ÃÛÌÒTV is electing to withdraw from the CA Security Council (CASC) as we believe CASC is moving in a direction that ÃÛÌÒTV does not support. Specifically:
- We feel that CASC is not sufficiently transparent and does not represent the diversity of the modern Certificate Authority (CA) industry. Improving the ecosystem requires broad participation from all interested stakeholders, and many are being excluded unnecessarily.
- We also think that the recent primary focus on phishing does not fulfill the purpose for which CASC was created. We would have preferred if the focus of CASC had instead broadened to address the many challenges and opportunities that the CA industry faces.
- Although ÃÛÌÒTV supports EV certificates and strongly believes in the value of identity provided by CAs, we believe security is an evolving landscape and would like to improve EV certificates in meaningful ways. We believe EV certificates can be significantly strengthened without negatively impacting the ability of legitimate businesses to get EV certificates.Ìý We will pursue improvements using open and robust discussions and through our continued contribution to the CA/B Forum Validation Working Group.
What is the CA Security Council?
CASC was created to allow Certificate Authorities to collaborate on security and best practices for digital certificates. The work could not be done within CA/Browser (CA/B) Forum because:
- The CA/B Forum is an industry standards group, which meant education and research was out of scope.
- Standards, by necessity, focus on minimum acceptable practices, not best practices and innovation.
- There was a desire by large CAs to rapidly increase their security posture.
- CASC provided an opportunity to jointly fund industry improvement efforts.
The intent was to use CASC’s resources to drive innovation that could eventually be adopted by the CA/B Forum. CASC was formed to provide a unified CA industry response to the poor practices of a few CAs and raise the bar for what the community expects from the leading companies.
Over the years, CASC:
- Published blogs to help educate readers on various security topics.
- Built an identity for the CASC.
- Maintained an informative website that was used as a resource by those interested in CA operations and best practices.
- Worked on new technical solutions for supporting the KeyGen functionality, which was deprecated by the browsers without a replacement.
We recognize these accomplishments and going forward, although we have withdrawn from CASC, we would like to continue engaging with the community and we are interested in improving PKI, which we believe has a bright future. We look forward to global participation in making CA operations transparent and addressing many of the industry questions that continue to arise. We plan on introducing suggested improvements directly through the CA/B Forum and the Mozilla Dev Policy mailing list and unilaterally implementing them ourselves as a benefit for our customers. Comments are always appreciated and can be sent to Jeremy at digicert.com.