The EV certificate standard was devised by the industry group CA/Browser Forum. The CAB Forum is undergoing some turbulent change as its members, who include Microsoft, Google, PayPal, Symantec and Apple, make organizational changes, among them hashing out decisions about the intellectual-property rights each of them holds over public-key infrastructure.
"EV certificates have higher levels of assurance associated with them, that they're issued to the right people," says Polk. "We support efforts to move the state-of-the-art forward. We believe for some applications that are important, there is value in it."
NIST also wants the federal government to move forward with what is called "mutually authenticated TLS," in which the server lets the user log in with the user's own certificate. "It's not done much today," says Polk. "It's not because most users don't have crypto keys of their own." The federal government has the potential to take advantage of this higher security because of the Personal Identity Validation (PIV) cards that are issued to government employees.
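The mutual authentication Polk describes, as an added Go example that is not from the article, NIST or Venafi: the server is configured to require a client certificate and one handshake is run over loopback, so a client with no certificate, one with a certificate from an untrusted issuer, and one with the trusted credential can be compared. NewCert, pool and MutualHandshake are hypothetical helpers; the self-signed certificates they build are constructed stand-ins for a CA-issued server certificate and a PIV credential.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert makes a throwaway self-signed cert that is its own trust anchor (a constructed stand-in for a CA-issued server cert or a PIV credential).
func NewCert(name string, usage x509.ExtKeyUsage) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// pool wraps one cert as a trust store (the server's ClientCAs, or the client's RootCAs).
func pool(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p }
// MutualHandshake runs one handshake over loopback TCP and returns the server's verdict on the client certificate; empty clientCerts means the client offers none.
func MutualHandshake(server, trustedClient tls.Certificate, clientCerts []tls.Certificate) error {
	srv := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool(trustedClient),
		ClientAuth: tls.RequireAndVerifyClientCert} // the default, tls.NoClientCert, is one-way TLS
	cli := &tls.Config{RootCAs: pool(server), ServerName: server.Leaf.DNSNames[0], Certificates: clientCerts}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: accept one connection, run the handshake, report the outcome
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		defer conn.Close() // a TLS 1.3 client can finish before the server rules, so stay up until it has
	} else {
		return err
	}
	return <-verdict
}
```

The returned error is the server's decision, which is the one that matters: the client side of a TLS 1.3 handshake can complete before the server has rejected the presented certificate.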
There have been numerous compromises of CAs during the past year or so, and NIST is also looking at how federal agencies should respond to news of a data breach or other compromise affecting certificates.
NIST, in a bulletin entitled "Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance," explains how the complex world of CAs, registration authorities and relying parties works in the certificate-issuance process. The NIST document, written with some help from Venafi, addresses how things can go wrong, how fraud can occur and what to do and expect from the standpoint of an organization making use of certificates. Many of these ideas are also likely to be incorporated into the upcoming NIST standards as guidelines, Polk suggests.
In spite of security breaches at CAs, does NIST still feel that digital certificates constitute good security for websites, browsers and other purposes?