
I recently uploaded images of my passport and driver's license to a Certificate Authority (CA) to apply for SSL certificates. The submission was rejected because I had added watermarks to prevent data theft. I explained to the Cert Master that the watermarks do not block any important details on my passport and driver's license and that they are meant to prevent misuse in case the data is stolen.

The reply I was given is that this is a standard audit requirement of all CAs. If this is so, how do we prevent others from posing as us using those documents if they somehow manage to obtain them?

WhiteWinterWolf
Question Overflow

1 Answer


The Online Trust Alliance (OTA), an industry organization with widespread CA membership, maintains a set of operational security best practices which all CAs should abide by. However, those documents do not recommend specific data retention policies, nor do they attempt to define PII (personally identifiable information).

The implementation of OTA Best Practices will vary from CA to CA, so the best course of action I can see is to begin by selecting a provider based on their published policies and meta-information, e.g. news stories related to CA security breaches. Once potential candidates are selected, ask them specifically about your concerns and how their policies address them.

There is no compelling reason for a CA to indefinitely retain such easily-exploited PII as a scanned passport, because this information is only used in due diligence before the issuance of a certificate.

dartonw
  • Sorry that I took a long time to respond. I guess the best protection is not to send them any such data. There are CAs that are less stringent than others; mine happens to be a PITA. – Question Overflow Jul 10 '14 at 09:14