The CA/Browser Forum has completed release 1.0 of the Baseline Requirements for the Issuance and Management of Publicly Trusted (SSL) Certificates. This document, fondly referred to as the BRs, is a major step forward for the SSL certificate industry. The leading browser vendors and the SSL CAs have come together to set a minimum standard for the issuance of SSL certificates. It will act as the benchmark for all SSL certificate issuance moving forward, once it becomes effective on July 1, 2012.
Prior to the BRs, there was no common standard for the issuance of SSL certificates. Microsoft and Mozilla have their stated requirements and policies that must be considered. The AICPA/CICA has WebTrust for CA and, of course, there are “industry best practices.” Industry best practices? Try to find those; well, now you can. The BRs have considered the browser policy requirements and have been reviewed by the WebTrust auditor community.
Over the years, security researchers and hackers have found cracks in SSL certificate issuance practices. Mike Zusman defeated the common practice of using email addresses to confirm domain control in the issuance of Domain Validated (DV) certificates. The ComodoHacker issued fraudulent certificates by attacking third-party registration authorities. Most recently, due to a spear-phishing attack, some SSL CAs were found to be issuing certificates with weak 512-bit keys. All of these short-comings have either been addressed directly or mitigated in the BRs.
The CAB/Forum acknowledges that the BRs are not a panacea for all SSL certificate issues. Nonetheless, the BRs establish a baseline from which more improvements can be made.