Certificate Authority Security Council
The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.


History

The group was founded in February 2013 by the seven largest certificate authorities (CAs), the issuers of SSL certificates: Comodo, Symantec, Trend Micro, DigiCert, Entrust, GlobalSign and GoDaddy. DigiCert withdrew from the group on June 15, 2018.


Objectives

The CASC supports the efforts of the CA/Browser Forum and other standards-setting bodies. It supports the development of enhancements that improve Secure Sockets Layer (SSL) and the operations of certificate authorities (CAs). According to Robin Alden, CTO of Comodo and a member of the Council, the CASC will serve as a united front for all of the CAs involved: "While not a standards-setting organization, we’re committed to supplementing standards-setting organizations by providing education, research, and advocacy on the best practices and use of SSL."


Membership requirements

The CASC limits membership to SSL certificate authorities that meet their requirements for reputation, operation, and security. Members are required to undergo an annual audit and to adhere to industry standards, such as the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines.


Industry initiatives

The group works collaboratively to create and define the initiatives to improve the understanding of policies and their impact on Internet infrastructure.


Certificate Revocation and OCSP Stapling

The group's primary focus was promoting an understanding of the importance of certificate revocation checking and the benefits of OCSP stapling, the TLS Certificate Status Request extension, which lets the server present the CA's signed revocation status for its certificate alongside the certificate itself. The protocol is intended to ensure that web users are aware when they visit a web site with a revoked or expired SSL certificate.
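The client-side property that revocation checking is meant to deliver, as an added example that is not part of this article or any CASC material: a certificate whose chain verifies is still refused once its issuer has revoked it, and a revocation statement that is unsigned or past its validity window is treated as "status unknown" rather than "not revoked". Go's standard library has no OCSP client, so the issuer's statement is delivered here as a CRL instead of a stapled OCSP response; the check itself is the same. The CA, the host name example.test, the serial numbers and all keys are constructed at run time and are not real credentials.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when a chain-valid certificate is listed as revoked.
var ErrRevoked = errors.New("certificate has been revoked by its issuer")

// must keeps fixture construction readable: on a constructed fixture, key
// generation and certificate creation only fail on programming errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs a throwaway PKI with fresh keys on every call: a CA,
// a server certificate it issued for the hypothetical host "example.test", and
// a CRL signed by the CA that lists that certificate when revokeLeaf is true.
func BuildFixture(revokeLeaf bool) (ca, leaf *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue the CRL
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))

	// The CRL is the issuer's signed, time-bounded statement of what it has revoked.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return ca, leaf, crlDER
}

// CheckServerCert does what a careful TLS client should: verify the chain and
// host name, then refuse the certificate if its issuer has since revoked it.
func CheckServerCert(ca, leaf *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"}); err != nil {
		return fmt.Errorf("chain verification: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parsing crl: %w", err)
	}
	// A revocation statement not signed by the issuer, or past its validity
	// window, tells the client nothing; it must not be read as "not revoked".
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("crl is stale; revocation status unknown")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// Demo builds the fixture and runs the client-side check on it.
func Demo(revokeLeaf bool) error {
	return CheckServerCert(BuildFixture(revokeLeaf))
}

func main() {
	fmt.Println("valid, not revoked:", Demo(false)) // <nil>
	fmt.Println("valid, but revoked:", Demo(true))  // certificate has been revoked by its issuer
}
```

The point of the second run is that the chain check alone passes in both cases; only the revocation step separates a good certificate from one the CA has withdrawn, which is why a client that skips or soft-fails that step gains nothing from the CA revoking a compromised certificate.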


Securing Software Distribution with Digital Code Signing

The group has also worked to secure software distribution with digital code signing. Code signing certificates play a key role in helping users identify authentic software from reputable publishers and give assurance that the code has not been tampered with since it was signed.
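The two guarantees named above, publisher identity and integrity since signing, as an added example that is not part of this article or any CASC material: the publisher signs a manifest binding its name to the SHA-256 digest of the artifact, and the installer accepts the artifact only if the signature verifies under the key trusted for that publisher and the digest still matches. The trust store is a preloaded name-to-key map, a stand-in for the code signing certificate that would normally supply that binding through a CA-issued chain. The publisher names, keys and the artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the statement a publisher signs when releasing software: the
// publisher's name, the artifact's file name and the SHA-256 of its bytes.
type Manifest struct {
	Publisher string `json:"publisher"`
	Artifact  string `json:"artifact"`
	SHA256    string `json:"sha256"`
}

// SignedRelease travels with the artifact. Manifest holds the exact bytes that
// were signed, so verification never depends on re-serialising the struct.
type SignedRelease struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrUnknownPublisher = errors.New("publisher is not in the trust store")
	ErrBadSignature     = errors.New("signature does not verify under the publisher's key")
	ErrTampered         = errors.New("artifact digest does not match the signed manifest")
)

// SignRelease is the publisher's side: hash the artifact, bind the digest to
// the publisher's identity, and sign that binding.
func SignRelease(priv ed25519.PrivateKey, publisher, name string, artifact []byte) (*SignedRelease, error) {
	sum := sha256.Sum256(artifact)
	m, err := json.Marshal(Manifest{Publisher: publisher, Artifact: name, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, err
	}
	return &SignedRelease{Manifest: m, Signature: ed25519.Sign(priv, m)}, nil
}

// VerifyRelease is the installer's side. The trusted map stands in for the
// code signing certificate chain that binds a publisher name to a key.
func VerifyRelease(trusted map[string]ed25519.PublicKey, rel *SignedRelease, artifact []byte) (string, error) {
	var m Manifest
	if err := json.Unmarshal(rel.Manifest, &m); err != nil {
		return "", err
	}
	pub, ok := trusted[m.Publisher]
	if !ok {
		return "", ErrUnknownPublisher
	}
	// Verify the signature before trusting anything else the manifest claims.
	if !ed25519.Verify(pub, rel.Manifest, rel.Signature) {
		return "", ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(m.SHA256)) != 1 {
		return "", ErrTampered
	}
	return m.Publisher, nil
}

// RunScenarios exercises the four outcomes an installer must tell apart and
// reports each verdict as a string. Keys and the artifact are constructed.
func RunScenarios() map[string]string {
	const publisher = "Example Software Ltd (constructed)"
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key nobody trusts
	trusted := map[string]ed25519.PublicKey{publisher: pub}
	artifact := []byte("#!/bin/sh\necho installing example v1.0\n") // constructed payload

	verdict := func(rel *SignedRelease, data []byte) string {
		who, err := VerifyRelease(trusted, rel, data)
		if err != nil {
			return err.Error()
		}
		return "accepted from " + who
	}
	genuine, _ := SignRelease(priv, publisher, "install.sh", artifact)
	forged, _ := SignRelease(otherPriv, publisher, "install.sh", artifact)         // right name, wrong key
	unknown, _ := SignRelease(otherPriv, "Unknown Publisher (constructed)", "install.sh", artifact)
	tampered := append([]byte(nil), artifact...)
	tampered[len(tampered)-2] ^= 0x01 // one byte altered after signing

	return map[string]string{
		"genuine":  verdict(genuine, artifact),
		"tampered": verdict(genuine, tampered),
		"forged":   verdict(forged, artifact),
		"unknown":  verdict(unknown, artifact),
	}
}

func main() {
	for name, v := range RunScenarios() {
		fmt.Printf("%-9s %s\n", name+":", v)
	}
}
```

Checking the signature before the digest matters: the digest in the manifest is only meaningful once the manifest is known to come from the named publisher, otherwise anyone could ship a modified artifact with a matching, but unsigned, digest.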

