Baseline Requirements for Publicly Trusted Certificates

Bruce Morton

I would like to bring to your attention the initiative of the CA/Browser Forum (of which Entrust is a member) to develop baseline requirements for the issuance and management of publicly trusted certificates. The CAB Forum developed the guidelines for issuance and management of Extended Validation (EV) certificates in 2006 with the first EV SSL certificates being issued in early 2007.

The initiative to develop baseline requirements for ALL publicly trusted certificates has been ongoing for the better part of two years. The reasoning is that other than EV, there are no documented industry best-practices for the issuance and management of publicly trusted certificates. The hope is that once the baseline requirements are finalized, they will be adopted by the browsers into their root-embedding programs. This also could extend to bodies such as AICPA/CICA (WebTrust) and ETSI — as well as their audit programs. The result would be a strengthening of the foundation of the browser security model.

The CAB Forum announced a 45-day public review period of the current draft of the baseline requirements, ending in May 2011. Interested parties are encouraged to read the draft and provide comments through the Mozilla Dev-Security-Policy discussion list. Details regarding the review period and how you can comment are included in the announcement, which also links directly to the draft.

Considering the findings of the EFF SSL Observatory [1] [2] and SSL Labs and the recent attack on Comodo, baseline requirements are more necessary than ever.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
