A digital certificate {Chapter 12 Security+ 4ed} is a technology used to associate a user's identity with a cryptographic public key: the user's public key is "digitally signed" by a trusted third party, which verifies the owner and that the public key belongs to that owner. Microsoft's Internet Explorer 9 (IE9) Application Reputation now checks files to be downloaded against a Microsoft service that tries to identify the file's contents and its digital certificate. The most common transport encryption protocol used with digital certificates is Secure Sockets Layer (SSL), which uses a public key to encrypt data that is transferred over the SSL connection. Transport Layer Security (TLS) is a protocol that guarantees privacy and data integrity between applications communicating over the Internet. TLS is an extension of SSL, and the two are often referred to together as SSL/TLS. The set of management tools for the use of digital certificates and asymmetric cryptography is known as public key infrastructure, or PKI {Chapter 12 Security+ 4ed}. Public key infrastructure involves public-key cryptography standards, trust models, and key management.
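The "trusted third party signs the public key" idea above is easiest to see in code. The following is an added example written for this page, not code from the post or from the Security+ text: it uses only Go's standard library to create a self-signed root CA, have that CA sign a server's public key, and then perform the same chain and host-name checks a browser performs. The CA names and the host `www.example.test` are constructed for the example; the second "rogue" CA shows that a certificate for the right name, issued by a CA the client does not trust, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a certification authority certificate (test names only).
func caTemplate(name string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// serverTemplate describes an SSL/TLS server certificate for one host name.
func serverTemplate(host string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue has the signer (the issuing CA) digitally sign the subject's public key.
// A nil parent means the certificate signs itself, which is how a root CA is made.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServer does what a browser does: build a chain from the server
// certificate to a trusted root and check that the certificate names the host.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo holds the client's trust store, a server cert issued by the trusted CA,
// and a cert for the same host issued by a CA the client has never trusted.
type Demo struct {
	Roots     *x509.CertPool
	GoodLeaf  *x509.Certificate
	RogueLeaf *x509.Certificate
}

// BuildDemo constructs the keys and certificates (all values are made up here).
func BuildDemo() (*Demo, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	caKey, srvKey, rogueKey := keys[0], keys[1], keys[2]

	caCert, err := issue(caTemplate("Example Trusted CA", 1), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	goodLeaf, err := issue(serverTemplate("www.example.test", 2), caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	rogueCA, err := issue(caTemplate("Rogue CA", 3), nil, &rogueKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	// Same server public key, same host name, but signed by an untrusted CA.
	rogueLeaf, err := issue(serverTemplate("www.example.test", 4), rogueCA, &srvKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // only the legitimate root is in the trust store
	return &Demo{Roots: roots, GoodLeaf: goodLeaf, RogueLeaf: rogueLeaf}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA, correct host:", VerifyServer(d.GoodLeaf, d.Roots, "www.example.test"))
	fmt.Println("trusted CA, wrong host:  ", VerifyServer(d.GoodLeaf, d.Roots, "other.example.test"))
	fmt.Println("untrusted CA:            ", VerifyServer(d.RogueLeaf, d.Roots, "www.example.test"))
}
```

The first check returns no error; the second fails because the certificate does not name the host; the third fails with an unknown-authority error because the chain ends at a root the client does not trust. That last case is exactly why stolen or mis-issued CA certificates matter: the trust store, not the key, decides whom the browser believes.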
Digital certificates have come under the security spotlight recently. Thefts of digital certificates have resulted in citizens having their e-mail messages read behind their backs by their governments (see the Mar 30 2011 and Sep 7 2011 blog postings). And due to a vulnerability in the Online Certificate Status Protocol (OCSP), which is used to check the current status of a certificate, Chrome will no longer support it (see the Feb 12 2012 blog posting).
Now some order may be coming to these important digital certificate instruments. The CA/Browser Forum was formed back in 2006 and was responsible for an enhanced type of server digital certificate known as the Extended Validation SSL Certificate (EV SSL) {Chapter 12 Security+ 4ed}. This type of certificate requires more extensive verification of the legitimacy of the business. In addition, Web browsers can visually indicate to users that they are connected to a Web site that uses the higher-level EV SSL by coloring the address bar. A Web browser that accesses a site that uses EV SSL will display the address bar shaded in green along with the site's name. The address bar will be displayed in red if the site is known to be dangerous.
The CA/Browser Forum recently released the first international baseline standards for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates. It sets standards for verification of identity, certificate content and profiles, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality, and delegation. Known as the "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates," it is the first industry-wide standard for the issuance and management of SSL/TLS digital certificates (which is surprising considering the widespread use and the importance of these instruments). These requirements become effective on July 1, 2012. The CA/Browser Forum members who issue digital certificates make up 94% of the world-wide CAs, and they have agreed to these new standards.
You can download the document at http://www.cabforum.org/.
Stay secure!
http://www.cengage.com/community/infosec
Posted 02-14-2012 11:50 AM by Mark Ciampa