An SSL-encrypted session between a web browser and a web server provides a secure tunnel, but does not provide assurance of the identity of the end entity. While a few high-assurance providers continue to offer high-assurance validation processes, many more low-assurance providers are entering the market. These low-assurance providers offer high-speed, low-value automated validation procedures that are not appropriate for encryption and provide neither reliable privacy nor trust.
Enterprises have a responsibility to provide customers with the confidence of making safe, secure online transactions and identity assurance through high-assurance SSL certificates.
- Validation techniques followed by Certification Authorities should constantly be reviewed, refined and improved.
- Techniques should be audited by a centralized independent body.
- Adherence to those techniques should form the minimum entry criteria for any Certification Authority to have its root certificates accepted by browser providers.
The goal of ever-increasing security should drive future standards, with entity authentication an absolute minimum where encryption and trust are required. After all, what is the point of encryption if you don't know who you are encrypting your identity for?