At the recently held RSA Conference 2013, the new CA Security Council (CASC) was launched, with Trend Micro as one of the seven charter members of this grouping of certificate authorities (CAs). What is the CASC, and what do we hope to achieve by joining CASC?
The CA/Browser Forum and CASC’s Role
Trend Micro has been involved in the SSL business since it acquired AffirmTrust in August 2011. Why was the CASC formed when there are already existing groups like the CA/Browser Forum (which Trend Micro is also a member of) where CAs can already make their opinions heard? It was formed because it will fill a need that existing industry groups are unable to fill.
While some Trend Micro employees have been involved with the CA/Browser Forum since its founding, this particular group has some issues. Because its membership includes browser vendors as well as CAs, it cannot advocate for CAs alone or their causes. There are also times when CAs and browser vendors don’t agree on specific issues. Because of this, CAs need a platform where they can spread their message directly outside of the Forum.
Creation of the CA Security Council
To create a new voice for CAs and a central information source about SSL security for journalists and the public, Trend Micro and six other CAs founded the CA Security Council (CASC). The other six members are: Comodo, Digicert, Entrust, GlobalSign, GoDaddy, and Symantec. Together, CASC members are responsible for 95 percent or more of trusted SSL certificates in the world. CASC’s mission statement is:
The CASC’s mission is to advance internet security by promoting deployments and enhancements to publicly trusted certificates and through public education, collaboration, and advocacy. The CASC strives for the adoption of digital certificate best practices and the proper issuance and use of digital certificates by CAs, browsers, and other interested parties.
CASC is also meant to provide a rapid response to articles and questions about CAs and SSL in general. Good examples of situations where CASC would be able to respond was the 2011 breach of Dutch CA Diginotar, as well as the breach later that year of a Comodo reseller.
Following stories like these, people in the security community have rightly asked “Is SSL broken?” (No.) and “Can CAs be trusted?” (Yes.) CASC is working with CAs as a group so we can respond when new SSL questions arise; CASC members and experts are already being treated as the “go-to” source for technology journalists.