Tag Archives: CAB Forum

Your Audit Report has Expired

March 27, 2014 by Bruce Morton     No Comments

Here is an interesting theme of questions we receive all the time. Why has your CA audit report expired? Or, when will your audit report be brought up to date? The answer? The audit report is up to date and a new audit report will be provided within three months of the end of the [Read More...]

Filed Under: SSL Tagged With: CAB Forum, SSL, WebTrust

Moving to 2048-bit Keys

July 22, 2013 by Bruce Morton     2 Comments

In the last few months, I have been reading blog posts (e.g., Google and Evernote) about certificate subscribers changing their keys from 1024-bit to 2048-bit RSA. I suppose congratulations may be in order. But, on the other hand, what’s been the delay? I’ve post a couple of blogs about key size policy back in 2010 [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: CAB Forum, NIST, SSL

Perfect Forward Secrecy

July 17, 2013 by Bruce Morton     7 Comments

The topic of perfect forward secrecy has come up due to the alleged actions of NSA and PRISM. It has been reported the NSA has been able to trap website communications and then are able to search and review those communications at a future time. Users that use SSL were assuming their communications were secure. [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: CAB Forum, DHE, Diffie-Hellman

Some Comments on Web Security

June 14, 2013 by Bruce Morton     No Comments

Web security is a topic important to health and viability of the internet. It is crucial for privacy, integrity and authenticity of sites and users alike.

Self-Signed Certificates don’t deliver Trust

April 4, 2013 by Bruce Morton     No Comments

We’ve heard the argument that website operators could just use self-sign certificates. They are easy to issue and they are “free.” Before issuing self-signed certificates, it’s a good idea to examine the trust and security model. You should also compare self-signed certificates to the publicly trusted certification authority (CA) model; and then make your own decision.

Mozilla Endorses SSL Baseline Requirements

February 27, 2013 by Bruce Morton     2 Comments

The CA/Browser Forum SSL Baseline Requirements have been endorsed by Mozilla and have been included in their certificate authority (CA) certificate policy.

SSL Certificates without Non-FQDNs

February 21, 2013 by Bruce Morton     1 Comment

The CA/Browser Forum decided to mitigate the risk by deprecating the issuance of certificates with non-FQDNs.

Certificate Authority Security Council

February 14, 2013 by Bruce Morton     No Comments

Today, the leading global certification authorities (CA) launched the Certificate Authority Security Council (CASC). The CASC is made up of publicly trusted CAs that issue SSL certificate to protect more than 95 percent of the global websites.

SSL – Privacy, Integrity, Authenticity

November 29, 2012 by Bruce Morton     No Comments

I was recently reminded by a couple of security researchers that SSL provides privacy, integrity and authenticity.

SSL News from Black Hat and DEF CON

August 28, 2012 by Bruce Morton     No Comments

I like to follow up each year with the SSL news from Black Hat USA and DEF CON 20. I was just looking for my 2011 follow-up and found out that I never released it. Unfortunately, I started the write up just before the DigiNotar fiasco and never finished it. So what SSL presentations occurred [Read More...]