CASC’s London Protocol for Enhancing Identity Assurance


The London protocol refers to a treaty or agreement signed in London. One such agreement was recently signed with the aim of minimizing phishing activities on identity websites and improving management assurance. The protocol was launched by the Certificate Authority Council (CASC).

A rise in phishing attacks motivated CASC certificate authorities to develop the London protocol. The objective of developing the London protocol was to strengthen the difference between identity websites and the encrypted websites that use domain validated certificates that are devoid of organization identity.

Some of the certificate authorities that participated in developing the London Protocol include Entrust Datacard, Comodo CA, Trustwave, GoDaddy, and GlobalSign.

Speaking during the launch of the protocol, GoDaddy head of security products, Tony Perez, said that the London protocol was designed to provide online customers and users with better assurance and trust. Perez said that “at its core, the London Protocol is designed to get back to the root of what EV and OV certificates were created for”. These are providing online customers and users with better assurance and trust.

Phase 1: June to August 2018 – The five CAs create the details of the Protocol and conduct a feasibility study. Some rudimentary procedures will be implemented

Phase 2: September to November 2018 – CAs apply the London Protocol Concepts to clients’ identity websites

Phase 3: December 2018 to February 2019 – Updating Protocol policies based on outcome from previous phases. Approve plan for uniform policies applicable for participating CAs

Phase 4: March 2019 – Evaluation will take place, where CAs will send a report to CA/Browser Forum for modification and enhancement

Each of the implementation phases will be assessed. The 3rd phase of implementing the protocol will be released once it is completed. It will be released to maintain the integrity and improve processes of authentic websites. The release will also improve user awareness in regard to identifying phishing attack on an authentic website.

Christian Simko, marketing vice president, EMEA, and Americas GlobalSign, opined that encrypted internet has caused a lot of confusion among users. “While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” Simko stated.

Irrespective of being usually automatic and affordable, certificate authorities do not require to verify the identity of an organization while issuing DV certificates. Phishers can obtain DV certificates issued anonymously since such certificates lack legitimate contact (s) information.

The CEO of Comodo CA, Bill Holtz, had an input regarding the anonymous issuance of DV certificates. Bill Holtz argued that the best handling of website security is through layers. The reason for his argument is that it is unlikely a single layer will be totally secure. “No single layer is 100 percent impenetrable,” Holtz stated.

Conversely, before the issuance of either an EV or an OV certificate, communication authorities are required use all the available verifiable documents to verify an organization. An example of such a document is a business license issued by the government.

Chris Bailey, Entrust Datacard vice president of VP of strategy and business development for certificate services said that their research indicated that nefarious activities on the internet are as a result of anonymity. “We believe the internet will be safer for users if the sites they are visiting are organisationally identified,” he added.

The London Protocol features the creating of a database that will be used to offer guidance to CAs to follow while issuing EV and OV certificates. Moreover, CAs will be required to gather and analyse phishing attack reports for OV and EV encrypted websites. In case a secured site is hijacked, the owner will collaborate with the CA to respond to the incident.

McCullen, compliance CEO at Trustwave clearly explained the need of having certificates that are identity-based. In his view, McCullen said that cybercriminals are devising cleverer ways of bypassing website security controls which protect their integrity. Ultimately, issuing certificates to identifiable organisations is indeed crucial in ensuring that safe online experiences are implemented.