Man
The CA/Browser Forum introduces new requirements for Internet security.
The CA/Browser Forum has updated its Baseline Requirements for publicly trusted TLS certificates: new obligations for certificate authorities (CAs) and their auditors, and rules for issuing certificates for .onion names. The changes aim to strengthen control, transparency, and security in the Web PKI.
Certification Authority Obligations and Audits
According to the new requirements, each CA is obliged to:
- Meet current requirements and be audited within the specified timeframe.
- Obtain a license in each jurisdiction where it is required by law.
- Enforce the Certificate Policy (CP) and Certification Practice Statement (CPS).
Any CA certificate capable of issuing further certificates must either be technically constrained (sections 7.1.2.3 through 7.1.2.5) or fall within the full audit scope. The time during which a CA issues certificates must be covered by an unbroken sequence of audit periods, none longer than one year. A CA without a currently valid audit report must pass a point-in-time readiness assessment before issuing publicly trusted certificates, and then complete a full audit within 90 days of the first issuance.
Audit and qualification of auditors
The audit should be performed by a qualified auditor with the following competencies:
- Independence from the audited entity.
- Expertise in PKI technology, information security, and IT security auditing.
- Licensed by WebTrust, or accredited under ISO 17065 to the requirements of ETSI EN 319 403-1.
- Professional liability (errors and omissions) insurance with coverage of at least US$1 million.
The CA may choose from the following audit schemes:
- WebTrust for Certification Authorities, SSL Baseline with Network Security (v2.7 or newer).
- ETSI EN 319 411-1.
- For a Government CA whose Certificate Policy requires it, an internal audit scheme, provided it covers all requirements of one of the schemes above or uses comparable criteria.
The audit report must name the audited organization and the audit firm, identify every CA certificate in scope (by SHA-256 fingerprint), state the audit criteria and the audit period, and be published within three months after the end of the audit period. If publication is delayed beyond three months, the CA must publish an explanatory letter signed by the qualified auditor.
Between audits, a CA must perform self-audits at least quarterly on a random sample of the greater of one certificate or 3% of the certificates issued since the previous sample. From March 15, 2025, the sampled certificates must be run through a linting process to check their technical correctness. The CA must apply the same quarterly sampling to certificates verified by a Delegated Third Party, unless that party itself undergoes an annual audit meeting the Forum's criteria.
Certificates for .onion domains
Under the new requirements (Appendix B of the Baseline Requirements), a .onion name in a certificate must have at least two labels: the right-most label must be "onion", and the label immediately before it must be a valid version 3 onion address as defined in section 6 of the Tor Rendezvous Specification v3.
CAs must verify the applicant's control over the .onion name using one of the following methods:
- Agreed-Upon Change to Website v2 (section 3.2.2.4.18) or Agreed-Upon Change to Website - ACME (section 3.2.2.4.19).
- TLS Using ALPN (section 3.2.2.4.20).
For these methods the CA must connect to the onion service directly over the Tor network, not through a clearnet gateway such as Tor2Web. Alternatively, the applicant can prove control by submitting a certificate signing request (CSR) signed with the onion service's private key. The CSR carries two nonces with at least 64 bits of entropy each, a caSigningNonce supplied by the CA and an applicantSigningNonce chosen by the applicant, and the CA verifies the CSR signature with the public key that a version 3 onion address encodes.
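As an added example (not part of the original post or of any CA/Browser Forum material), the following Python implements the two checks a CA has to make on a requested .onion name: the name shape required by Appendix B (at least two labels, right-most "onion", a version 3 address just before it, so `www.<address>.onion` is fine) and the version 3 address format from section 6 of the Tor Rendezvous Specification v3. A v3 address is base32(PUBKEY || CHECKSUM || VERSION), where PUBKEY is the service's 32-byte Ed25519 public key, VERSION is 0x03 and CHECKSUM is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION). Decoding the address therefore also yields the key needed to verify a CSR signed by the onion service under the nonce-based method. The 32-byte key in the demo is a constructed placeholder, not a real service key; verifying an actual Ed25519 CSR signature needs a library such as `cryptography` and is outside this snippet.

```python
import base64
import binascii
import hashlib

ONION_VERSION = b"\x03"   # v3 addresses end with the version byte 0x03
ONION_ADDR_LEN = 56       # base32 of 32-byte key + 2-byte checksum + 1-byte version


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (rend-spec-v3, section 6)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def make_onion_address(pubkey: bytes) -> str:
    """Build the 56-character v3 onion address (without '.onion') for a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower()


def decode_onion_address(label: str) -> bytes:
    """Return the Ed25519 public key encoded in a v3 onion address label, or raise ValueError."""
    if len(label) != ONION_ADDR_LEN:
        raise ValueError("v3 onion address must be exactly 56 base32 characters")
    try:
        raw = base64.b32decode(label.upper())   # 56 chars * 5 bits = 35 bytes, no padding needed
    except binascii.Error as exc:
        raise ValueError(f"not valid base32: {exc}") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("not a version 3 onion address")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch (typo or corrupted address)")
    return pubkey


def onion_service_key_for_name(fqdn: str) -> bytes:
    """
    Apply the Appendix B shape rule to a requested dNSName: at least two non-empty labels,
    right-most label 'onion', the label before it a valid v3 address. Returns the Ed25519
    public key a CA would use to verify a CSR signed by the onion service.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        raise ValueError("name must have at least two non-empty labels")
    if labels[-1] != "onion":
        raise ValueError("right-most label must be 'onion'")
    return decode_onion_address(labels[-2])


def is_acceptable_onion_name(fqdn: str) -> bool:
    """Boolean wrapper for use in an issuance pipeline: True only if the name passes every check."""
    try:
        onion_service_key_for_name(fqdn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed placeholder key, not a real onion service key.
    demo_key = bytes(range(32))
    addr = make_onion_address(demo_key)
    print("constructed address:", addr + ".onion")
    print("key recovered from name:", onion_service_key_for_name("www." + addr + ".onion").hex())
    for name in ("example.onion", "onion", addr, addr[:52] + "x" + addr[53:] + ".onion"):
        print(f"{name!r:>70} accepted={is_acceptable_onion_name(name)}")
```

The checksum check is what makes the address rule useful in practice: a single mistyped character in a requested name is rejected before the CA ever opens a Tor connection or examines a CSR, and the recovered key is bound to the name by construction rather than by anything the applicant asserts.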
Wildcard certificates for .onion names are not permitted unless the separate .onion procedures in the rules provide for them. The Forum also clarifies that .onion names meeting the new requirements are not treated as Internal Names. The change aims to increase trust in, and the security of, TLS for Tor onion services.
Legal and financial obligations
The CA remains fully responsible for meeting all requirements, including those it has delegated to third parties. In the event of breaches, the CA is liable to relying parties and must indemnify the application software suppliers that trust its certificates.
Each CA must operate in accordance with the law of every jurisdiction in which it operates. Where a law conflicts with the requirements, any deviation must be the minimum necessary and may last only until the conflict is resolved.
Requirements Updates and Compliance
In the event of a conflict between local law and the Baseline Requirements, a CA may modify the conflicting requirement to the minimum extent necessary to comply with the law. Before issuing under the modified requirement it must document the law and the modification in section 9.16.3 of its CPS and notify the CA/Browser Forum (by mail to questions@cabforum.org); notification is required, not Forum approval.
Once the law no longer applies, or the requirements are changed so that both can be met, the modified practice must be discontinued and the CPS updated within 90 days.
The changes are aimed at improving the security and transparency of the public key infrastructure and ensuring trust in certificate authorities, especially in the context of issuing certificates for .onion domains.
Source