The Certificate Authority Security Council (CASC) announced at the CA/Browser Forum event in London the launch of the London Protocol – an initiative to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain organization identity information (Identity Certificates).
Following the recent rise in phishing attacks, the London Protocol was developed to reinforce the distinction between Identity Websites and websites encrypted by domain validated (DV) certificates, which lack organization identity.
The London Protocol will be implemented through voluntary action plan by public certification authorities (CAs). The CAs will work together and share data to:
- Actively monitor phishing reports for websites encrypted by the CA’s own OV and EV certificates;
- Notify the affected website owner that phishing content was found and provide remediation instructions as well as prevention methods;
- Contribute to a common database to help reduce future phishing content. This data will be available to other participating CAs so that each CA can conduct additional due diligence before issuing new OV or EV certificates to the website; and
- Develop a name collision system to attempt to prevent the “Stripe” threat vector.
Although affordable and often automatic, issuing DV certificates does not require CAs to verify the organization identity. Many DV certificates are issued anonymously without legitimate contact information making it easy for phishers to get them for fraudulent purposes.
For OV and EV certificates, CAs are required to verify the organization information using verifiable documents, such as a government-issued business license, providing an additional layer of validation to the process. To improve internet security and awareness of the OV and EV certificates, participating CAs, will collaborate on the London Protocol to find best security practices for identity assurance and minimize phishing on identity websites.
The London Protocol will be implemented in multiple phases:
Phase 1 (June – August 2018): Participating CAs develop Protocol details and research feasibility of implementation and may begin to implement some basic procedures.
Phase 2 (September – November 2018): Participating CAs apply Protocol concepts to their own customers’ Identity Websites according to their own policies and procedures, share feedback with other participating CAs, refine Protocol as warranted by experience.
Phase 3 (December 2018 – February 2019): Participating CAs update Protocol policies and procedures and approve plan for uniform policies and procedures to be applied by all participating CAs on a voluntary basis.
Phase 4 (March 2019): Participating CAs forward report and recommendations to CA/Browser Forum for possible changes to Baseline Requirements.
At its core, the London Protocol is designed to get back to the root of what OV and EV certificates were created for – providing online consumers better trust and assurance.