DigiCert Open Sources Domain Control Validation Software
DigiCert has made available a Domain Control Validation (DCV) library under an open-source software license as part of a larger effort to enable certificate authorities (CAs) to reduce total costs, at a time when the number of certificates that need to be issued and maintained continues to explode.
Chuck Blevins, director of product management for public key infrastructure (PKI) services for DigiCert, said the open-source DCV library developed by DigiCert ensures that the entity receiving a digital certificate actually owns the associated web domain. While that is a crucial tool for any CA to provide, it doesn’t make a lot of economic sense for each CA to provide what amounts to an undifferentiated feature, said Blevins.
This open-source initiative is the second such DigiCert effort, following the launch of pkilint, an open-source tool for ensuring the accuracy of digital certificates.
As the number of certificates being created continues to increase, the need to process certificates at scale will clearly require more standardization, said Blevins. Significant elements of the stack of software that any CA provides are similar, so rather than spend time and money building those components, the industry as a whole would benefit if it relied more on open-source software components that multiple CAs can collaboratively build and maintain, said Blevins.
That level of collaboration would ensure that those open-source software components are reviewed and tested in a way that ultimately improves security, he added.
In theory, at least, the less CAs need to invest in capabilities they all routinely provide, the more resources should be available for improving customer experience. If Google or Apple have their way, digital certificates will need to be renewed every 45 to 90 days. The implications for certificate management are, of course, profound. Most organizations continue to rely on often cumbersome manual processes to renew certificates, resulting in service interruptions every time it’s discovered that a digital certificate is no longer valid. The Apple and Google proposals would require more organizations to invest in tools and services to automate those renewals.
At the same time, as the overall amount of software being deployed continues to expand, the number of platforms that need to be included in any effort to automate certificate management is increasing as well.
It’s not clear how much traction open-source software initiatives are gaining among CAs, but hopefully, as these efforts expand, they might serve as an example for other cybersecurity functions as well. After all, there are billions of lines of code that implement the same basic set of functions in slightly different ways. There could be a lot to be gained by streamlining those efforts.
The challenge, of course, is keeping everyone working on an open-source project committed. There is an unfortunate tendency for disputes to lead to forks that fracture communities as contributors start to pick sides. Despite that potential for conflict, however, the value created by open-source software continues to be more than the sum of its parts.