Work item: TR.PKIC-man-ib
Subject/title: Technical Report: Technical guidelines for Web PKI certificate validation and fine-grained configuration for Internet browser
Status: Under study
Approval process: Agreement
Type of work item: Recommendation
Version: New
Equivalent number: -
Timing: 2027-04 (Medium priority)
Liaison: -
Supporting members: -
Summary:
With the promotion of the network security law, the personal information protection law, the data security law and other laws and regulations, the construction and application of Internet authentication services and PKI systems in various countries have entered a new stage of development. Currently, over 80% of website servers use SSL/TLS certificates to provide basic encrypted communication. Meanwhile, with the rapid development of technology, terminal devices such as mobile phones, tablets and laptops are becoming increasingly capable, allowing users to access the Internet anytime and anywhere; at the same time, they face serious communication security issues. For Web PKI relying parties such as browsers, certification path construction and certificate verification are the necessary security checks for identifying the true identity of network entities and encrypting communication. However, the current standard content is outdated and inconsistent with practice, and it does not standardize the complete process. Most mainstream browsers follow RFC 5280, released in 2008, but with the introduction of newer features such as Certificate Transparency (CT) and OCSP, it has not been fully implemented, and the proprietary implementations of browser vendors have made the certificate verification process complex and disorderly. In combination with the latest digital certificate function definitions, this standard proposes a unified reference procedure for the path validation of SSL/TLS digital certificates during browser encrypted communication. It is intended to guide the reference implementation of Internet browser vendors' products and to promote standardized security operation of the Web PKI and Internet browser industry.
In addition, with the promotion of network security laws and regulations, and with the application and popularization of the SSL/TLS protocols as the foundation of encrypted communication, the vast majority of website servers in China have now deployed SSL/TLS certificates. However, these certificates generally depend on foreign CA roots and pose serious security risks, such as unilateral forced suspension and revocation. To address this problem, this standard specifies a simple browser-based technical requirement for local certificate resource management as an SSL/TLS certificate security guarantee mechanism for the browser industry, combined with the latest digital certificate specification definitions, to guide Internet browser vendors toward a unified reference implementation of product functions in a smooth and progressive manner. At the same time, while minimizing large-scale transformation of existing infrastructure, this standard is compatible with the certificate resource management technology of the existing certificate authentication system; through new browser functions and standardized browser behaviour, it can solve the certificate guarantee problem of the domain name system in China's network infrastructure and resolve the risk of unilateral suspension and revocation of the ownership of certificate resources. This security issue is a common problem among countries and is universal in nature. This draft can serve as an international standard for reference by all countries.
Comment: -
Reference(s):
Historic references:
Contact(s):
ITU-T A.5 justification(s):
First registration in the WP: 2025-04-17 12:19:06
Last update: 2025-04-23 18:40:35