Let’s talk about digital identity with Dean Coclin, Senior Director, Business Development at DigiCert.
In episode 18, Oscar is joined by Dean Coclin, representing the world’s largest public Certificate Authority (CA) – DigiCert. The conversation decodes exactly what a CA does and its critical role in Public Key Infrastructure (PKI).
Listen in on DigiCert’s view of, and role in, digital identity with relation to Transport Layer Security (TLS) and Extended Validation (EV) certificates, the Internet of Things (IoT) and Legal Entity Identifiers (LEIs).
LEIs are the 20-digit alphanumeric codes identifying unique global legal entities. Ubisecure is the fastest growing LEI issuer globally through its RapidLEI service. DigiCert announced a partnership with Ubisecure in December 2019, collaborating to extend the use of LEIs for multiple types of digital certificate-based use cases. Read the press release here – ubisecure.com/news-events/digicert-ubisecure-partnership-legal-entity-identifier-organization-identity-solutions.
“What good is encryption if we don’t know who we are encrypting to?”
Dean Coclin brings more than 30 years of business development and product management experience in software, security and telecommunications. As Senior Director of Business Development at DigiCert, he is responsible for representing the company in industry consortia and driving the company’s strategic alliances with technology partners. Mr. Coclin is also the past Chair of the CA/Browser Forum and the CA Security Council. Currently he chairs the ASC X9 PKI Study Group.
Previously Mr. Coclin worked at Symantec’s Website Security business unit before it was sold to DigiCert and was one of the founders of ChosenSecurity, an Internet security firm which was sold to PGP Corporation in February 2010. PGP was subsequently acquired by Symantec in June 2010. Prior to this, Mr. Coclin was Director of Business Development at GeoTrust which was sold to Verisign in 2006. He holds a BSEE and MS from The George Washington University and an MBA from Babson College.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello, and thanks for joining today. Today, we will hear how certification authorities contribute to securing the internet but also what their role is in digital identity. And for that, I have a very special guest. Dean Coclin brings more than 30 years of business development and product management experience in software, security and telecommunications. As Senior Director of Business Development at DigiCert, he is responsible for representing the company in industry consortia and driving the company’s strategic alliances with technology partners.
Mr. Coclin is also the past Chair of the CA/Browser Forum and the CA Security Council. Currently, he chairs the ASC X9 PKI Study Group. He holds a BSEE and MS from the George Washington University and an MBA from Babson College.
Dean Coclin: Hello, Oscar! Thank you for having me today.
Oscar: You’re very welcome. It’s great talking with you, Dean. I’m really very excited to talk about your career and what you are doing today in this world of Certification Authorities, particularly in DigiCert. So, I would like to hear first, what was your journey to this world of digital identity?
Dean: Well, I’ve been involved with Public Key Infrastructure and Certificate Authorities since 1996 actually, starting out with a company called GTE CyberTrust. That business was sold to a company called Baltimore Technologies which was then sold to a company called Betrusted.
Then I left that group and worked at GeoTrust for a while before we sold the company to Verisign in 2006. And then I went off and worked at another startup which leveraged the company based in Germany, in Hamburg, Germany called TC TrustCenter. That company was then sold to PGP in 2010 and then PGP actually was sold to Symantec a few months later. And Symantec then acquired the assets from Verisign including GeoTrust so I basically joined a lot of my colleagues again. And we kept that going until 2017 when the website security business was sold by Symantec to DigiCert.
And so now, DigiCert by the virtue of acquiring all the assets from Symantec in website security, which included GeoTrust and Verisign from way back, now is the world’s largest, public certificate authority. So, it has been sort of a long journey, but the good thing is, I’ve been dealing with a lot of the same players as well as new players in the industry and have learned a lot along the way. So, I’m really happy to join you here today to talk a little bit more about certification authorities.
Oscar: Yeah, that’s a very consistent and long experience in a very specific field, PKI, up until today, when you are in the biggest one, that is DigiCert. So DigiCert, as you said, is the largest commercial CA. But for those who are not so familiar with the role of these organisations, how would you define – what is a certification authority?
Dean: Well, it’s a good question. The certification authority plays a very key role in a public key infrastructure. In a public key infrastructure, you have a concept of private and public key pairs. The private key is something that you always keep with you. You never leave it out of your possession.
But the public key is something that you can send to others that they can then use to encrypt messages to you. However, when you send that public key to someone else, how does that other party know that that’s coming really from you and not a hacker?
And so, the role of a certification authority is to attest to the authenticity of that public key. And what essentially a certificate authority does is sign your public key with a certification authority’s private key. And that basically tells the recipient that, “Ah, someone has certified that yes, this public key is authentic.”
So, in a simple example, let’s say you and I need to communicate, and we’ve never met before and you say, “OK, Dean, I want to encrypt a message to me.” And I say, “OK, Oscar, send me your public key.” So, you send me your public key but if your public key has not been checked by a certification authority, how do I really know that that public key is your public key? Because if I send you a message that has been encrypted with your public key then only you can open it but how do I know a hacker hasn’t intercepted that conversation and inserted their public key into the conversation?
So, having it signed or attested to by a trusted third party, which is a certification authority, gives me confidence that someone has checked that that public key really belongs to you. And that example is for the secure mail world. But looking at things that are used every day for websites, websites use public key cryptography in the form of digital certificates – or that little lock that you see on the screen – to attest to the authenticity and the person who is behind that website.
So, I think we are going to talk a little bit about that more coming up. But in general, a certification authority is someone who attests to the authenticity of a public key.
Oscar: Sure. Thanks for that. And the certification authority is very important in security. The example you have described is how to secure email, for instance. Actually, most of us are not aware, but most of us are sending email encrypted. That’s most of the cases and it’s very transparent from our side. In securing a service such as email, securing a website, security is one of the pillars of the certification authority. What about digital identity? How does a company like DigiCert view digital identity?
Dean: Well, we view it as something that’s very critical to operating on the World Wide Web. The World Wide Web has been a great tool to communicate, to learn, to educate others, but unfortunately, that world is also filled with people who don’t have the same intentions in mind. And these people are typically known as cyber criminals or hackers. And so, we want to make sure that when you’re doing business online, when you are communicating online, that you are communicating with the party you expect to be communicating with.
And so, we feel that digital identity is extremely important in e-commerce, in education, in business on the World Wide Web. We want to try to minimise the effect that hackers have by assuring people that those they are communicating with are in fact who they say they are.
And so, digital identity, when you can’t see someone, you can’t touch them, you can’t hear them, plays a very, very important role. I think the European Union especially has recognised this and they’ve put out some legislation and digital frameworks around digital identity. We are right in line with that, we support that. We want to make sure that e-commerce is safe on the web by assuring each party that their digital identity has been verified.
Oscar: So that’s mostly the digital identity of the organisation, not the end-user.
Dean: Well, it could be both. The identity of the organisation in SSL certificates for example is key. But for example, as we talked earlier about S/MIME certificates, we are talking about an individual, and that individual could be part of an organisation or it could be just an independent individual. Nonetheless, the identity is extremely important, and we want to make sure that it’s verified.
Oscar: So, I know for instance some of the main applications of DigiCert are TLS and IoT. Could you tell us a bit about how identity is in these fields?
Dean: Right. Yeah, in TLS, I think as we just started to talk about, ensuring that when visitors go to websites, that the website that they believe they are on is in fact that real website. This is extremely important. And maybe we know just by typing in a domain name that we are used to going to that we are sure we are on the right website, but what if we search for something on the internet and we are using a search engine?
And let’s say we are looking for sunglasses and we are looking for Ray-Ban sunglasses. Well, I happen to know that searching for Ray-Ban sunglasses is actually a very tedious task because there are so many sites that advertise Ray-Ban sunglasses and sometimes, it can be difficult to find out who is the authentic site. Which site is actually the real site for Ray-Ban? Is it Rayban.com? Is it Ray-Ban.com? Is it Rayban.us?
There are so many different permutations of the name that, to the average user, it’s impossible to tell which is the real website. And so, being able to identify that website with a digital certificate that actually shows the identity of who is behind that website is very, very important for e-commerce, for financial transactions, and for any other highly important transactions online.
Now with IoT, it’s a little bit of a different story. With IoT, we have so many different types of IoT devices. Of course, we have consumer devices like baby monitors and webcams. But then we have much more professional devices like medical devices used to monitor blood pressure or drug infusion pumps. We have SCADA systems, industrial controls, so things that take care of water dams and nuclear power plants. We have vehicle control systems now with the advent of autonomous vehicles. We have vehicle to vehicle communications. And these all have to be authenticated and they are done securely using digital certificates.
So, there are some critical applications in IoT that require identity and authenticity and encryption to happen and this is best done with digital certificates. These IoT applications are much larger than we would think of for World Wide Web applications because, for example, let’s talk about cable boxes, cable TV boxes have digital certificates in various parts of the world. And we are talking about hundreds of millions of devices. That’s a big number and that’s a lot more than the number of websites out there today. So, the scale is on a different level for IoT devices than it is for TLS. But nonetheless, identity is extremely important in both cases.
Oscar: Yeah, it is very interesting, these distinctions you make between websites. That’s something we are much more familiar with. We are facing it every single day and we have this idea, the image of the padlock, the green padlock or similar, but when we extend that to IoT devices – you mentioned self-driving cars communicating with each other or even these set-top boxes, the cable boxes we have at home – the numbers are much, much bigger. So, it’s quite interesting.
And most of these applications, most of these set-top boxes or all of them, are they using certificates, the majority of them?
Dean: In many parts of the world, that is true. Especially in the European Union and in the US. Many cable boxes use certificates to authenticate the device as well as to provide encryption for the device. So yes, that is true.
Oscar: Yeah, it’s excellent to see that and to know that these certificates are already there in devices that people really trust a lot because you buy these devices, and you trust that it’s already secure.
Another interesting aspect, again with the padlock on the web browsers, and many people don’t know, there are of course organisations who work to build standards for all these browsers that we use. So, we don’t notice how important these are and who is behind that. So of course, there are a few companies that ship the browsers, update them, but there are organisations even less known that are working on that.
And you are currently the Vice Chairperson of the CA/Browser Forum. If you can tell us a bit about this organisation and what has been its impact on online security.
Dean: Sure. The CA/Browser Forum was formed about…I would say 14 years ago. And the purpose of the Forum at that time was to come up with standards for digital certificates that are used on the web – formerly known as SSL certificates, now replaced with new protocol TLS.
At the time, remarkably, there were a few companies issuing these types of certificates but there was no recognised standard for how these certificates should be issued, renewed, revoked, etc. And so, a bunch of certificate authorities (competitors actually at the time and still are), as well as browsers (these are the companies that actually use these types of certificates in their environment), got together and said, “OK, let’s come up with standards for different types of certificates”.
And the first standard they came up with was for Extended Validation certificates or EV certificates. And these are the certificates that are the highest form of authentication on the web today, where we verify not only that the domain name belongs to the person applying for the certificate, we verify that the person applying for the certificate is authorised by the company to do so, and we also verify the company’s existence by looking at third party documents from reputable sources to verify that it is a legitimate company.
So that standard came out, I would say around 2008. And then work started to develop the standard for the other types of certificates which are known as DV or Domain Validated, and OV or Organisationally Validated. And I believe those were issued around 2011-2012. Since then, the forum continues to meet on a regular basis, bi-weekly by telephone and three times a year face to face in different parts of the world. And it’s a great way for both CAs and Browsers to come together to talk about what issues they’ve seen, how they can be solved and how to keep improving these standards which were developed quite a few years ago.
Most recently in the CA/Browser Forum, new working groups have been stood up namely for code signing and I think very soon, we are going to have one for secure mail, to be able to set standards for those particular areas.
But it’s a great group of international folks that are working cooperatively together to help improve the security of the internet.
Oscar: Yeah, definitely very interesting to know that CA/Browser Forums brings these two worlds together because we are usually more familiar with the browser. We will install Firefox or install Chrome. Different people have different opinions about which one is better or which one do you trust the most.
And there are a few of these. But after all, we trust. We trust that they are secure. They don’t have bugs and they have the certificates that are there once we install the browser. Yeah, excellent about that.
You already mentioned the types of certificates like the Extended Validation and then the OV, the Organisation Validation. You said that the highest level of assurance is the EV today.
Dean: Yes. Yes.
Oscar: Yes. Could you tell us more in practice how a certification authority does that validation? I mean how rigorous is it? Imagine that I have a website and I want to have this certificate validated, what are the steps to have the EV issued?
Dean: Sure. Right. You’re right. You’re correct. EV is the highest form of authentication and therefore, it requires multiple steps on the part of the certificate authority to ensure that the person applying for the certificate is not a criminal and actually represents a legitimate business.
And so first, we have to do the same thing we do for all types of certificates, and that’s to verify the domain name. So, let’s say your company was Oscar, Oscar.com. We would go and verify that Oscar.com is a legitimate domain and that you have the ability to control that domain. So, there are different ways that you can check the control of that domain. We can usually send an email to an email domain that we know belongs to you and if you respond to that, that might be one way to do it. Another way is to have you put something on a particular webpage that we can go and look at like a shared secret. So, there are multiple ways that we can confirm ownership of the domain.
After we’ve confirmed ownership of the domain, we need to confirm that you are an authorised representative of the company to be able to request that certificate. So that would require us going to a public directory to find the phone number for your company, calling the number that we find in the directory, and having the phone transfer to your extension. So that would validate that you are actually part of that company.
And then we have to validate the company’s existence from a legal perspective. That would involve going into possibly a corporate registry for that particular country where it’s registered. Let’s say, you are in Finland, so we probably have to go to the Finnish registry, verify that your company is registered as a business there, check those records, and update our records accordingly.
If you are a certain type of business that is not listed in the registry, we require a legal opinion letter which would mean you would have to go to a lawyer, and they would just validate that you are a legitimate business and we would accept that letter.
So yeah, there are different types of authentication we have to do to verify all this for EV. But once that’s done then you can receive the EV certificate. Now, what’s important about the EV certificate is that it contains additional information than a domain-validated or an organisationally-validated certificate. And this can be viewed via the different browsers. Most browsers allow you to click on the lock and show that it is in fact an EV certificate, and the way you would verify this is because it will actually show the company name.
For example, if you were to go to BankofAmerica.com with Chrome or Firefox or Edge, you would click on the lock and it would say, “Certificate issued to Bank of America Incorporated” and then in parentheses would say US, which is the region where it’s incorporated.
So other types of certificates do not have that information. And this is the distinguishing factor between EV certificates and other certificates. And if you wanted to get more information such as the particular address where the company is located, you can click on more information and get all that information as well.
So, all of this information is there if someone needs it. It’s not necessarily displayed to a user every day, but it is there when they need it, especially if they are trying to find out, “Is this the real Ray-Ban that I want to go to?”
Oscar: Yeah, exactly. One interesting point, the one that you say that there is more information in the certificates. If you go to the browser, you can find much more information, the official name of the company, the jurisdiction and more information.
And one of the strongest things I can see of this is that it combines the digital world so things that you can verify purely in the digital world plus the physical world. They have to provide their physical address. So, the certification authority is going to make calls to that existing verification with the physical. And even in some cases as you explained, you have to visit a lawyer or do some paperwork, which might be difficult to truly validate the authenticity of the ownership of this.
Dean: Yes. In fact, I love that analogy. I think bringing the digital and physical world together into the digital certificates so that people can review things that they recognise in the physical world like their address, their corporate registry, and having that in the digital certificate which is verifying the authenticity of the website, I think this is a great analogy and it’s a way that makes it easy for folks to understand.
Oscar: Yes, Dean. Well, we have announced a couple of months ago that we have a partnership between DigiCert and Ubisecure and the focus of this partnership is exploring how the Legal Entity Identifiers, LEIs, can help the certification authorities.
So, from your very vast experience in seeing a bit in the future what’s going to happen, what can consumers expect from this relationship?
Dean: This is great. I think LEIs, or Legal Entity Identifiers, are playing a very important role in the global business identification scheme. We see that it is extremely valuable, and I think that as we said earlier, it’s a great way to marry the physical world and the digital world together by bringing identity information into that digital certificate. LEIs provide another piece of that identity equation. These are identities that have been checked out by different registrars around the world, and using a standard method that’s prescribed by the Global LEI Foundation, the GLEIF, puts this into a standard form that can be used around the world.
And these LEI numbers can be easily checked using a reference database that’s provided by GLEIF to verify identity. So, it’s another piece of identifying information that can be used to connect those two worlds that we talked about.
Currently, LEI numbers can be put into certain extensions in certain fields of certificates. We are looking at ways that we can actually expand that a little bit more in the CA/Browser Forum to allow for LEIs to be put in other particular fields of certificates that would make them more prominent to users and allow them to recognise them easier. We will see if that actually happens. There are a lot of people that are for that but there are some people that are against that. And we are going to keep pushing that to see if we can make that a reality. But I think it would be something that would be valuable to relying parties who are going to websites and looking at certificates, as well as entities that want to show relying parties who they are through the use of LEIs.
Oscar: Yeah, it definitely has a really good potential to bring more transparency to the organisations that show it in these certificates. Good. Something that I’d like to ask you, because I know that you also belong to another very important organisation, the ASC, and you are leading the ASC X9 PKI Study Group. Tell us a bit about this organisation and what you are doing there.
Dean: Sure. ASC X9 is a standards body for the financial community around security standards. And I think years ago they were very concerned about using publicly-trusted TLS certificates in financial devices. Think about automated teller machines, ATMs, or credit card terminals, payments terminals. Because what happened many years ago, actually not that many years ago, the industry moved from SHA-1 to SHA-2.
And unfortunately, at that time, some of these payment terminals, these smaller devices, were older devices and could not communicate using SHA-2, and therefore they relied on SHA-1. But when the CA/Browser Forum outlawed the use of SHA-1 for servers, those payment terminals could no longer connect to servers that were using SHA-2 certificates. And so, they essentially became dead devices.
And unfortunately, there was a large number of these devices around the world that were basically stuck, and merchants had to scramble and spend a lot of money to update those things on very short notice.
So the ASC X9 Group wants to avoid any repeats of that particular action. So, they are looking at whether or not they should continue to use publicly-trusted TLS certificates or come up with their own standard for TLS certificates, and actually of PKI, in their environment and for their users.
We uncovered many different use cases for PKI in the financial community and we are focusing on the high priority ones in the second phase of the study to determine if a private PKI would be better for this community and how such a private PKI would be implemented. We expect to start phase 2 of that study group later this month and the nice thing is we have brought participation from a wide variety of financial community participants involved in this study.
I’m personally not from the financial community but I think that’s actually a good thing because I’m able to help guide this group along with my co-Chair who was a former Mastercard person. We are able to help guide this group without any sort of influence of being formerly in the financial community. However, we do have a lot of industry knowledge as I mentioned earlier, being in the space for many years to help guide this group and come up with the right conclusion.
Oscar: Yeah, that’s really an excellent initiative, this new working group. And yeah, it’s a good example of how sometimes part of the industry is leading one direction, of course making innovations to make things more secure but sometimes you somehow ignore or don’t realise that other industries might not be in sync. And yeah, it’s very interesting to hear that. And so, we all will benefit from the work done in this initiative.
Dean: Yes, I think so.
Oscar: So, Dean, now I would like to ask you if you can give us a tip for anybody on how to protect our digital identities.
Dean: Well, being online these days, it can be very rewarding because we need to get business done. We need to access our accounts. Some of us take distance learning classes. We do research. And especially nowadays when many people are working from home due to this whole coronavirus situation, we have many people online at the same time at our homes, many different ages of our families. But what’s important is that we have to protect our identities and our transactions online.
So, there are a few things that we can do for that. Obviously, when we are online and doing financial transactions on websites, we need to look to ensure that those transactions are encrypted. And the one way to assure that is by looking for the lock in the website to show that the transaction is encrypted. The lock does not guarantee that you are at the website you think you are. So, it’s very important that you look at the website name, perhaps check the digital certificate that is securing that website before proceeding to enter personal information. And what good is encryption if we don’t know who we are encrypting to? So being able to check the authenticity of the other end is very important.
And then of course, there are basic tips for protecting identity. Make sure you log out of websites when you are done. Don’t just close the browser. Your web session might still be active.
Make sure you update any antivirus software that you might be using on your computer. Do software updates on your operating system whether you are on Apple, Macs, or PCs. These updates come out quite regularly. And make sure you stay up-to-date because those updates are there for your safety.
And in addition, make those updates for your cell phones, your smartphones. Those devices are also very susceptible to hackers intercepting things, and that’s why these device manufacturers come out with frequent security updates. So, it’s very important to ensure you’re up-to-date there.
In addition, most people don’t even check this but, for computer manufacturers, they also offer their own updates, Lenovo, Dell, HP, for their own operating system, for their own firmware, for their own device drivers. It’s important to check those on a regular basis to make sure you’re up-to-date because hackers will take advantage of vulnerabilities and weaknesses in Wi-Fi networks, Bluetooth controls, etc. to try and attack your computer. So, keeping those up-to-date is very important.
If you are using webcams or cameras on your phones, there have been reports in the past where hackers have been able to get into those cameras without you even knowing it. And so, keeping those cameras covered with either a little sticky note or a piece of tape is not a bad thing to do.
Those are some basic tips. I’m sure there are plenty of others we can think of but that’s the ones that pop into my head at the moment. So, I’ll leave it at that.
Oscar: Yeah, absolutely. It’s a great reminder that there are many ways we can secure ourselves. Well, thanks a lot, Dean. It was a pleasure talking with you and learning more about the certification authority and everything that is connected with that, like the financial industry, the browsers, and how LEIs can in the future be combined with these certificates to provide us better security and secure our identities.
Please, could you let us know how we can find you on the net? What are the best ways to find more about the work you are doing?
Dean: Well, you can always follow me on Twitter. My Twitter handle is @chosensecurity, that’s all one word. And I also periodically publish some blogs on DigiCert.com/blog, and you will find some articles that I’ve written recently. I think those are probably the two best areas where you’ll find some of the stuff that I’ve been doing.
Also, if you are inclined to follow the activity of the CA/Browser Forum, all that information is publicly available. You can go to cabforum.org and you can sign up for the public email lists for any of the working groups or just the general email list. I’ll warn you that you might get a lot of mail that you don’t really want to see but nonetheless, you can always delete that part and read what you want. So, it would be interesting for those that have a very specific interest in this area.
Oscar: Excellent. Many ways to find you and all the work you are doing. So again, thanks for being here, Dean, and all the best.
Dean: Thank you, Oscar. It was a pleasure.
[Outro] Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]