Taking a look at the history and evolution of SSL/TLS certificates, we can clearly see how much of this landscape has changed over the years to provide a better trust and security ecosystem today. As someone who has been involved in the cybersecurity industry for many years, I see two main reasons why website owners use SSL/TLS certificates.
Encryption & Identity are Separate Concepts
The first reason is encryption. The website owner wants to make sure that all information exchanged with the site remains private. The HTTPS connection ensures that the communication between browser and server is encrypted, so that nobody eavesdropping on the connection can read it.
The second reason is identity. The SSL certificate can show the user which organisation they are sending that encrypted information to.
When examining the history and evolution of SSL/TLS-based encryption, we can see that we went from 1024-bit keys and weaker algorithms such as MD5 to stronger algorithms (SHA-256, ECC) and larger keys (2048- and 4096-bit). This is unarguably good progress.
When examining the history and evolution of SSL/TLS-based identity in certificates, we see less evolution, with one major milestone: the introduction of Extended Validation. Extended Validation, or EV, certificates incorporate additional checks to verify the authenticity of a certificate applicant before the certificate is issued. For example, the applicant organisation must be contacted at a verified phone number (i.e., a phone number listed in a verifiable third party's phone directory), and both the applicant and their direct supervisor or HR must confirm that the EV SSL certificate request is genuine and authorised. The verified organisation data is then included within the certificate. Yet once issued, the identity data remains fixed in the Subject field of the certificate for as long as the certificate is valid.
CN: Common name
O: Organisation
OU: Organisation unit
L: Locality
S: State
C: Country
Revocation status – moving from a static source to a live source
A positive change for SSL/TLS has been the move from CRL to OCSP. Instead of consulting a static list (CRL) of revocation status, browsers now typically refer to a live data source (OCSP). This raises the question of why we don't do the same when it comes to identity. Aren't there any strong identity sources available? Let's have a look at the candidates.
LEI stands for Legal Entity Identifier and is a globally verifiable unique code that confirms a company's identity and group structure. Issued LEIs are entered into an open database to provide a verifiable source of Level 1 'who is who' business data and Level 2 'who owns who' parental structures. LEIs must be renewed at least annually and could therefore be an improved alternative to the static information found today in multi-year certificates.
Local QGIS (Qualified Government Information Sources, i.e. local jurisdiction business registrars or "company houses") give only the first level of identity information ('who is who') but lack the 'who owns who' data that an LEI provides.
LEI, on the other hand, is a global identity source available in an internationally agreed structured format, backed by the G20 and supporting ISO standards such as ISO 20275 and ISO 17442.
Today, LEIs are often used to meet a growing body of regulation (e.g. MiFID II, MiFIR) and are essential for any company conducting financial transactions worldwide. They give previously unavailable corporate identity transparency and are used by over a million companies around the world.
The DUNS Number is a unique nine-digit identifier for businesses. Dun & Bradstreet, the company behind DUNS numbers, calls it the social security number of businesses. DUNS stands for Data Universal Numbering System and is used today by more than 300 million businesses worldwide. Similar to an LEI, this number refers back to a database with more identity information about the company behind it, including the company's credit profile as listed in D&B's database. DUNS numbers can be used as an identity source to predict the reliability and/or financial stability of the company in question.
A common use case for DUNS numbers is applying for business credit with a lender: you supply the lender with your company's DUNS number, and the lender can then obtain and review your company's business credit report and rating.
Each DUNS number conveys certain information about the business it represents: it signifies that a company exists and is operational, and when a business ceases to operate, its entry is closed to reflect that. A DUNS record also includes extra information beyond the credit rating, such as physical location, contact information, ownership, business structure, industry, employee count, aliases and historical financial data, making it a good identity source to include in certificates.
LEI + DUNS – a powerful combination for identity assurance
Both DUNS and LEI are valuable additional identity sources for the identity needs of TLS/SSL certificates. Browsers would be ideally placed to display identity information from LEIs and DUNS numbers, extracting the identifiers from the underlying X.509 SSL/TLS certificate and giving immediate identity information to any consumer. The consumer can see live identity data, so they can immediately identify who is behind the website and answer the essential questions: who am I really buying from, who am I really giving my information to, who owns whom in this group, does this company still operate, and does it have a credible financial status?
The end goal is clear: we want to improve the ecosystem so that consumers can immediately identify who they are doing business with, and avoid sending sensitive information like credit card details to a fraudulent website. Adding extra identity in certificates seems to me a step in the right direction.
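As an added example (my own code, not from the article or from GLEIF or D&B), here is how a relying party could treat an identifier carried in a certificate as a pointer to a live source rather than as static data, mirroring the CRL-to-OCSP move described in the revocation section above. It validates the ISO 17442 check digits of an LEI found in the subject, then compares the certificate's organisation name with the registry record and reports the record's status and whether it is more than a year old. The subject string, the "LEI=" subject attribute name, the sample LEI value and the registry dictionary are all constructed assumptions for the example; a real deployment would query the GLEIF database and use whatever attribute the CA's certificate profile defines.

```python
# Added example: validate an LEI found in a certificate subject and check it
# against a live registry record instead of trusting the static Subject alone.
# The registry, the subject string and the "LEI=" attribute are constructed.
import re
from datetime import date, timedelta

LEI_PATTERN = re.compile(r"[0-9A-Z]{18}[0-9]{2}")


def lei_mod97(value: str) -> int:
    """ISO 7064 MOD 97-10 remainder over an alphanumeric string (A=10 ... Z=35)."""
    digits = "".join(str(int(ch, 36)) for ch in value)
    return int(digits) % 97


def lei_check_digits(body: str) -> str:
    """Check digits for an 18-character LEI body, computed as ISO 17442 defines."""
    if not re.fullmatch(r"[0-9A-Z]{18}", body):
        raise ValueError("LEI body must be 18 uppercase alphanumerics")
    return f"{98 - lei_mod97(body + '00'):02d}"


def is_valid_lei(lei: str) -> bool:
    """Structural check only: 20 characters whose MOD 97-10 remainder is 1."""
    return bool(LEI_PATTERN.fullmatch(lei)) and lei_mod97(lei) == 1


def parse_subject(dn: str) -> dict:
    """Split 'CN=a, O=b, ...' into a dict. Assumes no escaped commas, which is
    enough for the constructed subject used in this example."""
    fields = {}
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        fields[key.strip()] = val.strip()
    return fields


# Constructed registry records keyed by LEI (stand-in for a live lookup).
REGISTRY = {
    "529900EXAMPLE1234592": {
        "legal_name": "Example Ltd",
        "status": "ISSUED",           # as opposed to LAPSED or RETIRED
        "last_update": "2023-03-01",  # LEIs must be renewed at least annually
    },
}


def assess_identity(subject_dn: str, registry: dict, today_iso: str) -> dict:
    """Compare what the certificate asserts with what the registry says now."""
    subject = parse_subject(subject_dn)
    lei = subject.get("LEI", "")  # hypothetical attribute name for the example
    result = {"lei": lei, "checksum_ok": is_valid_lei(lei), "registered": False,
              "status": None, "stale": None, "name_matches": False}
    if not result["checksum_ok"]:
        return result  # malformed or mistyped identifier: do not look it up
    record = registry.get(lei)
    if record is None:
        return result  # well-formed but unknown to the registry
    today = date.fromisoformat(today_iso)
    last_update = date.fromisoformat(record["last_update"])
    result["registered"] = True
    result["status"] = record["status"]
    result["stale"] = today - last_update > timedelta(days=365)
    result["name_matches"] = (
        subject.get("O", "").casefold() == record["legal_name"].casefold()
    )
    return result


if __name__ == "__main__":
    dn = "CN=www.example.com, O=Example Ltd, L=London, C=GB, LEI=529900EXAMPLE1234592"
    print(assess_identity(dn, REGISTRY, "2024-01-15"))
```

The checksum step rejects mistyped or tampered identifiers before any network lookup is made; the registry step is where the "live" value of the scheme lies, since a certificate issued years ago still points at a record that reflects today's status, name and renewal date.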