EU wants breach notification for certificate authorities
By Stewart Mitchell
Posted on 5 Jul 2012 at 11:41
European authorities plan to clamp down on certificate authorities, demanding security signing organisations speak up if hit by hackers.
Certificate authorities - either private or government backed - issue digital certificates that verify web pages and code, and are a key component of the web running smoothly and securely.
But as last year's DigiNotar debacle highlighted, there is little regulation of this critical area - and if a CA is hacked, the fallout can be severe.
“There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and signatures,” officials warned in a document proposing regulation of the arena.
When DigiNotar was hacked, Dutch officials delayed removing its certificates from circulation, provoking widespread criticism from web companies and security officials.
In response, the EU wants to tighten controls, saying it will force CAs to report breaches within 24 hours.
“Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein,” the proposal said.
The proposals also call for databases used for checking certificate validity to be updated within ten minutes if one is pulled for security reasons.
The importance of a properly working CA system was highlighted last week when Dutch investigators issued a scathing report on local authorities’ inability to deal with the fallout from the hacked DigiNotar.
“The hacking of DigiNotar in the summer of 2011 made clear that the Dutch government was not prepared for a breach of its digital security,” said the Dutch Safety Board in its report.
“The security breach meant that the data of private individuals and companies could be intercepted and possibly misused. To the surprise of many, it proved impossible to effect a rapid switch to a different supplier without seriously endangering the continuity of various essential data flows with and within the government.”