Entrust commits to SSL despite CA/Browser Forum exit

Security firm Entrust has announced that it is withdrawing from a voluntary online security standards organisation that it co-founded and co-chaired for six years.

The move follows the introduction of a mandatory Intellectual Property Rights (IPR) Agreement by the Certification Authority Browser Forum (CA/Browser Forum).

The IPR policy requires member organisations to provide other members a royalty-free (RF) licence of their patents that touch on proposed standards.

The company said in a statement: "The IPR policy also discriminates against certain corporate and ownership structures, extending licences within organisations in ways that made it impossible for Entrust to support."

Bill Conner, Entrust CEO and president, said his company understands why large certification authorities and browser developers are asking for free intellectual property (IP), and why smaller suppliers would like it for free.

"We do not believe, however, that simply giving away intellectual property makes the SSL market safer. In fact, we're of the strong opinion it does the exact opposite," he said.

According to Conner, making CA/Browser Forum members' IP available to all empowers many smaller, unproven certification authorities to issue digital certificates that could jeopardise the trust and security of the entire internet.

"Entrust can't support this position," he said.

Entrust, which is one of the main holders of patents relating to certification authorities (CAs), certificate management, secure socket layer (SSL) and public key infrastructure (PKI) industries, is among 18 other companies leaving the Forum.

According to Entrust, those leaving make up nearly 40% of the Forum's membership, and include companies such as IdenTrust, Network Solutions, RIM, RSA and T-Systems.

“At a time when the SSL industry is under intense scrutiny, with many organisations being compromised by attacks, it is unconscionable that the CA/Browser Forum mandates new IP policy to further fragment the industry,” said Conner.

However, he emphasised that leaving the Forum does not affect Entrust’s ability to serve as a trusted CA for SSL digital certificates. It also does not change the company’s participation in browser-embedding programs.

Conner said Entrust SSL digital certificates will remain trusted by more than 99.9% of all desktop web browsers in use today, including Microsoft Internet Explorer (IE), Mozilla Firefox, Google Chrome and Apple Safari, and 99.5% of mobile-based browsers.

While the CA industry continues to be a prime target for sophisticated and targeted attacks, resulting in the breach of several high-profile CAs in the past year, Entrust believes that security suppliers should collaborate and focus resources and capabilities to create a more secure SSL ecosystem.

“Entrust will maintain its leadership position in the CA industry to ensure SSL remains a trusted solution for securing information and transactions on the internet,” said David Rockvam, Entrust certificate services general manager.

"Entrust is strongly committed to building CA trust, which includes the direct involvement in all browser-embedding programs," he said.
