal Existence, Identity, Right to Use Domain Name, Authorization for EV Certificate, Accuracy of Information, Subscriber Agreement, Status, Revocation Applicant Warranties Accuracy of Information, Protection of Private Key, Acceptance of Certificate, Use of Certificate, Reporting and Revocation, Termination of Use of Certificate, Responsiveness, Acknowledgment and Acceptance

9 EV SSL Certificate CA/Browser Forum Applicability CA and its Root CA satisfy the requirements, CP/CPS Implementation and Disclosure, Commitment to Comply with EVG: precedence over CA's EV policy document, Insurance) Eligibility (Private, Government, Business and Non-Commercial Entities) Content (EV Certificate Profile, Certificate Request Requirements)

10 EV SSL Certificate CA/Browser Forum Verification Requirements Verification of Applicant s Legal, Physical, Operational Existence Domain Name ownership Authority of Contract Signer and Certificate Approver, Signature on Subscriber Agreement and EV Certificate Requests, Approval of EV Certificate Request Requirements to CAs Certificate Issuance by a Root CA, Certificate Revocation and Status Checking, Employee and third party issues, Trustworthiness and Competence, Delegation of Functions to RAs and Subcontractors Audit Eligible Audit Schemes, Audit Period and Record

11 TSP Security Related Activities 1999 EU Directive Published Directive 1999/93 on Electronic Signatures CEN & ETSI published Technical Specifications in support of Directive including: ETSI TS : Policy requirements for certification authorities issuing qualified certificates ETSI TS : Policy requirements for certification authorities issuing public key certificates (non qualified) Many (but not all) adopted the ETSI Policy requirements document within varying national supervisory schemes ETSI applied TS to CAB Forum Enhanced & Baseline Requirements for Web Certificate Becoming European Norms aiming at proposed regulatory framework for Trust Service Providers 11 ETSI 2013 All rights reserved

12 esignature Standards Framework 6 6 Trusted Lists Providers List of TSP services approved (supervised) by National Bodies (e.g. Trusted Lists) Certificate Authority Time-stamping Signing Servers Validation Services TSPs supporting esignature Trust Application Service Providers Registered Long term preservation Rules & procedures Formats Signature Creation / Validation Protection Profiles 1 1 Signature Creation & Validation XAdES (XML) (ISO ) CAdES (CMS) (ISO ) PAdES (PDF) (ISO ) AdES in Mobile envmts ASiC (containers) (CEN) Common Criteria Protection profiles Smart Cards HSMs Signing services Signature 2 Cryptographic Suites Creation Devices Key generation Hash functions Signature algorithms Key lengths ETSI 2013 All rights reserved

13 Policy Requirements Document Structure EN General Policy Requirements for TSPs EN CA Issuing Qualified Certificates EN CA Issuing Public Key Certificates EN CA Issuing Web Site Certificates. TS & TS republished as European Norms General requirements moved to EN EN = TS (published Jan 2013) EN = TS (published Jan 2013) EN (draft to be published 2014) = Elements TS relating to CAB Guide CAB Forum Web Cert Guide

14 TSP Conformity Assessment New EN under development provides harmonised regime for auditing TSPs against ETSI policy requirements (e.g. EN x) Specifies requirements for: Capabilities of Auditor Procedures for carrying carried out Content of audit report Based on International Standards ISO Requirements for Conformity Assessment Bodies Auditing Services ISO Requirements for Information Security Management System Audit 14 ETSI 2013 All rights reserved

TSP Conformity Assessment Model: Regulatory Adoption Conformity Assessment Body Competence Accredited in line with ISO 17021 / 17065 Based on

15 TSP Conformity Assessment Model: Regulatory Adoption Conformity Assessment Body Competence Accredited in line with ISO / Based on Audit report TSP status Set in Trusted List by National Aut y Audit TSP Against standard criteria (e.g. EN ) 15 ETSI 2013 All rights reserved

17 ETSI Key Points ETSI TSP Standards (TS etc) adopted in EU, as well Southern Mediterranean, South America, Japan, CAB Forum. Available as European Norms EN will provide harmonised audit regime for Regulatory and non-regulatory environments Further Information: Subscribe to the E-SIGNATURES_NEWS mailing list 17 ETSI 2013 All rights reserved

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK Presented by Nick Pope, ETSI STF 427 Leader ETSI 2012 All rights reserved Topics Background ETSI Activities / Link to Mandate