Baseline Requirements for Publicly Trusted Certificates
I would like to bring to your attention the initiative of the CA/Browser Forum (of which Entrust is a member) to develop baseline requirements for the issuance and management of publicly trusted certificates. The CAB Forum developed the guidelines for issuance and management of Extended Validation (EV) certificates in 2006, with the first EV SSL certificates being issued in early 2007.
The initiative to develop baseline requirements for ALL publicly trusted certificates has been ongoing for the better part of two years. The reasoning is that, other than for EV, there are no documented industry best practices for the issuance and management of publicly trusted certificates. The hope is that once the baseline requirements are finalized, they will be adopted by the browsers into their root-embedding programs. This could also extend to bodies such as AICPA/CICA (WebTrust) and ETSI, as well as their audit programs. The result would be a strengthening of the foundation of the browser security model.
The CAB Forum announced a 45-day public review period of the current draft of the baseline requirements ending in May 2011. Interested parties are encouraged to read the draft and provide comments through the Mozilla Dev-Security-Policy discussion list. Details regarding the review period and how you can comment are included in the announcement. If you want to go straight to the draft, click here.