RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0



Similar documents
CERTIFICATION PRACTICE STATEMENT UPDATE

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

ETSI TR V1.1.1 ( )

Microsoft Trusted Root Certificate: Program Requirements

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

epki Root Certification Authority Certification Practice Statement Version 1.2

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM

CA/Browser Forum. Guidelines For The Issuance And Management Of Extended Validation Code Signing Certificates

CA/Browser Forum. Guidelines For The Issuance And Management Of Extended Validation Certificates

TELSTRA RSS CA Subscriber Agreement (SA)

Gandi CA Certification Practice Statement

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation Code Signing

ING Public Key Infrastructure Certificate Practice Statement. Version June 2015

StartCom Certification Authority

Statoil Policy Disclosure Statement

Independent Accountants Report

ETSI SR V1.1.2 ( )

thawte Certification Practice Statement

Danske Bank Group Certificate Policy

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

TeliaSonera Server Certificate Policy and Certification Practice Statement

ENTRUST CERTIFICATE SERVICES

Trustis FPS PKI Glossary of Terms

ETSI TS V2.4.1 ( )

BUYPASS CLASS 3 SSL CERTIFICATES Effective date:

Bugzilla ID: Bugzilla Summary:

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

Class 3 Registration Authority Charter

Comodo Certification Practice Statement

Public Certification Authority Certification Practice Statement of Chunghwa Telecom (PublicCA CPS) Version 1.5

e-tuğra CERTIFICATE POLICY E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. Version: 3.1 Validity Date: September, 2013 Update Date: 30/08/2013

Frequently Asked Questions. Frequently Asked Questions: Prioritizing Trust: Certificate Authority Security Best Practices

Internet Security Research Group (ISRG)

CA Self-Governance: CA / Browser Forum Guidelines and Other Industry Developments. Ben Wilson, Chair, CA / Browser Forum

WEBTRUST FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.4 [Amended 1 ] CA/BROWSER FORUM

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation SSL Version 1.4.

Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States

TC TrustCenter GmbH. Certification Practice Statement

Certification Practice Statement

CERTIFICATE POLICY (CP) (For SSL, EV SSL, OSC and similar electronic certificates)

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0

Certification Practice Statement

Certification Practice Statement. Internet Security Research Group (ISRG)

Starfield Technologies, LLC. Certificate Policy and Certification Practice Statement (CP/CPS)

Certificate Policy and Certification Practice Statement

EuropeanSSL Secure Certification Practice Statement

ENTRUST CERTIFICATE SERVICES

QUOVADIS ROOT CERTIFICATION AUTHORITY CERTIFICATE POLICY/ CERTIFICATION PRACTICE STATEMENT. OIDs:

Equens Certificate Policy

fulfils all requirements defined in the technical specification The appendix to the certificate is part of the certificate and consists of 6 pages.

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

CERTIFICATION PRACTICE STATEMENT. EV SSL CA Certification Practice Statement

Comodo Extended Validation (EV) Certification Practice Statement

Independent Accountants Report

Ericsson Group Certificate Value Statement

SSL.com Certification Practice Statement

Bangladesh Bank Certification Authority (BBCA) Certification Practice Statement (CPS)

CERTIFICATE. certifies that the. Info&AA v1.0 Attribute Service Provider Software. developed by InfoScope Ltd.

phicert Direct Certificate Policy and Certification Practices Statement

Trust Service Principles and Criteria for Certification Authorities

SECOM Trust.net Root1 CA

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

SAUDI NATIONAL ROOT-CA CERTIFICATE POLICY

Operating a CSP in Switzerland or Playing in the champions league of IT Security

StartCom Certification Authority

Frequently Asked Questions. Frequently Asked Questions: Securing the Future of Trust on the Internet

X.509 Certificate Policy for India PKI

GlobalSign CA Certificate Policy

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Neutralus Certification Practices Statement

Publicly trusted certification authorities (CAs) confirm signers identities and bind their public key to a code signing certificate.

ING Public Key Infrastructure Technical Certificate Policy

Introduction to Network Security Key Management and Distribution

ETSI TS V1.1.1 ( ) Technical Specification

PostSignum CA Certification Policy applicable to qualified personal certificates

DigiCert Certification Practice Statement

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 1.5

National Register of Associations. Number CIF G

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Aristotle University of Thessaloniki PKI ( WHOM IT MAY CONCERN

HKUST CA. Certification Practice Statement

Extended Validation SSL Certificates

SSL CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT

Trustwave Holdings, Inc

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0

CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.3

Certification Practice Statement for Extended Validation Certificates

ETSI EN V1.1.1 ( )

E-TUGRA INFORMATIC TECHNOLOGIES AND SERVICES CORP (E-TUGRA)

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

CS 356 Lecture 28 Internet Authentication. Spring 2013

Amazon Web Services Certificate Policy. Version 1.0.1

Comodo Certification Practice Statement

WEBTRUST SM/TM FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.1 CA/BROWSER FORUM

Programme of Requirements part 3f: Certificate Policy - Extended Validation

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

Certificate Policy for. SSL Client & S/MIME Certificates

The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is.

Transcription:

Forum RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0 Copyright 2007-2014, The CA / Browser Forum, all rights reserved. Verbatim copying and distribution of this entire document is permitted in any medium without royalty, provided this notice is preserved. Upon request, the CA / Browser Forum may grant permission to make a translation of these recommendations into a language other than English. In such circumstance, copyright in the translation remains with the CA / Browser Forum. In the event that a discrepancy arises between interpretations of a translated version and the original English version, the original English version shall govern. A translated version of the document must prominently display the following statement in the language of the translation:- 'Copyright 2007-2014 The CA / Browser Forum, all rights reserved. This document is a translation of the original English version. In the event that a discrepancy arises between interpretations of this version and the original English version, the original English version shall govern.' A request to make a translated version of this document should be submitted to questions@cabforum.org. Recommendations for Processing EV SSL Certificates, v.2.0 Page 1

Table of Contents 1. Foreword... 3 2. Scope... 3 3. Normative references... 3 4. Terms and definitions... 3 5. Introduction... 4 6. Identifying EV entities... 4 6.1. Identifying an EV CSP... 4 6.2. Identifying an EV certificate... 5 7. Root-embedding program... 5 7.1. Notification... 5 7.2. Agreement... 5 7.3. Process description... 5 7.4. Communication... 6 7.5. Schedule... 6 7.6. Membership... 6 7.7. Software Verification... 6 8. CSP Public-Key Integrity Protection... 6 9. Certificate Path Validation... 6 10. Cryptographic Algorithms and Minimum Key Sizes... 7 11. Certificate Contents... 7 12. Policy Identifier... 7 13. Revocation Checking... 7 14. EV Treatment... 7 15. Security considerations... 7 15.1. EV OIDs in Subject Distinguished Name Fields... 8 16. Conclusion... 8 Recommendations for Processing EV SSL Certificates, v.2.0 Page 2

1. Foreword This document contains recommendations by the CA/Browser Forum, for processing and rendering the results of Extended Validation certificates in relying party software applications (e.g., browser software). This document may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. Questions concerning this document or suggestions for its improvement may be directed to the CA/Browser Forum at questions@cabforum.org. 2. Scope The EV SSL Certificate Guideline [EVSSL] document establishes minimum requirements for the issuance and management of EV SSL certificates for organizations of various types. It describes processes for validating certificate contents prior to issuance, and requirements for the operation and audit of certification authorities. This document contains recommendations for Application Software Suppliers who create software that processes or displays Extended Validation certificates. 3. Normative references [BRs] Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, CA/Browser Forum. Available at: https://cabforum.org/baselinerequirements-documents/ [EVSSL] "Guidelines for the Issuance and Management of Extended Validation Certificates", CA/Browser Forum. Available at: https://cabforum.org/extended-validation/ [RFC 5280] D. Cooper, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. [RFC 6960] S. Santesson, et al., X.509 Internet Public Key Infrastructure Online Certificate Status Protocol OCSP, RFC 6960, June 2013. 4. Terms and definitions Application Software Supplier - A supplier of Internet browser software or other relyingparty application software, including certificate verification software and user agents, that processes, uses, or displays Extended Validation Certificates. Certificate Policy (CP) A named set of rules that indicates the applicability of a named certificate to a particular community and/or PKI implementation with common security requirements. Certificate Practices Statement (CPS) - One of several documents forming the governance framework in which Certificates are created, issued, managed, and used Certificate Service Provider (CSP) - A certification authority whose relying parties take no special software installation or configuration steps to establish reliance, e.g. a commercial CA or government CA. In the EU directive (1999/93/CE) "certificationservice-provider" means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures. Recommendations for Processing EV SSL Certificates, v.2.0 Page 3

Certificate Verification Software Software that performs PKIX verification of certificates substantially conformant to RFC 5280 and RFC 6960. Certificate Viewer Software that converts the ASN.1-formatted certificate, including numeric object identifiers, into human readable form. Extended Validation (EV) - The process of certificate issuance and management defined in [EVSSL]. Extended Validation Certificate: A certificate issued and managed in accordance with [EVSSL] and with contents conforming to [EVSSL]. Relying Party: Any natural person or Legal Entity that relies on a valid certificate. An Application Software Supplier is not considered a Relying Party when software distributed by such Supplier merely displays information relating to a certificate. Root Store a collection of Root CA public keys that applications may use as trust anchors for RFC 5280 certification path validation. Root Store Manager - An entity that manages a Root Store. In some cases, an Application Software Supplier might perform some of the root store management, in which case it is to be considered as a Root Store Manager for those purposes. User Agent Software that retrieves, renders and facilitates end-user interaction with Web content, including but not limited to browsers, media players, web applications, and mobile applications that render web content. 5. Introduction The CA/Browser Forum has defined minimum requirements for the issuance and management of Extended Validation certificates [EVSSL]. These requirements establish a minimum level of assurance in the information contained in a properly validated certificate. Certificates issued in accordance with these requirements are called Extended Validation certificates. In order to achieve the expected level of assurance in the certificate contents, the relying application should also satisfy the recommendations that are laid out in this document. Note that [EVSSL] incorporates by reference the CA/Browser Forum s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [BRs]. 6. Identifying EV entities 6.1. Identifying an EV CSP A Root Store Manager shall determine whether a CSP is qualified to issue EV SSL certificates by means of the CSP's audit report. The Root Store Manager should check that the report was issued by an auditor certified to conduct audits in accordance with an audit program specified in [EVSSL]. The report should be current and it should identify no outstanding deficiencies. These checks should be repeated upon expiry of the audit report. It is common for an auditor to take several months to issue his or her report following completion of the audit engagement. Therefore, Root Store Managers should communicate with a CSP around the Recommendations for Processing EV SSL Certificates, v.2.0 Page 4

time of expiry, in order to confirm that the CSP is taking the steps necessary to maintain its EV status. Where the CSP has not operated an EV service for the minimum amount of time required by the audit program, the Root Store Manager should accept a pre-issuance readiness audit in place of an audit report. 6.2. Identifying an EV certificate An EV certificate is distinguishable from a non-ev certificate by the presence of a distinct certificate policy identifier. Each CSP has one or more root certificates designated to issue EV certificates, and has its own EV policy identifier to identify EV certificates issued in accordance with [EVSSL]. Alternatively, the CSP may choose to use the CA/Browser Forum s EV OID: 2.23.140.1.1. The policy identifier for a particular CSP should be confirmed by reference to the CSP's Certificate Policy (CP) or Certification Practices Statement (CPS). The Root Store Manager should store the distinct certificate policy identifier associated with each root certificate, for example, as meta-data. 7. Root-embedding program A Root Store Manager should notify the CA/Browser Forum of their intent to manage a root store. The CA/Browser Forum recommends that the Root Store Manager implement the following procedures. 7.1. Notification Notify the CA/Browser Forum in a message sent to any of the following email addresses: questions@cabforum.org; management@cabforum.org; or public@cabforum.org This is intended to ensure that the CA/Browser Forum is aware of the Root Store and to simplify the effort of identifying all possible CSPs for possible inclusion in the Root Store. The notice should include the terms upon which such CSPs will be included, such as those described in Sections 7.2 through 7.6 below, as appropriate. This requested notice to the CA/Browser Forum is not necessary for subsequent CSPs or root certificates that the Root Store Manager intends to add. 7.2. Agreement A Root Store Manager may wish to enter into an agreement separately with each CSP prior to Root Store acceptance. Reasons for having such an agreement might include: to formalize the requirements of the root-embedding program and compliance with the EV Guidelines, to set forth any other rights or obligations of the parties, to define the governing law and jurisdiction for dispute resolution, and to address any other matter of importance to the parties. Such agreements should be non-discriminatory. 7.3. Process description The notice and/or the agreement should describe the following: a) The Root Store Manager s public-key inclusion process b) The Root Store s certificate distribution and updating process Recommendations for Processing EV SSL Certificates, v.2.0 Page 5

c) General requirements on the CSP d) Documentation requirements on the CSP e) Technical requirements on the CSP f) The process for replacing a CSP public key (if applicable) 7.4. Communication The notice and/or the agreement should describe the expected sequence and method of communication between the Root Store Manager and the CSP (for example: receipt confirmation, status updates, requests for additional information, etc. will be communicated: by e-mail, by online forum, by bulletin board, etc.). 7.5. Schedule The notice and/or the agreement should describe the general schedule, time-frame and deadlines for each milestone of the CSP root certificate-embedding process. Note: this should not commit the Root Store Manager to specific dates or time periods; it should merely provide general guidance on: a) The interval on which new CSP root certificates enter the process (for instance: monthly, on an on-going basis, etc.) b) The typical duration of the complete process c) Deadlines (for instance: code freezes prior to release, etc.) d) The distribution schedule for accepted root certificates (for instance: monthly, with new releases, etc.) 7.6. Membership The Root Store Manager should publicly post a list of the CSPs that are currently participating in its program (i.e. CSPs whose root certificates have been accepted and that are, or will be, relied upon). 7.7. Software Verification CSPs that offer EV certificates are required to provide a mechanism for Root Store Managers to test their certificates. Root Store Managers should make full use of this mechanism to verify the correct operation of their application. 8. CSP Public-Key Integrity Protection Root Store Managers should provide adequate protection against malign threats to the integrity of the application code and the CSP root certificates. 9. Certificate Path Validation Certificate verification software used by Application Software Suppliers shall validate the certificate in accordance with [RFC 5280] Section 6. The EV treatment (see Section 14, EV Treatment, below) must not be granted by user agents to certificates for which the agent knows of any failure in path validation. Recommendations for Processing EV SSL Certificates, v.2.0 Page 6

10. Cryptographic Algorithms and Minimum Key Sizes Certificate verification software used by Application Software Suppliers should be capable of processing the cryptographic algorithms and key sizes listed in [EVSSL]. User agents should not grant the EV treatment (see Section 14, EV Treatment, below) to certificates whose algorithms and keys do not conform to the EV requirements. 11. Certificate Contents Certificate verification software should be capable of processing the certificate fields and extensions containing subject attributes that are described in [EVSSL]. With the exception of the Subject OU attribute, the application should treat all certificate contents as trustworthy. CSPs may populate the Subject OU attribute with unverified, but not misleading, information. Therefore, the Subject OU attribute should not be treated as trustworthy by any Application Software. 12. Policy Identifier The certificate verification software must verify that the EV certificate contains a value in its certificate policies extension that matches the distinct certificate policy identifier associated with the issuing CSP root certificate, as described in Section 6.2, Identifying an EV certificate, above. The user agent must grant the EV treatment (see Section 14, EV Treatment, below) only to certificates that contain the appropriate policy identifier. 13. Revocation Checking Certificate verification software should confirm that the EV certificate has not been revoked as part of its verification process. User agents must not grant the EV treatment (see Section 14, EV Treatment, below) to EV Certificates that are known to have been revoked. Certificate verification software should support both CRL and OCSP services. For HTTP OCSP schemes, the application may use either the GET or POST method, but should try the GET method first. If the application cannot obtain a response using one service, then it should try an alternative service, if available. 14. EV Treatment In cases where the user agent accepts both EV and non-ev certificates, it is recommended that the application's behavior differ in a distinct way for each type of certificate. Application Software Suppliers should consider the EV treatment offered by the user agents of other Application Software Suppliers that also recognize EV certificates and, where practical, provide consistent treatment. 15. Security considerations There are numerous security considerations related to the processing of certificates and reliance on their contents. Here, we confine ourselves to those matters that are specific to EV certificates. Recommendations for Processing EV SSL Certificates, v.2.0 Page 7

Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [EVSSL]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the Root Store Manage confirms (initially, and on an ongoing basis) that the CSP's audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit should be performed in accordance with [BRs] and [EVGs]. 15.1. EV OIDs in Subject Distinguished Name Fields Certificate Viewers should provide text equivalents for any OIDs shown to end users. For example, these EV-specific OIDs used in Subject Distinguished Name fields may be displayed as follows (translated accordingly): subject:businesscategory (2.5.4.15) - Business Category subject:jurisdictionofincorporationlocalityname (1.3.6.1.4.1.311.60.2.1.1) - Incorporation Locality or Inc. Locality subject:jurisdictionofincorporationstateorprovincename (1.3.6.1.4.1.311.60.2.1.2) Incorporation State/Province or Inc. State/Province subject:jurisdictionofincorporationcountryname (1.3.6.1.4.1.311.60.2.1.3) - Incorporation Country or Inc. Country Subject:serialNumber (2.5.4.5) - Serial Number 16. Conclusion Not all certificates are equally trustworthy. Their trustworthiness depends upon the strength of their cryptographic protection. But, it also depends on the policies and practices used in their issuance and management. Historically, some relying parties have been required to assess the suitability of a CSP's policies and practices for the intended usage (e.g. Section 3.3.5 of ITU X.509 (1997-08) defines Certificate Policy as A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range ). In 2007 (and with later revisions) public CSPs agreed and browsers participating in the CA/Browser Forum began to collaborate on a common set of policies and practices for CAs that establish a minimum level of assurance deemed suitable for common Internet purposes, such as ecommerce and egovernment. Achieving the intended level of assurance also requires proper behavior by the relying application. Because EV Certificates play an important role in securing the online ecosystem, we provide these recommendations to application developers to help them protect users when visiting EVprotected websites. Recommendations for Processing EV SSL Certificates, v.2.0 Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information