Following the recent Wired article "Google wants to kill the URL" and the follow-up article from The SSL Store, "Google's plan to kill the URL is a golden opportunity for Certificate Authorities", we felt it was worth adding some thoughts to the debate, since this early-stage proposal is clearly more than a radical change to the web!
Google's focus, in their words, "isn't to upend URLs haphazardly, but to enhance a vision that is already in place, given that entity identification is foundational to the overall security model of the web". Given that end-entity identification on the web is currently performed by Certification Authorities (CAs), one can imagine that Google is not happy with the status quo.
What do they mean by wanting to “enhance” the vision and what does that mean for CAs?
Google, amongst others, has been very active over recent months in highlighting the flaws of the identity information contained within EV SSL certificates. The removal of positive security indicators in the Chrome 69 release, and further hints that the identity data contained within certificates may not be displayed at all, has essentially been seen as a move to use SSL certificates for encryption only.
The interesting point here is that once you remove identity from the equation, it doesn't matter who you are connecting to, good guy or bad guy (at least technically)! So does this mean that identity can then become a separate concern, layered into higher-level transactions executed over the now (by default) encrypted link?
Let’s now talk about identity. The SSL Store commented that “No, authentication would need to be outsourced, and the CA industry is in perfect position to step into that role.” Based on the observations raised so far, from interpreting Google’s perspective at least, the CA industry is yet to deliver reliable identity data within the certificate and hence will not be displayed to a consumer!
Our team includes individuals who have been involved in the CA industry for many years and who founded or worked with all the major CAs. It is our collective opinion that this is NOT something the CA industry can solve alone; they need to work with other providers of business identity.
Our recent blog post "Widening the scope of best practice for LEIs for SSL/TLS identity" touched on how browsers will be ideally placed to display an LEI (Legal Entity Identifier) to consumers, and how one such container could be X.509 SSL/TLS certificates.
We also announced news of a pilot initiative from a RapidLEI partner and the world's largest CA demonstrating a live certificate containing real, validated and verifiable LEI data: "TrustCubes adds Legal Entity Identifiers to SSL Certificates".
As the TrustCubes blog post succinctly states:
Users relying on company identity data for any online use case need several things. They need it to be:
Live and accurate – representative of the company at the time of relying on it
Regulated and consistent – there should be a credible standardized validation workflow of identity data
Transparent – published to a publicly accessible and verifiable open database
User friendly – Doing Business As (DBA) names should be supported where complicated group holding names would otherwise confuse users (KLM vs Koninklijke Luchtvaart Maatschappij N.V.)
Detailed when needed – as well as providing the ‘who is who’ aspect of company identity, when needed give insight into ‘who owns whom’ for corporate structure understanding
Challengeable – if inaccuracy is suspected, there should be a protocol to challenge
The Legal Entity Identifier (LEI) ecosystem, overseen by the GLEIF (Global Legal Entity Identifier Foundation), created at the request of the G20, was designed to meet all these requirements. Whereas the most common use case for LEIs today remains within financial reporting, the LEI has the potential to be a central single corporate identifier for a multitude of use cases.
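Because an LEI is meant to be verified against the public GLEIF database, a relying party (a browser displaying an LEI taken from a certificate, for example) can reject malformed or mistyped identifiers locally before doing any lookup. The following is an added example, not code from Ubisecure, RapidLEI or TrustCubes: it checks the ISO 17442 layout (18 alphanumeric characters plus 2 check digits) and the ISO 7064 MOD 97-10 check digits, and can also compute the check digits for a given 18-character base. The sample LEI strings below are test input only.

```python
import re
from typing import Optional

# ISO 17442 layout: 4-char LOU prefix, 2 reserved chars, 12 entity-specific
# chars, then 2 numeric check digits. Letters are uppercase A-Z.
LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def _to_numeric(s: str) -> str:
    """ISO 7064 MOD 97-10 expansion: digits stay as-is, A..Z become 10..35."""
    return "".join(str(int(ch, 36)) for ch in s)


def _mod97(numeric: str) -> int:
    """Remainder of a long decimal string modulo 97, digit by digit."""
    rem = 0
    for d in numeric:
        rem = (rem * 10 + int(d)) % 97
    return rem


def compute_check_digits(base18: str) -> str:
    """Check digits for an 18-char base: append '00', then 98 - (n mod 97)."""
    base18 = base18.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", base18):
        raise ValueError("base must be 18 uppercase alphanumeric characters")
    return f"{98 - _mod97(_to_numeric(base18 + '00')):02d}"


def lei_problem(lei: str) -> Optional[str]:
    """Return None if the LEI is well-formed, otherwise a short reason."""
    candidate = lei.strip().upper()
    if not LEI_RE.fullmatch(candidate):
        return "not 18 alphanumeric characters followed by 2 digits"
    # A valid MOD 97-10 string (including its check digits) leaves remainder 1.
    if _mod97(_to_numeric(candidate)) != 1:
        return "check digits do not match (typo or tampered value)"
    return None


def validate_lei(lei: str) -> bool:
    return lei_problem(lei) is None


if __name__ == "__main__":
    for sample in ("506700GE1G29325QX363", "506700GE1G29325QX364", "NOT-AN-LEI"):
        print(sample, "->", lei_problem(sample) or "format and check digits OK")
```

A syntactically valid LEI still says nothing about the entity behind it; the "Live and accurate" and "Transparent" requirements above are only met by looking the identifier up in the public LEI database.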
Ubisecure's RapidLEI service, via a cutting-edge API and SaaS solution, is fast becoming the go-to solution for technology innovators looking to add stronger, verifiable corporate identities as the central identity element in their solutions.
Connecting the very different SSL and LEI ecosystems throws up many challenges, but it very effectively delivers one example of how the CA industry can indeed play a pivotal role, albeit NOT alone!