Since this weekend the StartCom Certification Authority is officially a member of the CA/Browser Forum. This forum is a closed group of commercial certification authorities and software vendors - in particular browser vendors - which was founded sometime in 2006. On a previous occasion the StartCom CA was denied participation, but having now met their terms and requirements for membership, StartCom was eventually accepted. Personally I view joining this group as more a necessity than an achievement - but one that I intend to use wisely.

The only sphere of influence I previously had in relation to the CA/Browser Forum and Extended Validation certificates was through my involvement at Mozilla - and that wasn’t really a lot. With the ability to influence from within this group as the representative of StartCom, I hope there are some points which I’ll be able to address at the forum at some point:

  • Opening the CA/Browser Forum - at least providing a mailing list which can be accessed by the general public and which is maintained by the forum members. Some other parties which are currently excluded should eventually be invited to join the forum. Excluding them only hurts the interests of the public authorities, and otherwise valuable input is lost - instead, those parties are aligning against the forum, which isn’t really useful.
  • Defining guidelines and creating rules for domain-validated and email-validated certificates. They represent the lowest level of certificates currently issued by public authorities, and a common level of agreed practices will improve the certificates typically used for forums, blogs, web mail, etc.
  • Defining guidelines for a middle level, especially for personal identity validation. This level of certification is currently lumped together with the lowest level, which in my opinion is insufficient and unsatisfying for subscribers. Additionally, relying parties have few indicators on which to base a decision to trust such certificates. Distinguishing between domain-validated certificates and identity/organization-validated certificates which are not EV is almost impossible. This is a shortcoming I already mentioned during Mozilla’s vote discussion of the EV guidelines. I’d also expect some difference in the browser UI; looking at Firefox, for example, it could be the blue domain name indicator with identity information in the popup.
  • Clarifying auditor requirements for ETSI audits. It’s currently unclear which auditors are considered authorized and acceptable - it seems to me that almost anything will do. I’d like to see this defined and enforced, in particular by browser vendors (e.g. Mozilla), but maybe also by the CA/Browser Forum.

Most likely there will be many more interesting points coming up at the forum, for example the WebTrust 2.0 audit, about which I’m very interested to learn more. But most important for StartCom is of course the distribution of validated certificates:

How can security on the Internet improve when certificates are unaffordable or simply overpriced for the vast majority? For any smaller business which makes a few thousand dollars profit per month, an expense of US$ 500 or more per year is simply not attractive. They’ll opt for lower-priced domain-validated certificates - if at all - and with that, the commonly accepted security practices are lowered. Instead of having a majority of validated identities and organizations for secured web sites, we have low-level validations at best. And those are already provided by StartCom anyway, for the right price - FREE.

EV SSL certificates are currently provided as part of a beta program for only US$ 99.90. Learn how to enroll for extended validation at StartCom here.

Reader Comments

Does this mean that IE will support StartSSL Certs?

Eventually yes. So it’s not official yet, Microsoft are working on it - scheduled for September. In the meantime test builds of Firefox’s next version are available with StartCom EV support. (Re-visit this site with the release candidate).