Changes

==Certificate Recommendations and Guidance==

==Certificate Recommendations and Guidance==

In support of the HTTPS Everywhere initiative, a recommendations [[Media:Recommendations for TLS Server Certificates.pdf|document]] was developed for the purpose of identifying the minimum requirements for TLS server certificate type and content, issuing CA conformance and website responsibilities that apply to all externally facing GC websites. This effort was led by TBS CIOB in close collaboration with members of the HTTPS working group including CRA, CSE, ESDC and SSC.

 

In support of the HTTPS Everywhere initiative, a [[Media:Recommendations for TLS Server Certificates.pdf|recommendations document]] was developed for the purpose of identifying the minimum requirements for TLS server certificate type and content, issuing CA conformance and website responsibilities that apply to all externally facing GC websites. This effort was led by TBS OCIO in close collaboration with members of the HTTPS working group including CRA, CSE, ESDC and SSC.  

<br><br>

<br><br>

While there are many technical details within the report that are not captured in this brief summary, the most important recommendations are:

While there are many technical details within the report that are not captured in this brief summary, the most important recommendations are:

* Domain Validated (DV) server certificates are recommended for use by GC public facing websites. While the use of Organization Validated (OV) and Extended Validation (EV) certificates is not precluded, DV certificates are preferred due to their lower cost, the ability to support automated certificate issuance, and the fact that DV certificates provide the same level of security between the web browser and web server as OV and EV certificates.

* The '''use of the free service provided by Let’s Encrypt is recommended''' for obtaining DV certificates combined with the use of [https://letsencrypt.org/docs/client-options/ compatible certificate management agents] (e.g.: https://digital.canada.ca/). If used, OV and '''EV certificates should be obtained from SSC''' (contact [mailto:ssc.ssltls.spc@canada.ca ssc.ssltls.spc@canada.ca]) in order to take advantage of the reduced pricing from an approved CA vendor.

* '''Domain Validated (DV)''' server certificates are recommended for use by GC public facing. While the use of Organization Validated (OV) and Extended Validation (EV) certificates is not prevented, DV certificates are preferred due to their lower cost, and ability to support automated certificate issuance, for the same level of security between the web browser and web server as OV/EV certificates.  

* The use of the free service provided by '''Let’s Encrypt is recommended for obtaining DV certificates''' combined with the use of [https://letsencrypt.org/docs/client-options/ compatible ACME certificate management agents] (https://letsencrypt.org/docs/client-options/).

** '''Note:''' This CA should be chosen by an organization who has the ability to manage their certificates, and does not need 3rd party support in the case of an outage. Let’s Encrypt is very much <u>serve yourself</u>.

* Organization Validated ('''OV) certificates are not recommended''' for use, as they provide no brand or security benefits above DV certificates.

* If used, '''EV certificates should be obtained from SSC''' (contact [mailto:ssc.ssltls.spc@canada.ca ssc.ssltls.spc@canada.ca]) in order to take advantage of the reduced pricing from an approved CA vendor (Entrust).

[[File:Le-logo-twitter.png|250px|link=https://letsencrypt.org/]] [[file:entrust_site_seal_ssl.png|200px|link=mailto:ssc.ssltls.spc@canada.ca]]

[[File:Le-logo-twitter.png|250px|link=https://letsencrypt.org/]] [[file:entrust_site_seal_ssl.png|200px|link=mailto:ssc.ssltls.spc@canada.ca]]