CASC member Dean Coclin's presentation at Symantec's Transact conference 2016 on the CA/B Forum, the problem with SHA-1, and future solutions to the problem.
Payments Security – Vital Information all Payment Processors need to know
1. Payments Security – Vital Information all Payment Processors need to know
Dean Coclin
Sr. Director of Business Development
Chair CA/Browser Forum
2. Agenda
1. The CA/Browser Forum and its role in the ecosystem
2. Publicly trusted certificates in payment terminals
3. SHA-1 deprecation
4. Solutions for the payment industry
3. Agenda Highlight: 1. The CA/Browser Forum and its role in the ecosystem
4. Who is the CA/B Forum?
The Certification Authority Browser Forum
(CA/Browser Forum) is a voluntary organization of
leading certification authorities (CAs) and vendors of
Internet browser software and other applications.
http://www.cabforum.org
5. CA/B Forum: A Brief History (timeline 2006 to 2015)
• CABF starts as a loose association of CAs and browsers to draft guidelines for EV SSL Certificates
• Membership expands globally, currently 52 CAs and 6 browsers
• EV Guidelines generated and approved
• Baseline Requirements formulated and passed
• Network Security document created and finalized
• All publicly trusted CAs, whether members of CABF or not, must adhere to guidelines!
7. Roles of parties in the CA ecosystem
(Diagram of the CA ecosystem; labels: Server, Auditors, Browsers, Root Certificates)
8. CA/B Forum Facts and Misconceptions
• Rules are codified in “Baseline Requirements” documents
• The Forum cannot grant “exceptions” to its rules
• All rules are made by ballot
• Browsers and CAs have separate voting groups:
– 2/3 of CAs must approve + Majority of Browsers must approve
• All meeting minutes, mailing lists are public
• The Chair does not have the authority to waive any requirements
9. Agenda Highlight: 2. Publicly trusted certificates in payment terminals
10. Payment Terminals are all over the map
• Many different terminals…
– Manufacturers
– Software versions
– ROMs
• …which trust various root certificates…
– SHA-1
– SHA-2
– Many only trust Verisign roots
• …causing difficulty in determining which terminals work with SHA-2
12. Agenda Highlight: 3. SHA-1 deprecation
16. Agenda Highlight: 4. Solutions for the payment industry
17. SHA-1 certificates for the payment industry
• In order to continue issuing SHA-1 certificates (for non-browser users), some CAs have removed roots from public (browser/OS) trust stores
• These roots had excellent ubiquity and are likely present in many payment terminals
• Because they are no longer trusted by browsers/OSes, CA/B Forum rules (the Baseline Requirements) do not apply to certificates issued under them
18. Private CA with retired root
• A cross-intermediate CA for the Private CA
– Private SSL certificates can chain up to a retired root via a cross cert
• Customers don’t need to distribute the Private root to clients
• This solution works only for non-browser applications
(Diagram: the Server presents the E/E cert, the ICA cert and the cross cert; the chain validates on non-browser clients such as POS terminals and set-top boxes, and on browsers* only if the Private root has been pre-installed)
19. SHA-2 certificate from SHA-1 intermediate
• Issue a SHA-2 certificate from a known SHA-1 intermediate
• Some payment terminals seem to work with this method
• Terminals were found to check for a “hard coded” name in the intermediate certificate (which was “Verisign”)
• Use an old Verisign SHA-1 intermediate to issue the SHA-2 certificate
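Both workarounds above (the cross-certified Private CA of slide 18 and the SHA-2 leaf under a SHA-1 intermediate of slide 19) succeed or fail on what a terminal actually checks: which root it has on board, whether an issuer name is hard-coded, and whether it objects to a SHA-1 signature on any link, which is also slide 10's question of which terminals work with SHA-2. The following is an added example, not code from the presentation or from Symantec: a standard-library-only Python inspector that reads a PEM chain, reports the signature digest on each link, and applies those three checks under a hypothetical terminal profile. The certificate names, the terminal profiles and the sample chain are invented here, and the sample certificates are built with a placeholder signature field, so only their metadata is meaningful; the parser itself works on a real PEM bundle exported from a terminal or server.

```python
"""Chain inspector for payment-terminal trust questions (added example).
Reads a PEM chain, reports the signature digest on each link, and emulates a
legacy terminal's acceptance rules. Names and profiles are hypothetical; the
sample certificates below are constructed with placeholder signatures."""
import base64
import re

SIG_OIDS = {                                    # signatureAlgorithm OIDs seen in practice
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# ---- minimal DER helpers: enough for the outer Certificate structure ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def children(content):
    """Split the body of a DER SEQUENCE/SET into (tag, value) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def common_name(name_body):
    for _, rdn in children(name_body):           # RDN = SET of AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if decode_oid(oid) == "2.5.4.3":     # id-at-commonName
                return value.decode("utf-8", "replace")
    return ""

def parse_cert(cert_der):
    (_, tbs), (_, sig_alg), _ = children(children(cert_der)[0][1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    oid = decode_oid(children(sig_alg)[0][1])
    return {"subject": common_name(fields[4][1]), "issuer": common_name(fields[2][1]),
            "sig_alg": SIG_OIDS.get(oid, oid)}

def load_pem_chain(pem_text):
    """Parse every CERTIFICATE block of a PEM bundle (leaf first, as a server sends it)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [parse_cert(base64.b64decode("".join(b.split()))) for b in blocks]

def terminal_accepts(chain, trusted_root_cns, required_issuer_text=None, sha1_links_ok=True):
    """Simplified model of a terminal's checks: each link's issuer matches the next
    subject, the top issuer is in its store (matched by CN here; real firmware
    matches the root key), an optional hard-coded issuer name is present, and
    optionally no link is SHA-1 signed. Returns (accepted, reason)."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False, "broken link at %s" % cert["subject"]
    if chain[-1]["issuer"] not in trusted_root_cns:
        return False, "root %r not in terminal trust store" % chain[-1]["issuer"]
    if required_issuer_text and required_issuer_text not in chain[0]["issuer"]:
        return False, "hard-coded issuer name %r not found" % required_issuer_text
    if not sha1_links_ok and any("sha1" in c["sig_alg"].lower() for c in chain):
        return False, "SHA-1 signature in chain"
    return True, "ok"

def fake_cert(subject_cn, issuer_cn, sig_oid):
    """Constructed test certificate: correct DER layout, placeholder signature (not verifiable)."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, cn.encode()))))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"261231235959Z")) + name(subject_cn)
              + der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def to_pem(cert_der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert_der).decode()

# Slide 19 pattern with invented names: a SHA-256 leaf under a SHA-1-signed
# intermediate that chains to a retired root still on board many terminals.
SAMPLE_CHAIN_PEM = (to_pem(fake_cert("pos.example.net", "Legacy Payments CA", "1.2.840.113549.1.1.11"))
                    + to_pem(fake_cert("Legacy Payments CA", "Retired Root", "1.2.840.113549.1.1.5")))

if __name__ == "__main__":
    chain = load_pem_chain(SAMPLE_CHAIN_PEM)
    for c in chain:
        print("%-20s issued by %-20s signed with %s" % (c["subject"], c["issuer"], c["sig_alg"]))
    print(terminal_accepts(chain, {"Retired Root"}, required_issuer_text="Payments"))
    print(terminal_accepts(chain, {"Modern Root 2016"}))              # terminal without the retired root
    print(terminal_accepts(chain, {"Retired Root"}, sha1_links_ok=False))  # terminal that rejects SHA-1 links
```

To apply this to the slide 18 layout, feed the bundle the server presents (E/E cert, ICA cert, cross cert) to load_pem_chain and put the retired root's name in the profile's store; the chain is accepted for exactly the same reason, and a browser profile whose store lacks both the retired and the Private root rejects it. The inspector only reads metadata; confirming that each signature actually verifies still requires a real X.509 verifier such as openssl verify.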
20. Going Forward….
• Move away from CA/Browser Forum publicly trusted roots
• Create separate “roots of trust” specific to the payment industry
• Distribute these roots to terminals in a trusted fashion
• Roots can be used under payment industry rules and guidance
The Forum is a self-regulating body composed of CAs and browsers and was formed to devise standards relating to the issuance and use of digital certificates in the browser ecosystem.
CAs issue TLS certificates to web servers, signed under root keys that browsers trust. Auditors play a critical role in the ecosystem by checking the work performed by the CA against criteria known as the Baseline Requirements. The result of the audit is an audit report, which is given annually to the browsers. Browsers act as the Internet police: if they feel that a CA is misbehaving, they can sanction that CA or, in the worst case, remove its root keys.