Information about http://www.us.kpmg.com/RutUS_prod/Documents/12/DC80502.pdf
D I G I TA L C E R T I F I C AT E S , A…
Tags: authentication certificate, business model, certificate policy, certificate revocation list, certificate status, certification authorities, cps, fac, integrity internet, internet service provider, management authority, oid, policy management, requester, satisfactory level, security services, server certificates, socket layer, subscriber authentication, transfer protocol,Pages: 25
Language: english
Created: Mon Aug 5 16:07:03 2002
Display cached document
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
D I G I TA L C E R T I F I C AT E S ,
A U T H E N T I C AT I O N , A N D
TRUST ON THE INTERNET
A S S U R A N C E
P R E FAC E
Until recently, substantially all server certificates (SSL or secure
Abbreviations
socket layer certificates) issued by public certification authorities (CAs)
were issued to organizations following a subscriber authentication certificate policy CP
process that included verification of the organization's existence, the certification authority CA
organization's right to use the domain name included in the certificate, certification practice statement CPS
and the authority of the requester to obtain a certificate on behalf of certificate revocation list CRL
the organization. Such certificates afforded a satisfactory level of certificate signing request CSR
hypertext transfer protocol with SSL HTTPS
assurance by enabling three security services--confidentiality,
identification and authentication I&A
authentication, and integrity.
Internet service provider ISP
object identifier OID
In recent months, with the rise of a new business model for SSL cer-
online certificate status protocol OCSP
tificate issuance, some CAs now issue lower-assurance server certifi-
policy management authority PMA
cates without authenticating the subscriber, thereby providing only
public key infrastructure PKI
two security services--confidentiality and integrity. Using current
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
registration authority RA
browser technology, it is very difficult for an Internet user to distin-
secure socket layer SSL
guish between higher- and lower-assurance server certificates. As a
uniform resource locator URL
result, consumer confidence in the security of electronic commerce
may be at risk. This paper addresses this topic and provides recom-
mendations for addressing related issues through industry and stan-
dardization activities.
,
CONTENTS
1 EXECUTIVE SUMMARY
1 Subscriber Authentication
3 Relying Party Control Considerations
4 REQUIREMENTS FOR CA TRUST
4 Overview
4 CA Control Requirements
4 CA Business Practices Disclosure
5 CA Environmental Controls
5 CA Key Life Cycle Management
5 Certificate Life Cycle Management
5 ASSURANCE LEVELS
6 REQUIREMENTS FOR SUBSCRIBER AUTHENTICATION
6 Standards for Subscriber Authentication
6 AICPA/CICA WebTrust for CAs and ANS X9.79
7 ISO CD 21188 (draft)
7 Industry Practices for Subscriber Authentication
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
9 Legal Perspective
10 RISKS OF INSUFFICIENT SUBSCRIBER
AUTHENTICATION
10 Scenario 1: No authentication of the organization by the CA
11 Scenario 2: No check of the applicant's right to use the
domain name by the CA
12 Scenario 3: No check of organization's existence by the CA
12 Scenario 4: No check of the applicant's authority to request
a certificate for the organization by the CA
12 RELYING PARTY CONTROL CONSIDERATIONS
12 Appropriateness for Use
13 Root CA and Subordinate CA Trust Issues
14 Certificate Status Checking
15 Shared Hosting
15 OTHER TYPES OF HIGH-ASSURANCE CERTIFICATES
15 RECOMMENDATIONS FOR FUTURE REQUIREMENTS
17 APPENDIXES
17 Appendix A: WebTrust for CAs--Principles and Criteria
19 Appendix B: Certificate Policy Contents
20 Appendix C: Example Assurance Levels
21 Appendix D: What Does an SSL Certificate Mean?
22 NOTES
,
E X E C UT I V E S U M M A RY
The use of high-assurance SSL certificates is a critical building block Leading browser providers such as Microsoft® and Netscape® recog-
for secure electronic commerce and one of the most ubiquitous uses nized the importance of high-assurance SSL certificates and incorpo-
of public key infrastructure (PKI). SSL certificates provide three secu- rated easy to understand icons (locks and keys) into their browsers to
rity services--confidentiality, authentication, and integrity. They enable inform Web site visitors when an SSL session was invoked and con-
an Internet user to: sequently that their information would be secure in transit. Until
· Securely communicate with a Web site--information provided by recently, this simple approach worked well and facilitated the expan-
the Internet user cannot be intercepted in transit (confidentiality) or sion of online commerce. However, recent changes in the SSL certifi-
altered without detection (integrity) cate marketplace pose a security risk with a potential threat to
· Verify that the Internet user is actually at the company's Web site consumer confidence in the security of online commerce.
and not an impostor's site (authentication).
S U B S C R I B E R A U T H E N T I C AT I O N
For example, an SSL certificate bearing the organization name "XYZ Until recently, substantially all SSL certificates could be categorized as
Software, Inc. is intended to convey assurance that the visited Web
" "medium" to "high" assurance and therefore provided all three secu-
site (e.g., www.xyzsoftware.com) is an XYZ Software, Inc. Web site rity services--confidentiality, authentication, and integrity. However,
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
(and not another entity's site perhaps intended to trick unsuspecting in recent months emerging providers of SSL certificates have elected
Web surfers into doing business with someone pretending to be XYZ to provide lower-assurance SSL certificates (with no authentication of
Software, Inc.). the subscriber) at a reduced cost and with rapid order fulfillment.
These lower-assurance SSL certificates provide confidentiality and
Why is this point important? A domain name or URL (uniform resource integrity, but not authentication. This conflicts with generally accepted
locator) is like a telephone number. It is assigned to a paying customer industry practices and serves as a source of confusion for Internet
(organization or individual) for the period of time it is registered. users. Whereas, in the past, users could reasonably rely on the lock
or key, they must now examine and understand the contents of the
The domain name system was designed to support open-systems SSL certificate to distinguish between varying levels of assurance.
information flow. While there are restrictions on certain types of
domains (e.g., .mil is restricted to military entities, .es is restricted to Industry standards for subscriber registration require that a certification
organizations physically located in Spain), there are no such restric- authority (CA) maintain controls to provide reasonable assurance that:
tions on the most common types of domains (including .com, .org, · Subscribers are properly identified and authenticated
.net, and others). To register for these types of domains, the individ- · Subscriber certificate requests are accurate, authorized, and
ual or organization need only pay the annual fee. The applicant is also complete.1
obligated to provide accurate information, though there is no require-
ment for registrars to verify the accuracy of the information provided.
,
T R U S T O N T H E I N T E R N E T 1
E X E C UT I V E S U M M A RY
A certification authority's specific practices for meeting these require- authenticated organization. In general, an Internet user incurs a higher
ments should be disclosed in the CA's published certificate policy (CP) degree of risk if such verification steps are not performed. The fol-
or certification practice statement (CPS). Fundamental to the process lowing table provides an overview of some of those risks.
of issuing SSL certificates to an organization for use on its Web site
are three basic verification components: In each scenario, the failure to complete the specified checks could
· Confirmation that the organization named in the certificate has the expose:
right to use the domain name identified in the certificate · Unsuspecting Internet users to direct loss of funds due to fraud
· Confirmation that the organization named in the certificate is a legal · The legitimate company to direct loss of funds due to fraud, or
entity undue business risk such as loss of productivity, bad public rela-
· Confirmation that the individual who requested the SSL certificate tions, or legal action
on behalf of the organization was reasonably authenticated and had · The CA to undue business risk such as loss of productivity, bad
proper authorization.2 public relations, or legal action.
Completion of these verification steps prior to certificate issuance
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
enables Internet users to know they are conducting business with an
Scenario Threat
1. No authentication of the organization A malicious individual could masquerade as an existing organization, deceiving users
by the CA. into believing that the malicious individual's Web site is operated under the auspices
or of an existing organization whose name is included in the site's SSL certificate. A
2. No check of the applicant's right to use false level of trust is established by associating the malicious individual's domain
the domain name by the CA. name with the name of an existing organization.
3. No check of the organization's existence A malicious individual could pretend to be an organization even though no such
by the CA. organization exists (i.e., the organization has not been registered with the appropriate
government authority).
4. No check of the applicant's identity A malicious individual who is not authorized by the organization could obtain an SSL
and authority to request a certificate for certificate bearing the organization's name, allowing the malicious individual to
the organization by the CA. masquerade as the organization. ,
T R U S T O N T H E I N T E R N E T 2
E X E C UT I V E S U M M A RY
R E LY I N G PA R T Y C O N T R O L required to automatically check certificate status might vary signifi-
C O N S I D E R AT I O N S cantly depending on the certificate status publication technology used
Current browsers do not distinguish between higher- and lower- by the CA. As a result, it is very difficult for an Internet user to distin-
assurance SSL certificates. As long as the SSL certificate is linked to guish between a valid SSL certificate and a revoked SSL certificate.
a trusted Root CA and the common name in the certificate matches
the domain name of the visited Web site, the browser will not gener- Another scenario that may give Internet users a false sense of secu-
ate an alert and, consequently, the Internet user (relying party) will rity is the situation where a Web site has been implemented in a
generally trust the SSL certificate. The "lock" icon in the user's shared hosting environment using shared SSL to secure the HTTPS
browser will appear exactly the same to the user regardless of pages of multiple customers' Web sites with a single certificate
whether a particular site has an authenticated high-assurance SSL issued to the Internet service provider (ISP). In this scenario, the
certificate or a lower-assurance unauthenticated SSL certificate. Internet user may visit a Web page that is secured with an SSL cer-
tificate issued to the ISP rather than the organization (e.g., ABC Co.)
Browser providers play an important role in enabling SSL-secured with which the user believes he is doing business. When the user vis-
electronic commerce by including and distributing "trusted" Root CA its such a secured page via the ABC Co. Web site and sees the lock
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
certificates in their browsers. To establish a standard for trusting icon, the user may conclude that ABC Co. has been authenticated
Root CAs, Microsoft implemented a program in 2001 requiring that when, in reality, only the ISP has been authenticated.
Root CAs must complete an annual WebTrust Program for
Certification Authorities (WebTrust for CAs) audit for their Root CA The following sections describe these issues in greater detail and pro-
certificates to be included in future browser releases and the vide recommendations for addressing them through industry and
Microsoft Windows ®
Update function. Other browser providers standardization activities.
such as Netscape and AOL have not formally established a similar
requirement. However, this does not address the issues of SSL cer-
tificate authentication practices and assurance levels, or the lack of an
intuitive or automated mechanism for users to distinguish between
higher- and lower-assurance SSL certificates.
In addition, browsers are not configured to check certificate status
by default. Many certificates do not contain the extensions that are
necessary to enable automated certificate status checking. The time
,
T R U S T O N T H E I N T E R N E T 3
REQUIREMENTS
F O R C A T RU ST
OVERVIEW ance with policies, procedures, and standards are identified and cor-
As the adage goes, trust is difficult to build and easy to lose. This is rected quickly. In addition, a robust third-party audit can enhance con-
particularly true in the context of PKI where a relying party must have sumer confidence in the CA and the certificates it issues. Toward this
the confidence and ability to trust a particular certificate. How does a end, the WebTrust Program for Certification Authorities was designed
CA ensure the trustworthiness of the certificates it issues? It does to specifically address the needs and requirements of CAs. WebTrust
this by establishing a Community of Trust through a complex set of for CAs defines the specific criteria that must be included in the scope
technology, procedural, legal, and audit components. of the audit and provides a specific reporting format intended for
broad distribution to customers and other relying parties. If the CA
From a technology perspective, the CA must implement a highly successfully completes the audit, the CA may post the WebTrust for
secure IT infrastructure and a PKI solution consisting of CA signing CAs seal on its Web site with a link to the audit opinion.
servers, database servers, application and Web servers, registration
authority (RA) terminals or workstations, backup servers, hardware Industry standards, including WebTrust for CAs, ANS X9.79, and ISO
security modules, firewalls, routers, intrusion detection systems, CD 21188 (draft), address key elements of a PKI that are critical to
monitoring systems, a disaster recovery infrastructure, and many enabling an Internet user to rely on the authenticity of a digital certifi-
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
other technology components. Each of these elements must be cate. These include the following:
appropriately secured and housed within a physically secure environ- · CA business practices disclosure
ment protected by multiple levels of security. Published certificate policy
Published certification practice statement
From a procedural perspective, the CA performs many functions and · CA environmental controls
has many processes to support the issuance and management of cer- · CA key life cycle management
tificates. At the highest level, policy requirements are specified in one · Certificate life cycle management.
or more certificate policies. The CPs are supported by a more detailed
description of the CA's practices and procedures (i.e., a CPS). In addi- CA CONTROL REQUIREMENTS
tion, it is necessary for a CA to establish detailed operating proce- To enable trust in the certificates issued by a particular CA, it is nec-
dures and system configuration standards to enable qualified and essary to adequately address a number of control areas that are sum-
trained CA personnel to perform their duties in accordance with the marized below. See Appendix A for a detailed description of the
CP CPS, and operational procedures.
, WebTrust for CAs criteria.
From a legal perspective, in different countries and jurisdictions it may CA Business Practices Disclosure
be necessary for a CA to be licensed or accredited to operate or to Certificate policy (CP). A CP is a named set of rules that indicates the
issue certain types of certificates. Laws and regulations relating to applicability of a certificate to a particular community or class of appli-
digital and electronic signatures, electronic record keeping, repository cation with common security requirements. Certificate policies are
requirements, and privacy also will impact the CA. used to define the level of assurance associated with a particular type
or class of certificate. See Appendix B for more information on the
From an audit and controls perspective, it is critical to ensure the sys- contents of a CP.
,
tem integrity of the PKI. Internal compliance and quality assurance
processes are essential to ensuring that occurrences of noncompli-
T R U S T O N T H E I N T E R N E T 4
REQUIREMENTS AS S U R A N C E L E V E LS
F O R C A T RU ST
Certification practice statement (CPS). A CPS is a statement of the Certificate policies are typically used to define the trust requirements
practices that a CA employs in issuing certificates. The CPS defines for a particular type or class of certificate. Each type or class of
the policies, procedures, and controls the CA uses to satisfy the certificate is intended to provide a certain level of assurance. Levels
requirements specified in the certificate policies it supports. of assurance are typically defined within a particular community.
For example, the U.S. Federal Bridge CA has defined five assurance
CA Environmental Controls levels--test, rudimentary, basic, medium, and high--each providing
These controls include those practices and procedures that create a an increasing level of assurance. Other CAs classify specific types
secure and trustworthy environment for the CA. The components of of certificates as providing a low, medium, or high level of assurance.
CA environmental controls include CPS and CP management, security
management, asset classification and management, personnel secu- See Appendix C for a more detailed description of the Federal Bridge
rity, physical and environmental security, operations management, CA classes of certificates.
system access management, systems development and mainte-
nance, business continuity management, monitoring and compliance, CAs generally provide different types or classes of digital certificates
and event journaling. that have different levels of trustworthiness depending on a variety of
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
factors, including the level of subscriber authentication performed
CA Key Life Cycle Management prior to issuance. Relying parties must independently ascertain the
CA key management is a core function of the CA and the underpin- sufficiency of these authentication procedures and the appropriate-
ning of the PKI. Maintaining the security and integrity of CA keys ness of reliance on a given type or class of digital certificate for a
throughout their life cycles is critical to maintaining the integrity and given application or transaction.
trustworthiness of the PKI. The CA key management controls include
CA key generation; CA key storage, backup, and recovery; CA public
key distribution; CA key usage; CA key destruction; CA key archival;
and CA cryptographic hardware life cycle management.
Certificate Life Cycle Management
The certificate life cycle covers the end-to-end process of certificate
management and represents the core functions of a CA. The certifi-
cate life cycle management controls include subscriber registration,
certificate rekey and renewal, certificate issuance, certificate distribu-
tion, certificate revocation and suspension, and certificate status infor-
mation processing [e.g., certificate revocation list (CRL) processing
and online certificate status protocol (OCSP)].
Specific certificate life cycle management policies and practices may
vary depending on the intended purpose and assurance level of the
,
certificates issued by the CA. This is discussed further in the sections
that follow, with an emphasis on SSL server certificates.
T R U S T O N T H E I N T E R N E T 5
REQUIREMENTS FOR
S U B S C R I B E R AUT H E N T I C AT I O N
S TA N DA R D S F O R S U B S C R I B E R · The CA verifies or requires that the external RA verify the authority
A U T H E N T I C AT I O N of the entity requesting a certificate as disclosed in the CA's busi-
AICPA/CICA WebTrust for CAs and ANS X9.79 ness practices.
WebTrust for CAs, which is based on the ANS X9.79 standard, · The CA verifies or requires that the external RA verify the accuracy
provides a detailed set of criteria and a reporting framework specifi- of the information included in the requesting entity's certificate
cally for reporting on the operations of a CA. WebTrust for CAs defines request as disclosed in the CA's business practices.
baseline requirements and requires that the CA disclose its business
practices (typically through a CP and/or CPS). In the area of subscriber WebTrust for CAs also requires certain disclosures. As it relates to
registration, WebTrust for CAs is not prescriptive as to the appropriate subscriber registration practices, the most relevant disclosure require-
identification and authentication (I&A) requirements, but requires the ments are that the CA disclose a description of the following items:
CA to disclose its practices for the different types of certificates it · The conditions for applicability of certificates issued by the CA that
issues. As part of the audit, the CA is audited against the baseline reference a specific certificate policy, including
WebTrust for CAs criteria and the CA's disclosed practices. WebTrust Specific permitted uses for the certificates if such use is limited
for CAs does not define levels of certificates (e.g., low, medium, to specific applications
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
and high assurance), but allows the CA to establish its own levels Limitations on the use of certificates if there are specified pro-
or types. hibited uses for such certificates 3
· Certificate life cycle management practices including initial regis-
The WebTrust for CAs subscriber registration criteria require that the tration, and including a description of the CA's requirements for the
CA maintains controls to provide reasonable assurance that: identification and authentication of subscribers and validation of
· Subscribers are properly identified and authenticated certificate requests during entity registration or certificate
· Subscriber certificate requests are accurate, authorized, and issuance.4
complete.
As stated in WebTrust for CAs, effective controls over the registration
WebTrust for CAs provides illustrative (example) controls that would process are essential, as poor identification and authentication controls
satisfy the requirements for subscriber registration. The most jeopardize the ability of subscribers and relying parties to rely on the
relevant illustrative controls generally include, but are not limited to, certificates issued by the CA. Effective revocation procedures and
the following: timely publication of certificate status information are also critical ele-
· The CA verifies or requires that the external RA verify the identity ments, as subscribers and relying parties must know when they are
of the entity requesting a certificate as disclosed in the CA's busi- unable to rely on certificates that have been issued by the CA.5
ness practices.
· The CA requires that an entity requesting a certificate must prepare
and submit the appropriate certificate request data (Registration
Request) to an RA (or the CA) as disclosed in the CA's business
practices.
,
T R U S T O N T H E I N T E R N E T 6
REQUIREMENTS FOR
S U B S C R I B E R AUT H E N T I C AT I O N
ISO CD 21188 (draft) In addition, the criteria for certificate issuance require that the CA
The ISO CD 21188 PKI Policy and Practices Framework draft standard maintains controls to provide reasonable assurance that:7
builds on the criteria identified in X9.79 and WebTrust for CAs. The cur- · Certificates are generated and issued in accordance with the CA's
rent draft of the standard includes the same subscriber registration disclosed business practices
criteria but provides additional (example) controls that would satisfy · Unauthenticated individual and organization names are not
the requirement for subscriber registration, including the following:6 included in the subject distinguished name field of certificates
· The CA verifies or requires that the external RA verify the identity issued by the CA.
of the entity requesting a certificate in accordance with the CA's
CPS and the applicable certificate policy. I N D U S T RY P R A C T I C E S F O R
For individual certificates, the CA or external RA verifies the iden- S U B S C R I B E R A U T H E N T I C AT I O N
tity of the individual whose name is to be included in the subject Since the use of SSL certificates became prevalent in the mid-1990s,
distinguished name field of the certificate. An unauthenticated until recently major public CAs have substantially followed similar
individual name shall not be included in the subject distinguished standards for subscriber identification and authentication. At the core
name. of this standard I&A process are three basic checks:
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
For organizational certificates (including server, network resource, · Organization's right to use the domain name (domain name regis-
code signing, etc.), the CA or external RA verifies the legal exis- tration)
tence of the organization's name to be included in the organiza- · Legal existence of the organization
tion attribute in the subject distinguished name field of the · The requester's association with the organization and authority to
certificate. An unauthenticated organization name shall not be request a certificate.
included in a certificate.
For organizational certificates containing a domain name, the CA As a result, the following assurances are asserted:
or external RA [also] verifies the organization's ownership of or · The organization's right to use the domain name that is included in
right to use the domain name included in the common name the certificate
attribute of the subject distinguished name field of the certificate. · The legal existence (i.e., formal approval by a government body) of
An unauthenticated domain name shall not be included in a cer- the organization named in the certificate
tificate. · The fact that the requester is associated with the organization and
· The CA verifies or requires that the external RA verify the authority is authorized to request a certificate on behalf of the organization.
of the entity requesting a certificate in accordance with the CA's
CPS and the applicable certificate policy. While different CAs have differing procedures for issuing server cer-
For individual certificates, the CA or external RA verifies the tificates, they generally perform the three basic checks specified
authority of the certificate applicant to obtain a certificate in above and their server certificates generally provide a similar level or
accordance with the CA's CPS. degree of assurance.8 The following table summarizes each compo-
For organizational certificates, the CA or external RA verifies the nent, its significance, and the risks associated with non-performance.
authority of the requesting individual to request a certificate on
behalf of the organization in accordance with the CA's CPS.
,
T R U S T O N T H E I N T E R N E T 7
REQUIREMENTS FOR
S U B S C R I B E R AUT H E N T I C AT I O N
Component Description What Is Verified? Significance Risks/Threats
Domain Name Check The certificate applicant The organization name When coupled with the Without this step, an
(i.e., requesting organiza- in the certificate signing "authentication of organi- organization could poten-
tion) has the right to use request (CSR) must zation" step, the organ- tially obtain a certificate
the domain name. match the registrant ization applying for a for another organization's
name per the domain certificate has the legal domain.
registration. right to use the domain
to which the certificate
is being issued. This
prevents an entity from
obtaining a certificate
that associates an organi-
zation with a domain that
it is not legally authorized
to use.
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
Authentication of The requesting organiza- The certificate applicant This confirms that: A certificate could be
Organization tion has the legal right is an organization that is: · The organization issued to an organization
to use the organization · Registered with the enrolling for the certifi- that does not exist, and
name listed in the sub- appropriate government cate exists. the certificate could be
ject distinguished name entity based on the · The organization enroll- used to mislead relying
field of the certificate. type and location of the ing for the certificate is parties. The wrongly
organization. still in business (i.e., is issued certificate could
· An active organization. currently operating). be used by the request-
· Based in the location ing entity to masquerade
(e.g., city, state, coun- as an existing organ-
try) included in the ization.
certificate.
Authorization of The certificate request The certificate request This ensures that the A certificate could be
Requester is made by an authorized must be authorized by an certificate was in fact issued and provided to
representative of the employee of the authenti- requested by someone an individual who is not
organization. cated organization (i.e., within the organization authorized to request
the corporate contact). who is authorized to do a certificate. The certifi-
so. The purpose of this cate could be used for
step is to confirm: malicious purposes.
· The corporate contact
works for the organi-
zation.
· The technical contact
(i.e., requester) is
authorized to receive
the certificate.
,
· The corporate contact
is aware and approves
of the certificate
request.
T R U S T O N T H E I N T E R N E T 8
REQUIREMENTS FOR
S U B S C R I B E R AUT H E N T I C AT I O N
LEGAL PERSPECTIVE not be cost effective in light of a relatively modest risk of
From a legal perspective, authentication of the organization is equally fraud. With respect to higher assurance certificates, how-
as important. As stated in the American Bar Association (ABA) ever, assessors will want to determine whether validation
Information Security Committee's PKI Assessment Guidelines: procedures meet both purposes.
Validation of Organization Identity 9
PKIs may use a number of ways to identify an organization
To the extent the public key of a device or application is certi- listed in a certificate application, an organization controlling a
fied, procedures in [the CP or CPS] would also include valida- device or application, or an organization applying to become a
tion of the identity of the organization controlling the device CA, RA, or another kind of PKI participant. The methods for val-
or application. idation of the identity of an organization are necessarily differ-
ent from those used to validate the identity of individuals.
The validation of organization identity generally has two pur- Examples of validation methods include, but are not limited to:
poses. First, the CA or RA performing the validation must be · Comparing information in a certificate application or other
sure that the name in the certificate application, or other application to documentation and/or certifications evidenc-
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
application, corresponds to an organization in the real world. ing valid formation and/or recognition (as a corporation,
In other words, does the organization really exist? Validation partnership, nonprofit organization, etc.) in a particular
procedures seek to prevent fraudulent applications submit- jurisdiction.
ted on behalf of non-existent organizations. Second, assum- · Comparing information in a certificate application or other
ing that the application refers to a real organization, a CA's or application with information available from third-party
RA's validation procedures must ensure that the people pre- sources to confirm that the organization named in the
senting a public key for certification, controlling a device that application does in fact exist.
does so, or applying on behalf of an organization wishing to · CA or RA personnel initiating an investigation of the
become a CA or RA actually represent the organization and organization, for example through face-to-face discussions
are authorized to submit the certificate or other kind of appli- with organizational representatives or visits to the organi-
cation. In other words, is the application in fact originating zation's site.
from and authorized by the organization named in the appli- · Communications with personnel at the organization who
cation? Validation procedures, in this case, attempt to pre- are able to corroborate the organization's identity and the
vent fraud based on the impersonation of another fact that the organization or one of its representatives has
organization. in fact submitted a certificate application or application to
become a CA or RA.
Assessors should determine, based on the assurances pro-
vided by the certificates issued within a PKI, whether both
of these purposes must be met by the PKI's validation pro-
cedures. For lower assurance certificates, the expenditures
involved with accomplishing both of these purposes may
,
T R U S T O N T H E I N T E R N E T 9
REQUIREMENTS FOR RISKS OF INSUFFICIENT
S U B S C R I B E R AUT H E N T I C AT I O N S U B S C R I B E R AUT H E N T I C AT I O N
The need for rigor in validation procedures will vary from PKI The use of high-assurance SSL certificates is very important for elec-
to PKI. A PKI should use validation procedures commensu- tronic commerce in an online environment. This section describes
rate with the level of assurances purportedly offered by the some of the related threats stemming from using lower-assurance
certificates. Determining which procedures are appropriate SSL certificates. In all of these scenarios, the failure of a CA to per-
will depend on the risk, sensitivity, and consequence of the form any of the three basis checks (domain name check, authentica-
transactions, communications, or other applications sup- tion of organization, and authorization of requester) may result in the
ported by the certificate. Validation procedures should be suf- loss of customer confidence; bad public relations through diminished
ficiently robust to match the level of assurances provided by trust in PKI, SSL, and the ubiquitous lock icon used by common
the certificates and the business needs underlying the PKI. browser software; and potential legal action.
Non-Verified Subscriber Information10 SCENARIO 1:
Certificates issued to corporate representatives for business No authentication of the
conducted on behalf of the corporation may provide insuffi- organization by the CA
cient assurances if the corporate affiliation listed in the certifi- Suppose ABC Global Bank registers a domain, www.abcbank.com,
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
cate application is not checked by the CA or RA. and implements a legitimate online banking Web site using an SSL
certificate. This certificate includes the following in the subject distin-
If certificates purportedly support e-commerce activities by guished name:
corporate representatives, a certificate is unlikely to provide
sufficient assurances if corporate affiliation is non-verified Organization (O) = ABC Global Bank
subscriber information. Determining which information Common name (CN) = abcbank.com
should be validated will depend on the risk, sensitivity, and
consequence of the transactions, communications, or other Now suppose that "Bad Bob" registers www.abcbankonline.com,
applications supported by the certificate. PKIs should mimics ABC Global Bank's site, obtains an unauthenticated SSL cer-
ensure that enough information is validated and critical infor- tificate, and lures unsuspecting customers to his site. Bad Bob's
mation is not placed within the non-verified category to certificate includes one of the sets of values described in the follow-
match the level of assurances provided by the certificates ing table in the subject distinguished name. None of these values con-
and the business needs underlying the PKI. tains an authenticated organization name.
The ABA's PKI Assessment Guidelines support the concept of assur-
ance levels for certificates, the need to perform subscriber authenti-
cation procedures commensurate with the assurance level of the
certificate, and the need for relying parties to assess the appropriate-
ness of a certificate for a particular use. For high-assurance certifi-
cates, robust authentication procedures are necessary to mitigate the
risk of fraud.
,
T R U S T O N T H E I N T E R N E T 1 0
RISKS OF INSUFFICIENT
S U B S C R I B E R AUT H E N T I C AT I O N
Option 1 Option 2 Option 3 Option 4
Organization (O) = ABC Global Bank abcbankonline.com abcbankonline.com
Common Name (CN) = abcbankonline.com abcbankonline.com abcbankonline.com abcbankonline.com
Disclaimer 11 Organization not Organization not
authenticated authenticated
When a customer visits Bad Bob's site, he has no easy way to know SCENARIO 2:
the site is not legitimate. If he sees the lock icon, he will get a false No check of the applicant's right
sense of security. He will likely think that he is at ABC Global Bank's to use the domain name by the CA
Web site, but really is connecting to Bad Bob's counterfeit site. Seeing Suppose Bad Bob registers a domain (abcbankonline.com) to a nonex-
the lock icon on an information submission page will make the user istent entity (Internet Bank Corp.). He then requests an SSL certificate
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
more likely to enter his user ID and password, account information, or with the organization name ABC Global Bank and the common name
other personal information. Alternatively, Bad Bob might capture the abcbankonline.com. If the CA does not verify ABC Global Bank's right
user ID and password, divert the user to the legitimate site, and auto- to use the domain name abcbankonline.com, a malicious individual
matically resubmit the user ID and password to the valid site--all could obtain an SSL certificate for a counterfeit site but include
without the knowledge of the unsuspecting customer. another organization's real organization name in the certificate.
Perhaps the customer will look at the SSL certificate and see an "orga- This would enable a malicious individual who established a counterfeit
nization not authenticated" disclaimer or see that ABC Global Bank site (abcbankonline.com) to install an SSL certificate on information
was not named in the certificate, but this assumes that the user will entry pages and include the real organization's name (ABC Global
take these additional steps before entering his user ID and password. Bank) in the certificate. As a result, if a user were to examine the cer-
tificate to authenticate the organization, he could falsely believe that
This scenario is equally applicable to an online retail site, online med- this was ABC Global Bank's Web site.
ical records site, tax return filing site, etc. In any of these cases, hav-
ing an unauthenticated SSL certificate could enable a malicious Alternatively, Bad Bob might register a domain (abcinvestments.com)
individual to enhance the appearance of legitimacy for his counterfeit and request an SSL certificate that includes the organization name
site and facilitate the capture of personal or sensitive information. ABC Global Bank. Bad Bob then publicizes ABC Investments as a sub-
sidiary of ABC Global Bank, establishes a fraudulent Web site, and
Requiring authentication of the organization guards against the possibil- uses the lock icon and ABC Global Bank SSL certificate to deceive
ity that a malicious individual or entity can obtain a certificate containing users into providing personal and financial information.
another organization's name. Including an authenticated organization
name in the SSL certificate provides assurance to users that the orga- The purpose of a certificate is to bind a user's identity and other
,
nization that implemented the certificate on its Web site exists. information to a public key. If the correctness of that information is not
verified, the trustworthiness of legitimate certificates is diminished.
T R U S T O N T H E I N T E R N E T 1 1
RISKS OF INSUFFICIENT R E LY I N G PA RT Y C O N T RO L
S U B S C R I B E R AUT H E N T I C AT I O N C O N S I D E R AT I O N S
SCENARIO 3: In addition to the functions that must be employed by the CA, there
No check of organization's are several requirements that are the responsibility of the Internet
existence by the CA user and impact his browser software. These include consideration of:
Suppose Bad Bob registers a domain for Internet Bank Corp. (which · The appropriateness of a specific certificate for a particular applica-
does not exist), perhaps using a stolen credit card as the method of tion or transaction
payment. Bad Bob creates a Web site and obtains an unauthenticated · Trusted Root CAs whose certificates are pre-installed in browser
SSL certificate. When a customer visits the site, he will see the software
browser's lock icon and think that his information will be secure. · Subordinate CAs (Sub-CAs) that are automatically trusted if they
Having an SSL certificate helps Bad Bob give the appearance of legit- chain to a trusted Root CA
imacy to his Web site. If Bad Bob offers higher than average interest · Browser security settings related to checking certificate status
rates on deposits or attractive financing, he may be able to entice · The use of "shared SSL by Web sites implemented in a shared
"
users into providing personal information. hosting environment.
Requiring verification of the organization's existence guards against A P P R O P R I AT E N E S S F O R U S E
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
the possibility of an individual pretending to be an organization. One of the core assumptions of PKI implementations is that relying
parties (i.e., Internet users) are expected to assess the appropriate-
SCENARIO 4: ness of a particular type or class of certificate relative to its intended
No check of the applicant's use. Certificate policies, certification practice statements, subscriber
authority to request a certificate agreements, relying party agreements, and PKI disclosure statements
for the organization by the CA are the vehicles to convey this responsibility.
Bad Bob requests an SSL certificate for ABC Global Bank for use with
a certain ABC Global Bank domain, even though he is not an autho- In closed communities (such as an internal corporate PKI) or in a
rized agent for ABC Global Bank. If the CA does not verify Bad Bob's membership community (e.g., the Identrus PKI hierarchy) there is typ-
authority to request an SSL certificate, a certificate could be inadver- ically a policy management authority (PMA) that specifies the trust
tently issued. Bad Bob might set up a Web server that mimics the requirements for the community. The PMA is obligated to understand
ABC Global Bank Web site. On his Web server, Bad Bob might install and specify the intended and acceptable uses for certificates within
the SSL certificate giving the appearance (through display of the lock the community.
icon) to unsuspecting users that they are dealing with ABC Global
Bank and that their information will be secure. Furthermore, if certifi- However, this poses a problem in an open PKI environment such as the
cates can be issued to unauthorized parties, the trustworthiness of Internet, where there is no designated PMA. As a result, it is necessary
legitimate certificates is diminished. for participating CAs to implement policies and practices that meet the
needs of the user community and meet or exceed industry norms.
Requiring verification of the certificate applicant's authority to request
a certificate (e.g., employment with the organization named in the cer-
tificate) guards against the threat of issuing a certificate to a malicious
,
individual who is not associated with the organization.
T R U S T O N T H E I N T E R N E T 1 2
R E LY I N G PA RT Y C O N T RO L
C O N S I D E R AT I O N S
In this open environment, it is unreasonable to expect each user to Windows Update function. Other browser providers such as
assess the appropriateness of a particular certificate for use, the Netscape and AOL have not formally established a similar require-
appropriateness of a particular certificate policy, or the trustworthi- ment. However, this requirement alone is not a complete solution.
ness of a CA without appropriate user education and user-friendly
tools for doing so. It is incumbent on CAs and other technology For example, a new CA is free to contract with another CA who has
providers (i.e., browser providers) to provide user-friendly automated one or more trusted roots in browser software to have its Sub-CA
mechanisms for users to determine whether or not they should certificate signed by the trusted Root CA, enabling certificates issued
rely on a specific certificate. Interested parties (including browser by the Sub-CA to chain to the Root CA and therefore automatically be
providers, audit standards organizations, industry bodies, and users) trusted by end users. In this scenario, the Root CA generally should
should act to define standards, where necessary, to preserve the have a CP that specifies required baseline policies and practices for
trustworthiness of the community. Sub-CAs. The Sub-CA also should have a CPS that defines its prac-
tices. The Root CA should also have a process to verify that the
R O OT C A A N D S U B O R D I N AT E C A Sub-CA's CPS complies with the Root CA's CP (e.g., through an
TRUST ISSUES assessment of the Sub-CA's practices prior to signing the Sub-CA's
© 2002 KPMG LLP the U.S. member firm of KPMG International, a Swiss nonoperating association. All rights reserved. 02-07-22
In the current Internet model, some Root CA certificates are pre- certificate and periodic audits of the Sub-CA's compliance with its CP
installed in browser software. Users' browsers automatically trust and CPS). In addition, the Sub-CA should be a