X.509 (SSL) certificates, the standard format for public key infrastructure (PKI) and privilege management infrastructure (PMI), are everywhere. They’re on nearly every website, and there are millions of PKI implementations all over the world. In fact, it would be safe to say that most organizations take these certificates and their supporting infrastructure for granted.
And therein lies the rub. We have recently seen several compromises involving certificate authorities, easily the most important part of any X.509 implementation. What happened? And what can enterprises do to protect themselves?
If we go back and examine how CAs have been compromised of late, it’s apparent that in nearly every case -- including the high-profile breaches of certificate authorities Comodo and DigiNotar -- infrastructure security was breached or bypassed. The protocols used with X.509 certificates and the certificates themselves operated as designed and expected.
Industry leaders are employing or providing a number of products and services to help protect customers using PKI technologies. There are a couple of big problems to tackle: First, we need to be absolutely sure that the requesting entity is who it says it is -- the core of authentication.
Certification Authority Authorization (CAA), a joint effort between Google and Comodo, may go a long way toward adding some security and sanity to the CA and key management process. CAA allows a DNS domain name holder to specify the CAs that can issue certificates for that domain. This puts at least some control over certificate issuance back in the hands of the domain owner and will help prevent accidental or purposeful issuance of duplicate or fraudulent certificates. The CAA model also allows for validation of new requests with existing certificates: Before a CA issues a certificate, a compliant CA checks for publication of similar certificates and validates that the new certificate is consistent with existing certificates.
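To make the CAA check concrete, here is an added example (not code from the article or from any CA) of the decision a compliant CA makes before issuing: it walks from the requested name up through its parent domains to find the relevant CAA record set and then tests whether its own issuer domain is listed. The zone data is constructed, and the lookup rules follow the CAA RFC (RFC 6844, later RFC 8659) rather than anything stated in the article.

```python
from typing import Dict, List, NamedTuple

class CAA(NamedTuple):
    flags: int   # bit 7 (value 128) marks the property as "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or a tag the CA does not know
    value: str   # issuer domain such as "trusted-ca.example"; "" means no CA may issue

# Constructed sample zone: name -> CAA RRset. Not real DNS data.
ZONE: Dict[str, List[CAA]] = {
    "example.com":        [CAA(0, "issue", "trusted-ca.example"),
                           CAA(0, "issuewild", "")],      # wildcards never allowed
    "locked.example.com": [CAA(0, "issue", "")],           # nobody may issue here
    "odd.example.com":    [CAA(128, "futuretag", "x")],    # unknown critical property
}

def relevant_caa(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[CAA]:
    """Return the first non-empty CAA RRset found walking from the name to its parents.
    A wildcard request *.example.com is evaluated starting at example.com."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.split(".")
    for i in range(len(labels) - 1):            # stop before the TLD label
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []                                   # no CAA anywhere: no restriction

def ca_may_issue(ca: str, name: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """True if the CA identified by issuer domain `ca` may issue a certificate for `name`."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    # An issuer-critical property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    wildcard = name.startswith("*.")
    use_wild = wildcard and any(r.tag == "issuewild" for r in rrset)
    tag = "issuewild" if use_wild else "issue"   # issuewild falls back to issue if absent
    # The value may carry parameters after ';' ("ca.example; account=123"); only the
    # issuer domain is compared. An empty issuer domain matches no CA at all.
    allowed = [r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag]
    if not allowed:
        return True                             # only iodef records: no restriction
    return ca.lower() in allowed
```

Note that `locked.example.com` blocks issuance for `api.locked.example.com` as well, because the walk reaches the parent's record set before `example.com`.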
Extended Validation (EV) is a standard developed by the CA/Browser Forum to shore up certificate technology. Before an EV certificate is issued, the issuing authority establishes the legal identity and the operational and physical presence of a website. In addition, the CA vendor establishes that the applicant is the domain name owner or has exclusive control over the domain name. The CA will validate the identity and authority of the individuals acting for the website owner. Because of the extensive validation they require, EV certificates can significantly increase the trust level of the certificate holder.
Some companies are opting to bring their keys in-house. Fifty-five percent of the respondents to InformationWeek’s 2012 Data Encryption Survey have already brought one core encryption capability in-house by using their own internal CAs; an additional 15 percent plan to do so within 24 months. This may be especially important as the use of cloud services increases, according to the report.
To find out what your enterprise can do about the certificate authority issue -- and how the technology itself is changing -- download the free report on the evolution of certificate technology.