Certificate Authority Security Council Explained

Certificate Authority Security Council
Abbreviation:CASC
Type:Industry Advocacy Organization
Formation:February 2013
Purpose:Exploration and promotion of best practices that advance trusted SSL deployment and CA operations as well as the security of the Internet in general
Region Served:Worldwide
Membership:7 publicly trusted PKI authorities

The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.

History

The group was founded in February 2013 with the seven largest certificate authorities, issuers of SSL certificates — Comodo, Symantec,[1] Trend Micro, DigiCert, Entrust,[2] GlobalSign[3] and GoDaddy.[4] [5] [6] [7] [8] DigiCert withdrew[9] from the group June 15, 2018.

Objectives

The CASC supports the efforts of the CA/Browser Forum and other standards-setting bodies.[10] They support the development of enhancements that improve the Secure Sockets Layer (SSL) and the operations of the certificate authorities (CA).[11] [12]

According to Robin Alden, CTO of Comodo and member of the Council, the CASC will serve as a united front for all of the CAs involved: "While not a standards-setting organization, we’re committed to supplementing standards-setting organizations by providing education, research, and advocacy on the best practices and use of SSL."[13]

Membership requirements

The CASC limits membership to SSL certificate authorities that meet their requirements for reputation, operation, and security. Members are required to undergo an annual audit and to adhere to industry standards, such as the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines.[14]

Industry initiatives

The group works collaboratively to create and define the initiatives to improve the understanding of policies and their impact on Internet infrastructure.

Certificate Revocation and OCSP Stapling

The group's primary focus[15] was promoting an understanding of the importance of certificate revocation checking and the benefits of OCSP stapling. The protocol is intended to ensure that web users are aware when they visit a web site with a revoked or expired SSL certificate.[16]

Securing Software Distribution with Digital Code Signing

The group has also worked to secure software distribution with digital code signing.[17] Code signing certificates play a key role in helping users identify authentic software code from reputable publishers and receive the assurance that the code has not been tampered with beforehand.

Notes and References

  1. https://web.archive.org/web/20130217082728/http://www.symantec.com/connect/blogs/let-s-build-more-secure-future Let’s Build a More Secure Future | Symantec Connect Community
  2. http://www.entrust.com/news/2013-02-14-Entrust-Joins-Worlds-Leading-CAs-to-Form-Certificate-Authority-Security-Council-Advance-Internet-Security-and-Trusted-SSL-Ecosystem Entrust Joins World's Leading CAs to Form Certificate Authority Security Council, Advance Internet Security and Trusted SSL Ecosystem - Feb 14, 2013
  3. Web site: The Paypers. Insights in payments . 2013-03-15 . https://web.archive.org/web/20150702184430/http://www.thepaypers.com/news/e-identity-security-online-fraud/globalsign-joins-the-certificate-authority-security-council-to-upgrade-internet-security/750211-26 . 2015-07-02 . dead .
  4. Web site: Announcing the Certificate Authority Security Council Inside GoDaddy.com . 2013-03-15 . 2013-11-11 . https://web.archive.org/web/20131111090725/http://inside.godaddy.com/announcing-certificate-authority-security-council/ . dead .
  5. Web site: Major Certificate Authorities Unite In The Name Of SSL Security - Dark Reading . 2013-03-15 . https://archive.today/20130410174711/http://www.darkreading.com/authentication/167901072/security/news/240148546/major-certificate-authorities-unite-in-the-name-of-ssl-security.html . 2013-04-10 . dead .
  6. Web site: Multivendor power council formed to address digital certificate issues - Network World . 2013-03-15 . https://web.archive.org/web/20130728114851/http://www.networkworld.com/news/2013/021413-council-digital-certificate-266728.html . 2013-07-28 . dead .
  7. http://www.cmswire.com/cms/customer-experience/website-certificate-authorities-set-up-security-council-for-advocacy-research-019619.php Website Certificate Authorities Set Up Security Council for Advocacy, Research
  8. http://electronicstaff.com/2013/ssl-certificate-authority-security-council-takes-root SSL Certificate Authority Security Council Takes Root | Electronic Staff
  9. News: Notice of Withdrawal from the CA Security Council DigiCert Blog. 2018-06-15. DigiCert. 2018-07-02. en-US.
  10. Web site: About the CA Security Council . 2013-03-15 . 2017-07-14 . https://web.archive.org/web/20170714183658/https://casecurity.org/casc/ . dead .
  11. https://casecurity.org/2013/02/14/worlds-leading-certificate-authorities-come-together-to-advance-internet-security-and-the-trusted-ssl-ecosystem/ CA Security Council | World’s Leading Certificate Authorities Come Together to Advance Internet Security and the Trusted SSL Ecosystem
  12. http://www.networkworld.com/news/2013/021513-certificate-authorities-band-together-to-266752.html Certificate authorities band together to boost security – Network World
  13. http://threatpost.com/en_us/blogs/cas-form-new-alliance-focus-security-issues-education-021413 CAs Form New Alliance to Focus on Security Issues, Education | threatpost
  14. Web site: CA Security Council About the CA Security Council . 2013-03-15 . 2017-07-14 . https://web.archive.org/web/20170714183658/https://casecurity.org/casc/ . dead .
  15. Web site: New Certificate Authorities group promises better revocation checking - Techworld.com . 2013-03-15 . https://web.archive.org/web/20140201203901/http://news.techworld.com/security/3426528/new-certificate-authorities-group-promises-better-revocation-checking/ . 2014-02-01 . dead .
  16. http://www.computerworld.com/s/article/9236803/Certificate_Authorities_to_push_for_better_certificate_revocation_checking?taxonomyId=245 Certificate Authorities to push for better certificate-revocation checking - Computerworld
  17. Web site: Kerner. Sean Michael. Code Signing Seen as Effective Way to Safeguard App Security. https://archive.today/20140126105552/http://www.eweek.com/security/code-signing-seen-as-effective-way-to-safeguard-app-security.html. dead. January 26, 2014. eWeek.