issue [Vol.69 no. 20] page 61)
For more than 2 years now, the Mozilla project has been part of an organisation called the CA/Browser Forum, which is an industry body made up of the major Certificate Authorities (CAs) and the major browser vendors – Microsoft, the Mozilla Foundation, Opera and KDE (but not Apple, for reasons best known to them).
A CA is a body who issues certificates, such as those for email or web servers (SSL); most of them control “roots” in our certificate store – that is, Firefox or Thunderbird will accept their certificates without warning. (Some are in other certificate stores but not ours.) Large CAs include Verisign/GeoTrust/Thawte, Comodo and GoDaddy, but there are a host of smaller ones too. The Forum currently has 26 members who are CAs, and that number keeps increasing.
The Forum was constituted to look at ways to fix the undeniable problem that the system was beginning to show cracks. In the originally-envisaged model, a certificate was intended to perform two functions. Firstly, it provides an encrypted connection to the destination. Secondly, it tells you who the destination is, to make sure you aren’t talking to the wrong person.
The rise of Domain Validation (DV) certificates, which are issued quickly and cheaply after checking only that the applicant controls the domain in question (and nothing about who they are) meant that certificates were being issued to anonymous entities. So you had encryption but not identity. Such certificates are useful in some cases, but if your bank has one, you ought to be concerned. In other words, on some occasions, it’s important to know if someone else on the Internet is a dog. Yet the browser UI showed no difference between the different types.
However, there was also no sane way for the browser makers to sort the CAs into two buckets – “not enough identity validation” (DV) and “sufficient identity validation” (IV or OV, for Organisational Validation) because the processes of each CA were mostly secret – and even if they weren’t, it would be an enormous task to compare dozens of sets of widely different procedures, and keep the assessments up to date.
So the Forum has spent the last 2 years, via email and a large number of face-to-face meetings, hammering out a minimum standard for identity validation, to try and make sure that certificates issued under them contain reliable information. This standard is called Extended Validation (EV), and compliance by CAs is enforced by audit. It must be said that at the beginning, there were several diverging opinions on how this should work, and what sort of level of validation was required. Interestingly enough, those CAs who issued domain-control only certificates (those with the lowest level of validation) often wanted stronger controls than those who already did some checking, who tended to believe that their existing processes were adequate.
However, with a little help and encouragement from the browser vendors, some of whom had a clear idea of what they wanted, consensus began to form around a set of guidelines which are significantly stronger than anything any CA deploys for non-EV certificates today.
It took a long while to break down the institutional aversion of several forum participants to working in public, with the result that the drafts of the Guidelines were only made public starting at Draft 11. Comments were solicited from the Mozilla security community on Draft 13, and were recorded, submitted, and dealt with by the Forum’s processes (with results that can be seen on the referenced web page). Since then, there have been several more rounds of improvements and tweaks. A couple of times we’ve thought we were there, but another issue raised its head at the last minute.
However, at long last, a vote was called proposing that Draft 20 (500k .doc) of the Guidelines be blessed as version 1.0. With our concerns addressed to a satisfactory level, The Mozilla Foundation voted Yes. It’s good enough to spot the dog.
I have just heard that the Guidelines have been unanimously approved. See cabforum.org for the press release. Of course, we won’t be stopping there. The Forum will continue to maintain and update the guidelines as conditions change, and if weaknesses are found. I recently drafted a document suggesting how a Forum Security Committee, which would have responsibility for reacting to problems in the vetting procedures discovered by the CAs or by third parties, might work.
I hope that Window Snyder, the Mozilla Corporation’s Chief Security Something-or-other, will soon have a post on what this means for Firefox and Thunderbird.