In a post to the CA/Browser Forum Public Discussion List, Google has set out plans to enforce stricter standards for the SSL/TLS certificates that Chrome, and products built on it, will accept.
The two major themes of the changes are:
The Baseline Requirements were issued by the CA/Browser Forum to set minimum standards for how certificates are issued and managed in the public Web PKI. Certificate Authorities have paid lip service to them but, as Netcraft recently showed, many certificates on the Internet, including many issued by prominent CAs, still have serious flaws that cause them to fail the Baseline Requirements, including:
As an example, a recently-issued certificate for Avon in France, issued by Equifax, specifies no OCSP responder. Netcraft also identified non-compliant certificates issued by Symantec, Verizon Business, SwissSign and GoDaddy. Compliance with the Baseline Requirements can be tested as an automated check before a certificate is issued, so there is little excuse for these lapses.
As a percentage of all certificates very few are non-compliant, but the number still runs into the thousands. Netcraft's surveys show that nearly all of these non-compliant certificates were issued by GoDaddy and Comodo.
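The automated pre-issuance check called for above can start with something as simple as walking the certificate's DER for the extension the Avon certificate lacks. The following is an added example, not Netcraft's code and not anything Google or the CA/Browser Forum publishes: a standard-library Python walker that collects the Authority Information Access (AIA) entries and reports a certificate that carries no OCSP responder URL. The two inputs are constructed AIA extensions rather than real certificates; `ocsp.ca.example.test` and `ca.example.test` are placeholder hostnames, and the scheme check reflects the Baseline Requirements' wording that the OCSP location is an HTTP URL.

```python
"""Structural check for one Baseline Requirements item: an OCSP responder URL in the
AIA extension. Standard library only: it inspects structure, not signatures or chains."""

OID_AIA = "1.3.6.1.5.5.7.1.1"
OID_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers

# DER encoding helpers, used only to construct the sample input at the bottom.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def access_description(method_oid, url):
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName },
    # where a URI is GeneralName [6] IMPLICIT IA5String, i.e. context tag 0x86.
    return tlv(0x30, tlv(0x06, encode_oid(method_oid)) + tlv(0x86, url.encode("ascii")))

def aia_extension(descriptions):
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING (wrapping the AIA SEQUENCE) }
    return tlv(0x30, tlv(0x06, encode_oid(OID_AIA)) + tlv(0x04, tlv(0x30, b"".join(descriptions))))

# DER decoding.
def parse_tlv(data, pos):
    """Return (tag, content, next_pos) for the element starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated element")
    return tag, data[pos:end], end

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def walk(data):
    """Yield every (tag, content) in the tree, descending into constructed types and into
    OCTET STRINGs that parse as DER (which is how extension values are wrapped)."""
    pos = 0
    while pos < len(data):
        tag, content, pos = parse_tlv(data, pos)
        yield tag, content
        if tag & 0x20 or tag == 0x04:
            try:
                yield from walk(content)
            except (ValueError, IndexError):
                pass  # opaque OCTET STRING (key identifier etc.), not nested DER

def access_descriptions(der):
    """Return [(accessMethod OID, URL)] for every AccessDescription found in der."""
    found = []
    for tag, content in walk(der):
        if tag != 0x30:
            continue
        try:
            t1, oid, nxt = parse_tlv(content, 0)
            t2, loc, end = parse_tlv(content, nxt)
        except (ValueError, IndexError):
            continue
        if (t1 == 0x06 and t2 == 0x86 and end == len(content)
                and (method := decode_oid(oid)) in (OID_OCSP, OID_CA_ISSUERS)):
            found.append((method, loc.decode("ascii", "replace")))
    return found

def baseline_findings(der):
    """List the failures this check can see; an empty list means it passed."""
    ocsp_urls = [u for m, u in access_descriptions(der) if m == OID_OCSP]
    findings = []
    if not ocsp_urls:
        findings.append("no OCSP responder URL in Authority Information Access")
    for url in ocsp_urls:
        if not url.lower().startswith("http://"):   # BR: OCSP location is an HTTP URL
            findings.append("OCSP URL is not an HTTP URL: " + url)
    return findings

# Constructed sample inputs (not real certificates): an extensions SEQUENCE holding only AIA.
GOOD_EXTENSIONS = tlv(0x30, aia_extension([
    access_description(OID_OCSP, "http://ocsp.ca.example.test"),
    access_description(OID_CA_ISSUERS, "http://ca.example.test/issuer.crt"),
]))
NO_OCSP_EXTENSIONS = tlv(0x30, aia_extension([     # the Avon/Equifax shape: AIA present, OCSP missing
    access_description(OID_CA_ISSUERS, "http://ca.example.test/issuer.crt"),
]))
```

To run it against a real certificate, pass the bytes of `openssl x509 -in cert.pem -outform DER` to `baseline_findings`; the walker descends into extension OCTET STRING values, so it finds the AIA entries wherever they sit in the TBSCertificate. The check is deliberately narrow: it says nothing about key sizes, validity periods or the other Baseline Requirements items, and a production pre-issuance check would build on an X.509 library rather than a hand-rolled DER walker.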
Google will also begin to require, from a date yet to be determined, that all Extended Validation (EV) certificates comply with its Certificate Transparency (CT) policy. Eventually, the requirement will be extended to all certificates.
CT adds 3 components to the PKI:
Together these should allow mis-issued certificates to be detected sooner and blocked more effectively.