Ensuring that Certification Authorities (CAs) and other trust service providers operate securely and follow current best practice is essential to the security of modern electronic services.
The European Telecommunications Standards Institute (ETSI), working with the international CA and web browser community, and in line with the emerging European regulatory environment for trust and confidence in electronic transactions, has recently issued a number of standards (follow the link and search for Trust Service Provider) for assuring the secure operation of trust service providers that support the security of electronic transactions.
Continue reading "Harmonising European Audit Standards for Certification Authorities" »
Weaknesses in the SSL protocol (the protocol for encrypting information over the internet), or in the public certificate authority (CA) ecosystem that underpins it, have received a lot of coverage recently, and the last couple of weeks have been no exception. The pervasive nature of SSL and its unique role in securing e-commerce and numerous cloud services make SSL attractive to security researchers and attackers alike. However, many of the lessons learnt are in no way specific to SSL and must be applied to other Public Key Infrastructure (PKI) and encryption deployments if we're to avoid handing potential attackers a skeleton key to our sensitive data or critical infrastructure:
- Recent research by École Polytechnique Fédérale de Lausanne has reminded us that, for encryption or digital signatures to be effective, keys must have a strong provenance as well as strong protection for their entire lifecycle. Keys generated in software without a good source of entropy (randomness) can be easy to crack and so are vulnerable to attack.
Continue reading "No skeleton key – protecting your organisation on the web" »