The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser and secure email software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.
Founded | 2005 |
---|---|
Type | Professional organization |
Focus | Provide internet security industry standards for certificate authorities and certificate consumers such as Internet browsers |
Website | cabforum |
As of May 2022[update], the consortium includes 54 certificate issuers, 11 certificate consumer vendors, and industry standards and audit bodies including the European Accredited Conformity Assessment Bodies’ Council (ACAB’C), the WebTrust Task Force, and the European Telecommunications Standards Institute (ETSI).[1]
Working groups
editThe CA/Browser Forum has these working groups:
- Server Certificate Working Group, which has subcommittees for Validation and Network Security, which maintains the following standards:
- "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" (for SSL/TLS)
- "Guidelines For The Issuance And Management Of Extended Validation (EV) Certificates" (for SSL/TLS)
- "Network and Certificate System Security Requirements"
- Code Signing Working Group which maintains:
- "Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates"
- S/MIME Certificate Working Group which is developing:
- "Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates"
History
editIn 2005, Melih Abdulhayoglu of the Comodo Group organized[2] the first meeting of CA/Browser Forum. The first meeting was held in New York City. This was followed by a meeting in November 2005 in Kanata, Ontario, and a meeting in December, 2005, in Scottsdale, Arizona with the main objective to enable secure connections between users and websites.
In addition to CA/Browser Forum members, representatives of the Information Security Committee of the American Bar Association Section of Science & Technology, Law and the Canadian Institute of Chartered Accountants participated in developing the standards for issuing and managing Extended Validation SSL/TLS certificates. Version 1.0 of the EV Guidelines was adopted on 7 June 2007.[3]
In November 2011, the CA/Browser Forum adopted version 1.0 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" intended to provide minimum security standards for all browser-trusted SSL/TLS certificates. Subsequent versions expanded the Baseline Requirements to directly incorporate requirements from browser root store policy programs such as those of Mozilla and Microsoft.
In January 2013 the CA/Browser Forum's first "Network and Certificate System Security Requirements" took effect defining best practices for the general protection of CA networks and supporting systems.
In February 2013 a new industry group, the Certificate Authority Security Council (CASC), was formed with a mission that includes promoting CA/Browser Forum standards. Membership requires adherence to CA/Browser Forum standards.[4] The CASC's founding members consisted Comodo CA (now Sectigo), Symantec (now DigiCert),[5] Trend Micro (now Entrust), DigiCert, Entrust,[6] GlobalSign[7] and GoDaddy.[8][9][10][11][12]
In August 2020, the S/MIME Certificate Working Group[13] was chartered to create a baseline requirement applicable to CAs that issue S/MIME certificates used to sign, verify, encrypt, and decrypt email.
In September 2020, the CA/Browser Forum adopted version 2.0 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates", which had previously been maintained outside the group.
In January 2023, the CA/Browser Forum adopted version 1.0 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates", It defined four types of S/MIME certificate standards. Mailbox-validated, Organization-validated, Sponsor-validated and Individual-validated.[14]
References
edit- ^ "Members of the CA - Browser Forum - Over 50 CAs and All Major Browsers". CA/Browser Forum. Archived from the original on 2022-05-03. Retrieved 3 May 2022.
- ^ "How Can We Improve Code Signing?". 9 May 2008.
- ^ "GUIDELINES FOR THE ISSUANCE AND MANAGEMENT OF EXTENDED VALIDATION CERTIFICATES v1.0" (PDF). The CA/Browser Forum.
- ^ "About the CA Security Council". 27 January 2013. Archived from the original on 14 July 2017. Retrieved 20 February 2014.
- ^ "Let's Build a More Secure Future". Archived from the original on February 17, 2013.
- ^ "Entrust Joins World's Leading Certificate Authority".
- ^ "GlobalSign joins the Certificate Authority Security Council to upgrade internet security". Archived from the original on 2015-07-02. Retrieved 2013-04-02.
- ^ "Get more done with Microsoft Office 365 from GoDaddy". Archived from the original on 2013-11-11. Retrieved 2013-04-02.
- ^ "Authentication Security News, Analysis, Discussion, & Community". Archived from the original on 2013-04-10.
- ^ "Multivendor power council formed to address digital certificate issues - Network World". Archived from the original on 2013-07-28. Retrieved 2013-04-02.
- ^ "Website Certificate Authorities Set Up Security Council for Advocacy, Research".
- ^ "SSL Certificate Authority Security Council Takes Root | Electronic Staff". Archived from the original on 2014-07-14. Retrieved 2013-04-02.
- ^ CA/Browser Forum S/MIME Certificate Working Group https://cabforum.org/working-groups/smime-certificate-wg/
- ^ "CA/Browser Forum S/MIME Baseline Requirements" (PDF). CA/Browser Forum. Retrieved 4 April 2023.
External links
edit- Official website
- "Windows Root Certificate Program members". Support. Knowledge Base. Microsoft. Jan 11, 2013. 931125. Archived from the original on 2013-12-16.
CAs approved for EV in Microsoft IE7
- "Configure Trusted Roots and Disallowed Certificates". TechNet. Certification Authority Guidance. Microsoft. May 5, 2014. dn265983.
- Oiaga, Marius (Jun 13, 2007). "Microsoft's Internet Identity Technology Gets Certified". Softpedia.