EU wants breach notification for certificate authorities
European authorities plan to clamp down on certificate authorities, demanding that these organisations, whose signatures underpin trust on the web, speak up when they are hit by hackers.
Certificate authorities (CAs), whether privately run or government backed, issue the digital certificates that vouch for the identity of websites and the publishers of signed code. They are a key component in keeping the web running smoothly and securely.
But as last year’s DigiNotar debacle highlighted, there is little regulation of this critical area – and if a CA is hacked, the fallout can be severe.
“There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and signatures,” officials warned in a document proposing regulation of the arena.
When DigiNotar was hacked, Dutch officials delayed removing its certificates from circulation, provoking widespread criticism from web companies and security officials.
In response, the EU wants to tighten controls, proposing that CAs be required to report breaches without undue delay and, where feasible, within 24 hours.
“Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein,” the proposal said.
The proposals also call for the revocation databases used to check whether a certificate is still valid to be updated within ten minutes of a certificate being pulled for security reasons.
The importance of a properly working CA system was highlighted last week when Dutch investigators issued a scathing report on the authorities' inability to deal with the fallout from the DigiNotar hack.
“The hacking of DigiNotar in the summer of 2011 made clear that the Dutch government was not prepared for a breach of its digital security,” said the Dutch Safety Board in its report.
“The security breach meant that the data of private individuals and companies could be intercepted and possibly misused. To the surprise of many, it proved impossible to effect a rapid switch to a different supplier without seriously endangering the continuity of various essential data flows with and within the government.”