August 2019 Industry Update
• ~63.5M certs observed by Netcraft
• Up 2M or 3.3% from last month
• OV grew by 1.3M, DV by 743K
• Greater than 50M DV certs
• DigiCert had the largest gain, up 1.3M (4th month in a row!): the largest growth of any CA
How does this break down by DV/OV/EV?
The World of Publicly Trusted TLS (according to Netcraft) June 2019
[Chart: Share of Total Certificates By Certificate Authority. Total: 63,524,099. CAs labelled: Let's Encrypt, Sectigo, DigiCert.]
[Chart: DV Share of Total Certificates By Certificate Authority. Total: 51,821,591. CAs labelled: Let's Encrypt, Sectigo.]
[Chart: OV Share of Total Certificates By Certificate Authority. Total: 11,486,471. CA labelled: DigiCert.]
[Chart: EV Share of Total Certificates By Certificate Authority. Total: 216,037. CAs labelled: DigiCert, Sectigo.]
EV Certificate Market Share – May 2019
[Chart: DigiCert vs. Rest of Industry]
Source: trends.netcraft.com / www.digicert.com
Latin America Distribution by Certificate Type (June 2019)
Country DV OV EV Total
Argentina 97.9% 1.7% 0.3% 126,146
Brazil 97.5% 2.3% 0.2% 533,824
Chile 98.1% 1.4% 0.5% 175,989
Colombia 90.0% 6.9% 3.1% 37,079
Mexico 81.3% 14.7% 4.0% 32,731
Nicaragua 80.6% 11.2% 8.3% 556
Panama 94.8% 3.3% 2.0% 9,995
Paraguay 89.3% 5.8% 4.9% 2,038
Peru 85.3% 10.2% 4.6% 10,943
Uruguay 93.4% 5.4% 1.2% 6,386
Source: https://whynohttps.com/
Which of these websites load over insecure connections without redirecting to HTTPS?
• Baidu.com
• ESPN.com
• google.cn
• bbc.com
• vodafone.co.uk
• speedtest.net
• nba.com
• mit.edu
• ca.gov
What’s new in the CA/B Forum? Ballots
SC 17 (PASSED): Alternative registration numbers for EV certificates. Allows the inclusion of additional information in certificates in order to comply with relevant EU regulations.
SC 19 (PASSED): Phone contacts with DNS CAA records. Permits domain validation via phone numbers stored in CAA records.
Forum 9 (PASSED): Updates to bylaws: working groups, officers, subcommittees.
CS-1 (PASSED AND IN IP REVIEW): Formally adopt Code Signing Guidelines.
EV and Identity
EV Guidelines have not been improved in many years
Rare to have a security standard with no updates for this long
Suggested improvements:
• Limit data sources for EV
• Add LEIs to EV certificates (more on next slide)
• Add trademarks/wordmarks to EV certificates
• Allow CAA records to specify the type of cert a customer will accept
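As an added example (not from this deck or from DigiCert), the CAA check a domain owner might run before relying on the phone-contact ballot above or on CAA-based issuance restrictions: it parses constructed CAA records, applies the RFC 8659 issue/issuewild rules for a given CA, and lists any contact properties a CA could use for phone or e-mail validation. The contactphone/contactemail tag names are assumed from the CA/B Forum Baseline Requirements; the zone data is constructed.

```python
import re
from typing import NamedTuple
class CAARecord(NamedTuple):
    flags: int   # bit 0x80 = issuer-critical (RFC 8659)
    tag: str     # property tag, lower-cased (tags are case-insensitive)
    value: str   # property value without the surrounding quotes
# Contact properties a CA may use to reach the domain holder during validation;
# tag names assumed from the CA/B Forum Baseline Requirements CAA appendix.
CONTACT_TAGS = {"contactphone", "contactemail"}
KNOWN_TAGS = {"issue", "issuewild", "iodef"} | CONTACT_TAGS
_CAA_RE = re.compile(r'\bCAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

# Constructed sample zone data, not real records.
SAMPLE_ZONE = """\
example.com. 3600 IN CAA 0 issue "digicert.com; account=230123"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 contactphone "+1-555-0100"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
"""

def parse_caa(zone_text: str) -> list[CAARecord]:
    """Parse zone-file style CAA lines into CAARecord tuples."""
    recs = []
    for line in zone_text.splitlines():
        m = _CAA_RE.search(line)
        if m:
            recs.append(CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return recs

def ca_may_issue(recs: list[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 decision: may ca_domain issue for this name (wildcard or not)?"""
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in recs):
        return False
    has_wild = any(r.tag == "issuewild" for r in recs)
    relevant = [r for r in recs if r.tag == ("issuewild" if wildcard and has_wild else "issue")]
    if not relevant:                      # no constraint: any CA may issue
        return True
    # Value is "<issuer-domain>[; param=value ...]"; a bare ";" denies every CA.
    issuers = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in issuers

def audit_caa(recs: list[CAARecord], ca_domain: str) -> dict:
    """Domain-owner view: what the published CAA set permits for one CA."""
    return {"issue_ok": ca_may_issue(recs, ca_domain),
            "wildcard_ok": ca_may_issue(recs, ca_domain, wildcard=True),
            "contacts": [(r.tag, r.value) for r in recs if r.tag in CONTACT_TAGS],
            "unknown_critical": [r.tag for r in recs
                                 if r.flags & 0x80 and r.tag not in KNOWN_TAGS]}
```

Running `audit_caa(parse_caa(SAMPLE_ZONE), "digicert.com")` reports that DigiCert may issue non-wildcard certificates only, and surfaces the published phone contact that a CA could use for validation.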
What are LEIs?
• Legal Entity Identifier
• Objective: Identification of legal entities participating in financial transactions
• Issued by LOUs (Local Operating Units) under rules from GLEIF
Trademarks & Wordmarks
• Unique
• Distinguishable
• Familiar
• Recognizable
• Use for: brand protection, preventing forged websites
Norton Secured Seal Facts
88% of consumers recognized the Norton™ Secured Seal
91% of consumers trust the Norton™ Secured Seal
78% of on-line shoppers are likely to continue transacting on the website when they see the Norton Secured Seal
90% of on-line shoppers are very or somewhat likely to enter their credit card information when they see the Norton Secured Seal
Source: International Online Consumer Research by Ipsos: US and UK, 2019
eIDAS and PSD2
• Requires use of qualified certificates for secure communication & transactions between payment service providers:
• Qualified website certificates (QWACs) for payment service providers
• Qualified e-Seal certificates (QSealC) for payment service providers
PSD2 Certificates
Qualified Certificate for Website Authentication (QWAC): TLS/SSL to protect data in peer-to-peer communications, using standards such as IETF RFC 5246 or RFC 8446
Qualified Certificate for Electronic Seals (QSealC): digital signatures to protect data or documents and assert their origin from a legal entity, using standards such as ETSI’s PAdES, CAdES or XAdES
eIDAS: QWAC vs. eSeal
Where is it used?
  QWAC: Identifies end points, protects data during communication
  eSeal: Identifies origin of document or data and makes it tamperproof in communication and storage
What are the security features?
  QWAC: Confidentiality, authentication and integrity
  eSeal: Authentication and integrity
Provides legal evidential value for transactions?
  QWAC: No
  eSeal: Yes, under eIDAS
Is data protected when passed through an intermediary?
  QWAC: Peer-to-peer only
  eSeal: End-to-end, even if passed through an intermediary
PSD2 Certificates: Nuts n Bolts
Timeline:
• November 27, 2017: PSD2 delegation of RTS
• January 13, 2018: PSD2 comes into application
• Mid-March 2019: 3 month prototype test
• Mid-June 2019: 3 month live test
• September 14, 2019: RTS comes into effect
QuoVadis is Ready!
• Already issuing PSD2 certificates for both prototype/test and live systems
• Similar to EV vetting
• Qualified: requires face-to-face vetting of authorized representative
• Able to issue internationally, including to DigiCert customers
DigiCert’s involvement with NIST
NCCoE projects
• Mitigating IoT based DDoS (SP 1800-15): https://www.nccoe.nist.gov/projects/building-blocks/mitigating-iot-based-ddos
• TLS Server Certificate Management (In process): https://www.nccoe.nist.gov/projects/building-blocks/tls-server-certificate-management
• Securing Picture Archiving and Communication System (Hold): https://www.nccoe.nist.gov/projects/use-cases/health-it/pacs
• Securing Wireless Infusion Pumps (SP 1800-8): https://www.nccoe.nist.gov/projects/use-cases/medical-devices
Quantum Computing and Risks to TLS certificates
• Quantum computers pose a risk to today’s systems and could break RSA encryption
• Technology is moving rapidly
• “Quantum-safe” algorithms exist that are resistant to attack by quantum computers
• NIST selecting finalists
• Long-lived certificates are the most at risk
• Cars, medical devices, SCADA systems, etc.
• Confidential data with long life times
• DigiCert has Quantum Safe certificates available NOW
• In cooperation with ISARA and Gemalto
Quiz time: True or False?
The new bylaws of the CA/B Forum allow for the creation of working groups to address any type of digital certificate.
The CA/B Forum’s office location and phone can be found at cabforum.org
If there’s an issue with a certificate that may have been mis-issued but is used in a mission critical application, you can go to the CA/B Forum and request a waiver/exception
You must waive any pertinent IP rights or grant an RF license in order to join the CA/B Forum
It would be advised to move TLS certificates to quantum safe algorithms as soon as possible
Browsers provide special indicators for QWACs
Digital certificates from the experts
Software Security
Email Security
IoT Security
Website Security
Personal Certificates: MPKI issues and manages certificates for employee email signature and encryption
TLS/SSL Certificates: DV/OV/EV, Multi-Domain, Wildcard, Norton Secured Seal
Code Signing Certificates: Digitally sign code to protect integrity and authenticate source
Identity Certificates
Cloud PKI™ from DigiCert: Create and manage millions of IoT certificates from a single platform
Thank you
Avesta [email protected]