New security standard pushes for better support for digital certificates

Not mentioned in the article, the proposed standards are pushing for more mutually authenticated SSL/TLS implementations which most government agencies can start to really deploy due to the PIV roll-outs happening over the past couple years. So a plus there...


A lot of the smaller proposed upgrades also get a plus from me.

Extended validation(ev) certificates in case anyone is unclear are more on the authentication end and offer no more security (cryptography wise) as standard x.509's. In a nut shell for EVs entities will basically have to provide more cash and paperwork to CA companies. The push doesn't address the fundamental concerns currently with the CA chain. They can still be issued fraudulently due to CA compromise or rogue state CA's. From a government perspective EVs are a good hardening of the system. For everyday people, it doesnt help much.


I will hold final judgement until the actual document is released.

 

Agreed. EV certificates are not much better than regular certs. As you said, all it means is that companies pay more money to Verisign or Comodo or Entrust to get one of these "EV" certs. I doubt the company does any extra checking.

The problem with encryption is not the math but the trust issue. The CA system means you have to trust a third party and that is always subject to attack. The only way to be sure is to personally verify the cert fingerprint of the website in question (by meeting in person, etc.) This is obviously impractical which is why we have the CA system.

The CA system needs to be scrapped all together for something better. I like the ideas of Convergence. Have a bunch of servers around the world verify the cert (check to see if the cert is the same from all points). If it matches you can be pretty sure it is the real cert.