CA/Browser Forum Introduces New Requirements for Internet Security

The CA/Browser Forum has updated its requirements for certificate authorities (CAs) and auditing processes, and introduced rules for issuing certificates for .onion domains. The changes are aimed at strengthening the control, transparency, and security of the public key infrastructure (PKI).

CA Obligations and Auditing

Under the updated requirements, each CA must:

Comply with the current requirements and complete its audits within the specified time frames.
Hold a license in every jurisdiction where the law requires one.
Operate in accordance with its Certificate Policy (CP) and Certification Practice Statement (CPS).
Ensure that any subordinate CA certificate it issues (a certificate that can itself be used to issue certificates) is either technically constrained, as set out in sections 7.1.2.3–7.1.2.5 of the requirements, or covered by a full audit. Every period during which the CA issues certificates must be covered by an audit, performed at least once a year. A CA that has no current audit report must complete a point-in-time readiness assessment before it issues certificates.

Audit and auditor qualifications

Audits must be performed by a qualified auditor, meaning one that:

Is independent of the entity being audited.
Is competent in PKI analysis, information security and the applicable certification standards.
Is licensed by WebTrust, or accredited under ISO 17065 to perform ETSI audits.
Carries professional liability insurance with a limit of at least USD 1 million.
A CA may be audited under one of the following schemes:

WebTrust (e.g. version 2.7 or later).
ETSI (e.g. EN 319 411-1).
An internal audit scheme, provided it meets or is comparable to the accepted standards.
The audit report must identify the audited organization, the CA certificates in scope, and the criteria applied, and it must be published within three months of the end of the audit period. If publication is delayed, the CA must instead publish an explanatory letter signed by the auditor.

CAs must also perform self-audits at least quarterly on a random sample of the certificates they have issued. From March 15, 2025, these samples must be run through a linting process that checks each certificate for technical conformance to the required profile. Delegated third parties are subject to the same checks and must likewise be audited annually.

Certificates for .onion domains

Under the new requirements, a certificate for a .onion domain may only be issued for a name of exactly two labels: "onion" and, to its left, a version 3 onion address as defined by the Tor specification.

Before issuing, the CA must verify the applicant's control of the .onion domain using one of the following methods:

An agreed-upon change to the website served by the hidden service (sections 3.2.2.4.18 and 3.2.2.4.19).
TLS using ALPN (section 3.2.2.4.20).
For these methods the CA must reach the hidden service directly over the Tor protocol, not through a gateway such as Tor2Web. The third option is a certificate request signed with the hidden service's private key; the request carries high-entropy nonce values that tie the signature to this specific request, and the CA checks the signature against the public key embedded in the onion address.

Wildcard certificates for .onion domains are not permitted unless the rules specifically allow them. The requirements also make clear that a .onion domain meeting these rules is not classed as an Internal Name (for which publicly trusted certificates cannot be issued). The change is intended to increase trust and improve security in the Tor ecosystem.
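The name rules above (exactly two labels, a version 3 address, no wildcard) can be checked before any control validation starts. The following is an added example written for this summary, not code from the CA/Browser Forum or from any CA; it implements the Tor v3 address encoding (32-byte ed25519 public key, 2-byte SHA3-256 checksum, version byte 3, base32) with only the Python standard library. The sample key and the rejected names in the block are constructed for illustration; the two-label rule is taken from the summary as written.

```python
import base64
import hashlib
import re

# Tor v3 onion service address format (Tor rend-spec-v3):
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
# PUBKEY is the service's 32-byte ed25519 public key and VERSION is the byte 0x03,
# so the label is always 35 bytes -> 56 unpadded lowercase base32 characters.
ONION_V3_VERSION = 3
ONION_V3_PUBKEY_LEN = 32
ONION_V3_LABEL_RE = re.compile(r"^[a-z2-7]{56}$")
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey: bytes, version: int = ONION_V3_VERSION) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the 56-character v3 label for an ed25519 public key. A CA only ever
    decodes what an applicant requests; this encoder is here to construct test names."""
    if len(pubkey) != ONION_V3_PUBKEY_LEN:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower()


def decode_onion_v3_label(label: str) -> bytes:
    """Return the embedded ed25519 public key if `label` is a well-formed v3
    address; otherwise raise ValueError with the reason."""
    if not ONION_V3_LABEL_RE.fullmatch(label):
        raise ValueError("label is not 56 lowercase base32 characters")
    raw = base64.b32decode(label.upper())   # 56 chars decode to exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion address version {version}")
    if checksum != onion_v3_checksum(pubkey, version):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def check_onion_domain_name(name: str) -> bytes:
    """Apply the naming rules from the summary to a requested FQDN: exactly two
    labels, the right-hand one 'onion', the left-hand one a valid v3 address,
    and no wildcard. Returns the service public key (the key a CSR-based control
    check would verify against) or raises ValueError."""
    labels = name.strip().lower().rstrip(".").split(".")
    if "*" in name:
        raise ValueError("wildcard .onion names are refused by default")
    if len(labels) != 2 or labels[1] != "onion":
        raise ValueError("expected exactly two labels: <v3-address>.onion")
    return decode_onion_v3_label(labels[0])


def is_issuable_onion_name(name: str) -> bool:
    """Boolean wrapper for batch checks, e.g. over every SAN in a request."""
    try:
        check_onion_domain_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key: 32 arbitrary bytes standing in for a real ed25519 key.
    sample_pubkey = bytes(range(32))
    good = encode_onion_v3(sample_pubkey) + ".onion"
    for candidate in (good, "www." + good, "*." + good,
                      "abcdefghijklmnop.onion",   # constructed 16-char v2-style label
                      "example.com"):
        verdict = "ok" if is_issuable_onion_name(candidate) else "rejected"
        print(f"{candidate}: {verdict}")
```

The checksum and version checks matter in practice: a typo in a requested name is far more likely to fail the checksum than to land on another valid address, so rejecting it up front avoids running an expensive Tor-side validation against a name that cannot correspond to any service.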

Legal and Financial Obligations

A CA bears sole responsibility for meeting its obligations and complying with all of the requirements, including those it delegates to third parties. A CA must indemnify subscribers, relying parties and application software suppliers (such as browser vendors) for losses caused by its violations.

Each CA must comply with the law of every jurisdiction in which it operates. Where local law conflicts with the CA/Browser Forum requirements, the CA may modify its policy, but only as far as necessary to resolve the conflict and only until the inconsistency is removed. Any such modification must be publicly documented and submitted to the CA/Browser Forum, and the CA must update its policies within 90 days of any change in the relevant law or regulations.

The changes are intended to improve the security and transparency of the public key infrastructure and ensure trust in CAs, especially in the context of issuing certificates for .onion domains.

Source: https://github.com/cabforum/servercert/b...p-profiles