Sometimes it takes a very public breach for the shockwaves to force an industry to tighten up its security. I welcome the news that the Certificate Authority (CA) industry body that initially specified the standard for Extended Validation (EV) certificates has now published requirements (or standards of due care) for the issuance of publicly trusted certificates.
Certificate authorities that have signed up to the new requirements have 6 months to comply. Specific requirements that stand out include:
- Mandating the use of larger/stronger cryptographic keys (e.g. no use of 1024-bit RSA keys)
- Mandating that CA signing keys must be protected in a FIPS 140-2 Level 3 certified Hardware Security Module (or Common Criteria equivalent)
- Placing liability on the CA to defend any browser vendor who suffers losses or claims as a result of a CA breach
- The CA must enforce the use of multi-factor authentication for all accounts capable of causing certificate issuance
Attackers usually target the weakest defences in any security chain. I hope the CA industry will now start to recommend similar standards of care to help their subscribers, but why wait? The theft of a digital certificate can amount to corporate identity theft. Just as we as individuals all have a responsibility to protect our personal identities (and can suffer a lot of expense and embarrassment if they are stolen), organisations need to enforce internal standards of care to ensure they don’t become the victims of cybercrime. The only difference with corporate identity theft is the potential scale and impact of the losses.