
Certificate Authority Best Practices


Raising the Bar on End-To-End Trust - A Guide for CA's & Their Customers

Download the White Paper (updated 3/7/2013)

Security, privacy and data protection should be top priorities for all Certificate Authorities (CAs). As with any set of best practices, a solution is only as strong as its weakest link. Unfortunately, several CAs have suffered serious operational and security lapses that have diminished trust in the SSL ecosystem. Fortunately, most of these incidents have so far been detected and neutralized before significant harm occurred. The risk and likelihood of future harm underscore the urgency of raising the bar through the voluntary adoption of best practices by CAs.

In response to these threats, and drawing on feedback from CAs, security experts, relying parties and government agencies, this paper outlines the practices that organizations should demand from their CAs. Other efforts are working in parallel and should not be discounted; they require collaboration among operating system vendors, browser vendors and relying-party sites. Collectively, we share responsibility for protecting the SSL "chain of trust".

Given the central role of CAs in online trust, the security community needs to know what the highest industry standards are. In this white paper, OTA surveys the current online trust landscape and presents a collection of CA best practices that enhance trust. Looking ahead, OTA will publish the names of CAs that self-assert, in writing, their commitment to and adoption of the practices outlined. While OTA does not endorse any CA, it will highlight those CAs as "north stars" to aid businesses that are evaluating and seeking a CA committed to security and privacy best practices.

Future SSL papers will address other best practices. Promising solutions include Certificate Transparency, certificate pinning and Always On SSL. Other recommended practices, such as hard-failing the SSL connection when revocation checking fails, DNSSEC with Certification Authority Authorization (CAA) resource records, and OCSP stapling, will also be reviewed and recommended. Together these call for a holistic approach to protecting the PKI/CA/SSL ecosystem, from tools and hardware to processes and procedures.
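One of the practices named above, CAA, puts a check on the CA side of the trust chain: before issuing, the CA looks up the CAA records for the requested name and must refuse if the domain owner has not authorized it. The following is an added example, not OTA's or any CA's code, showing that lookup logic as specified in RFC 6844 (the CAA specification, since revised as RFC 8659): climb from the requested name toward the root until a CAA RRset is found, let "issuewild" override "issue" for wildcard names, refuse on any critical property the CA does not understand, and otherwise allow issuance only if a matching "issue"/"issuewild" property names this CA. The zone data, domain names and CA identifiers are constructed for the example; a real implementation would query DNS (ideally DNSSEC-validated) rather than a dictionary.

```python
"""CAA issuance check over a constructed in-memory zone (added example, not OTA code)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80          # RFC 6844 flag bit: CA must refuse if it does not understand the tag
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # property tag, e.g. 'issue'
    value: str   # property value, e.g. 'trusted-ca.example.net; account=123' or ';' meaning "no CA"


# Constructed zone for the example; none of these names or CA identifiers are real.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "trusted-ca.example.net; account=123"),
        CAARecord(0, "issuewild", ";"),                       # forbid wildcard issuance by any CA
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [
        CAARecord(ISSUER_CRITICAL, "futuretag", "x"),         # critical property this CA does not understand
    ],
    "open.example.org.": [
        CAARecord(0, "iodef", "mailto:noc@example.org"),      # CAA present, but no issue/issuewild: no restriction
    ],
}


def find_caa(name, zone=ZONE):
    """Return the relevant CAA RRset: the first non-empty set found walking from name toward the root."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []


def issuer_domain(value):
    """The issuer domain is the part of an issue/issuewild value before the first ';' ('' means no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain, requested_name, zone=ZONE):
    """Decide whether ca_domain may issue a certificate for requested_name under the zone's CAA policy."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    rrset = find_caa(base, zone)
    if not rrset:
        return True                    # no CAA anywhere up the tree: any CA may issue
    # A critical property with an unknown tag means the CA must not issue.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue   # issuewild overrides issue for wildcards
    if not relevant:
        return True                    # CAA records exist but none restrict issuance
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)


if __name__ == "__main__":
    for ca, name in [("trusted-ca.example.net", "www.example.com"),
                     ("other-ca.example.net", "www.example.com"),
                     ("trusted-ca.example.net", "*.example.com"),
                     ("trusted-ca.example.net", "locked.example.com"),
                     ("any-ca.example", "www.open.example.org")]:
        print(f"{ca:25} {name:22} -> {'ISSUE' if may_issue(ca, name) else 'REFUSE'}")
```

Note that the climb to the parent stops at the first name that has CAA records, so a subdomain with its own (here, critical and unrecognized) record is governed by that record alone, not by the parent's "issue" authorization.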

Download the paper today >

CA Assertion Form for Adoption of CA Best Practices - CAs are encouraged to complete the form to be listed as supporters of these best practices. CAs that submit the form will be posted. Note that this is self-reporting by the CA; OTA makes no assertion about a CA's actual adoption of the practices or its level of security and privacy. Companies selecting a CA should verify its practices with the CA directly. Download the Form


Revised  March 12, 2014