Recap of NIST’s Workshop on Improving Trust in the Online Marketplace

Rick Andrews (Senior Technical Director for Website Security; DigiCert)

On April 10 and 11, NIST held a workshop in Maryland to bring together many parties (industry, research and academia communities, and government sectors) to examine “technical and administrative efforts to increase trust online by improving the Public Key Infrastructure certificate marketplace supporting SSL and TLS.”

From the opening keynote to the final remarks, we heard from experts around the world. There were presentations on the current state of trust infrastructure and audits, the impact of recent breaches, detailed looks at some emerging solutions like Certificate Transparency and DANE, and new ideas to manage and minimize risk in key usage.

During the first day, various CASC members presented at the conference. Ryan Koski of GoDaddy described the current state of certificate revocation checking, Ben Wilson of DigiCert made a case for the benefits of Certificate Transparency, and I participated in a panel discussion on “What do we need to do to improve trust?” The second day included Ben Wilson describing the CA/Browser Forum and CA Security Council, Ryan Hurst presenting ways to improve trust using principles of least privilege, and Ben Wilson and other panel members discussing “Where do we go from here?”

Many of the presentations included question and answer sessions with wide-ranging discussions, followed by spirited debate during the breaks. I think everyone felt that the format was effective and the conference was very worthwhile.

Tim Polk of NIST summarized the meeting well in his “Building Consensus” talk. He pointed out that we have a number of known problems and even more proposed solutions to them. Coordinated effort among multiple parties will be challenging, but absolutely essential. He suggested that advancements should be led by the private sector but be customer-driven, with all stakeholders equally represented. He called on all parties to implement proposed solutions where possible, so that all of us can experiment with them and learn what works and what doesn’t.

You’ll hear more from the CA Security Council in the following months on many of these proposed solutions. We encourage any parties who might be interested in these efforts to come forward and assist us in working to improve trust.

Rick Andrews, Symantec Corporation