At the recently held RSA Conference 2013, the new CA Security Council (CASC) was launched, with Trend Micro as one of the seven charter members of this grouping of certificate authorities (CAs). What is the CASC, and what do we hope to achieve by joining it?
The CA/Browser Forum and CASC’s Role
Trend Micro has been involved in the SSL business since it acquired AffirmTrust in August 2011. Why was the CASC formed when there are already existing groups like the CA/Browser Forum (of which Trend Micro is also a member) where CAs can make their opinions heard? It was formed to fill a need that existing industry groups cannot.
While some Trend Micro employees have been involved with the CA/Browser Forum since its founding, the Forum has a built-in limitation. Because its membership includes browser vendors as well as CAs, it cannot advocate for CAs alone or for their causes, and there are times when CAs and browser vendors simply don’t agree on specific issues. CAs therefore need a platform outside the Forum from which they can deliver their message directly.
Creation of the CA Security Council
To create a new voice for CAs and a central information source about SSL security for journalists and the public, Trend Micro and six other CAs founded the CA Security Council (CASC). The other six members are: Comodo, Digicert, Entrust, GlobalSign, GoDaddy, and Symantec. Together, CASC members are responsible for 95 percent or more of trusted SSL certificates in the world. CASC’s mission statement is:
The CASC’s mission is to advance internet security by promoting deployments and enhancements to publicly trusted certificates and through public education, collaboration, and advocacy. The CASC strives for the adoption of digital certificate best practices and the proper issuance and use of digital certificates by CAs, browsers, and other interested parties.
CASC is also meant to provide a rapid response to articles and questions about CAs and SSL in general. Good examples of situations where CASC would have been able to respond were the 2011 breach of the Dutch CA Diginotar and the compromise earlier that year of a Comodo reseller.
Following stories like these, people in the security community have rightly asked “Is SSL broken?” (No.) and “Can CAs be trusted?” (Yes.) CASC lets CAs work as a group so we can respond when new SSL questions arise; CASC members and experts are already being treated as the “go-to” source by technology journalists.
Education and Myth Busting
CASC’s work doesn’t stop there. Its first major project is to educate the technology community on the importance of certificate revocation checking – at all times. (Some major browsers and applications skip revocation checking of end-entity certificates or intermediate certificates in an SSL chain, which leaves their users trusting certificates a CA has already revoked. That could be disastrous.)
CASC is promoting OCSP stapling to major users of SSL, including application developers and server software vendors. With stapling, the server periodically fetches a signed OCSP response about its own certificate from the CA and attaches (“staples”) it to the certificate during the initial TLS “handshake,” so the client receives a fresh, CA-signed revocation status without having to contact the CA itself.
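To make the server-side step concrete, here is an added nginx configuration example; it is not code from the original post or from CASC, and the certificate paths, hostname and resolver address are placeholders. The first server block shows the default (no stapling), the second the corrected form.

```nginx
# Added example (not from the original post): enabling OCSP stapling in nginx.
# All paths, the hostname and the resolver address below are placeholders.

# Weak: stapling is off by default, so every client must either contact the
# CA's OCSP responder itself or skip the revocation check entirely.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
}

# Corrected: nginx fetches the OCSP response for its own certificate from the
# CA, verifies the response signature against the issuer chain, caches it, and
# staples it into the TLS handshake for every client.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    ssl_stapling        on;   # send a stapled OCSP response in the handshake
    ssl_stapling_verify on;   # refuse to staple a response nginx cannot verify
    # Issuer and root certificates used to verify the OCSP response signature;
    # required for ssl_stapling_verify to work.
    ssl_trusted_certificate /etc/ssl/example/chain.pem;
    # nginx needs a resolver to look up the OCSP responder hostname that is
    # embedded in the certificate's Authority Information Access extension.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

The server must be allowed outbound HTTP to the CA’s OCSP responder for this to work. To confirm stapling from the client side, run `openssl s_client -connect www.example.com:443 -status </dev/null` and look for `OCSP Response Status: successful (0x0)` in the output; `OCSP response: no response sent` means nothing was stapled, which is often just the first connection after a restart (nginx staples only once it has fetched and cached a response) or a firewall blocking the responder. Apache httpd offers the equivalent with `SSLUseStapling on` together with an `SSLStaplingCache` directive in the server-wide configuration.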
CASC is also posting weekly blogs on best practices and on “myth-busting” around SSL and CAs. There’s an introductory “What’s Behind the Padlock?” graphic and article to help users understand how CAs keep SSL traffic secure. Members are also coordinating their participation in other technology meetings so that the CAs’ point of view is well represented.
Trend Micro is proud to be a charter member of the CA Security Council and to be part of the discussion surrounding SSL and CA security in the coming years.