Our seminar “Electronic signing, PKI Management and SSL certificates” on 6 February 2019 was attended by over 40 professionals with extensive experience in cyber security. The seminar was streamed online and the recordings are still available. This article provides the links to the recordings and the material, as well as highlights from the third session.
Session 1: Electronic signing, digital signing, eIDAS, PadES
Presenter: Robert Hann, Sales Director, Entrust Datacard
Facilitator: Antti Larvala, Director for development eSign for Visma Solutions
Session 3: SSL/TLS certificates – what lies ahead?
Presenter: Chris Bailey, VP Strategy and Business Development, Entrust Datacard
Facilitator: Harri Tuuva, CTO, Wesentra
Some highlights from the session “SSL/TLS certificates – what lies ahead?”
The CA/Browser Forum began in 2005 as a joint effort of certification authorities and browser software vendors to give Internet users greater assurance about the web sites they visit by leveraging the capabilities of SSL/TLS certificates. Since then the CA/B Forum has had to act on certificate rules at an increasing pace.
Chris went through the different certificate types. A DV certificate gives no information about the organization behind the web site: the purchaser only needs to demonstrate sufficient control over the domain, and the certificate provides encryption only. For an OV certificate a trusted third party (the CA) has verified the organization and its request for the certificate; a visitor can see this information by inspecting the certificate. For an EV certificate the CA has performed the most rigorous verification process, and the organization's details are shown in the browser's address bar indicator (typically in green). This gives a strong electronic identity.
Over the last three years the number of DV certificates has grown tenfold, the number of OV certificates fivefold, and the number of EV certificates by 50%. One reason for the rapid growth of DV certificates is Google’s program to get encryption onto all web sites.
At the same time the number of phishing incidents has increased alarmingly. When organizations ask for sensitive information from the users of their web sites, they often see phishing sites emerging with almost the same URL addresses. These sites are also encrypted with SSL, and almost always they are protected with DV certificates, because DV certificates are so easy to obtain. The purpose of Google’s “Encryption Everywhere” program is good, but has it turned into “Encryption is Everything”? Is the program forgetting the user’s need to be sure that he or she is on the intended web site?
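The two preceding passages make a pair of points that a defender can act on: a certificate's validation level (DV/OV/EV) is visible in the certificate itself, and phishing sites with lookalike names are almost always DV. The following script is an added example and not code from the seminar, Wesentra or Entrust Datacard. It classifies parsed certificate records by the CA/Browser Forum reserved policy OIDs (2.23.140.1.1 = EV, 2.23.140.1.2.1 = DV, 2.23.140.1.2.2 = OV, which are real), cross-checks the asserted policy against the subject fields, and flags SAN names that look like a monitored domain, as a Certificate Transparency monitor would. The certificate records, the brand `example-bank` and the `CertRecord` structure are constructed for the example; a real deployment would feed it from an X.509 parser and use the Public Suffix List instead of the naive registrable-label rule.

```python
"""Classify certificate validation level and flag lookalike domains.

Added example (not the seminar's or any vendor's code).  Records below are
constructed stand-ins for what a Certificate Transparency monitor would
produce after parsing certificates.
"""
from __future__ import annotations
from dataclasses import dataclass

# CA/Browser Forum reserved certificate-policy OIDs (real values).
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_IV = "2.23.140.1.2.3"  # individual validation, treated like OV here

# Subject attributes the EV Guidelines require (short attribute names).
EV_REQUIRED = {"C", "O", "businessCategory", "serialNumber"}


@dataclass
class CertRecord:
    """Hypothetical parsed certificate: SAN names, subject attributes, policy OIDs."""
    san: list[str]
    subject: dict[str, str]
    policies: list[str]


def validation_level(cert: CertRecord) -> str:
    """Return 'EV', 'OV' or 'DV' from the policy OIDs, falling back to the subject."""
    if CABF_EV in cert.policies:
        return "EV"
    if CABF_OV in cert.policies or CABF_IV in cert.policies:
        return "OV"
    if CABF_DV in cert.policies:
        return "DV"
    # Older or non-conforming certificates may carry only CA-specific OIDs:
    # decide as a user inspecting the certificate would, by the O field.
    return "OV" if "O" in cert.subject else "DV"


def subject_issues(cert: CertRecord) -> list[str]:
    """Cross-check the asserted policy against the subject fields."""
    issues = []
    if CABF_EV in cert.policies:
        missing = EV_REQUIRED - cert.subject.keys()
        if missing:
            issues.append("EV policy but subject lacks " + ", ".join(sorted(missing)))
    if CABF_DV in cert.policies and "O" in cert.subject:
        issues.append("DV policy but subject carries an organizationName")
    return issues


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Naive second-level label: 'login.examp1e-bank.com' -> 'examp1e-bank'.
    Assumption: two-label suffixes (e.g. .co.uk) are ignored; use the PSL in practice."""
    labels = hostname.lower().lstrip("*.").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_lookalike(hostname: str, brand_label: str, max_distance: int = 2) -> bool:
    """True if the hostname imitates the brand's registrable label."""
    host = hostname.lower()
    label = registrable_label(host)
    if label == brand_label:
        return False  # the genuine domain or one of its subdomains
    if brand_label in label:
        return True  # brand embedded in another label, e.g. brand-login
    if brand_label in host.lstrip("*.").split(".")[:-2]:
        return True  # brand used as a subdomain of an unrelated domain
    return edit_distance(label, brand_label) <= max_distance


def triage(records: list[CertRecord], brand_label: str) -> list[tuple[str, str, list[str]]]:
    """Return (hostname, validation level, subject issues) for every lookalike SAN."""
    hits = []
    for cert in records:
        level = validation_level(cert)
        for name in cert.san:
            if is_lookalike(name, brand_label):
                hits.append((name, level, subject_issues(cert)))
    return hits


# Constructed sample records (not real certificates).
RECORDS = [
    CertRecord(["example-bank.com", "www.example-bank.com"],
               {"CN": "example-bank.com", "O": "Example Bank Oyj", "C": "FI",
                "businessCategory": "Private Organization", "serialNumber": "1234567-8"},
               [CABF_EV]),
    CertRecord(["examp1e-bank.com"], {"CN": "examp1e-bank.com"}, [CABF_DV]),
    CertRecord(["example-bank-login.net"], {"CN": "example-bank-login.net"}, [CABF_DV]),
    CertRecord(["unrelated-shop.fi"], {"CN": "unrelated-shop.fi", "O": "Shop Oy", "C": "FI"}, [CABF_OV]),
    CertRecord(["example-bank.com.secure-host.org"], {"CN": "example-bank.com.secure-host.org"}, [CABF_DV]),
    CertRecord(["exampleshop.com"], {"CN": "exampleshop.com"}, [CABF_DV]),
]

if __name__ == "__main__":
    for host, level, issues in triage(RECORDS, "example-bank"):
        print(f"{host:40} {level:3} {'; '.join(issues) or '-'}")
```

Run as a script it prints the three DV lookalikes and leaves the genuine EV site and the unrelated OV and DV names alone. The `subject_issues` cross-check is the part a user cannot do from the address-bar indicator: it catches a certificate whose policy OID claims one validation level while its subject tells another story.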
When organizations were asked about their expectations of SSL certificates, the provision of an electronic identity was seen as the most important feature; encryption came second.
Some browser vendors are seeking ways to improve user security by showing information certified by the CA. This movement runs counter to Google’s current policies, and it may spread as the security needs of organizations and web users grow. It may also increase the role of EV certificates.
The EU has also taken the opposite direction and requires strong electronic identities from organizations. In practice this will be seen in September 2019, when the PSD2 regulation for EU financial organizations takes effect. These organizations need to start using Qualified Trust Services and Qualified Website Authentication Certificates (QWAC). As the same is demanded of organizations doing business with EU financial organizations, the need for QWACs may expand.
QWACs may be issued by Qualified Trust Service Providers (QTSP) that have been certified in the EU. The list of QTSPs in the different EU countries can be found here. It is sufficient that a vendor has been certified in one EU country. For example, Entrust Datacard is working to be able to deliver QWACs during spring 2019.
In practice the coordination between the EU and the CA/Browser Forum has not been optimal. ETSI, which produces standards for the EU, has for example added data fields to the QWAC definition that are currently not permitted under the CA/B Forum definitions. So a normal EV certificate issued by a TSP is not a QWAC at the moment.
At the beginning of the session, Harri Tuuva from Wesentra presented Wesentra and its role as Europe’s largest certificate distributor for Entrust Datacard and as one of the four global partners permitted to perform local verification under the supervision of Entrust Datacard. Harri also stated that the market share of Entrust Datacard OV/EV certificates in Finland has now climbed to 20%.
Several questions were put to the presenter, one of them being: “When the browser vendors led by Google removed trust from Symantec certificates, did the CA/B Forum define the schedule?” Chris stated that each browser vendor decided on the schedule for its own browser. He also gave his opinion that the approach taken by Google was very severe: it caused a tremendous amount of work and pain, and perhaps the process could have been handled more delicately.
This was the last blog post covering the sessions of this seminar.
More information: info (at) wesentra.com or https://www.wesentra.com/eng/