Root Causes 117: Why Default Deny Matters to the CA/Browser Forum
This year the CA/Browser Forum has put considerable discussion into the concept of "default deny." It's a philosophy for how to interpret potential ambiguities in existing guidelines for public certificates, and how you land on the default-deny question can have a significant impact on how you interpret the rules. Join our hosts as they describe this debate and its potential impact on public certificates.
- Original Broadcast Date: September 4, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Today, we are going to talk about a topic - - well, let's start with the phrase default deny.
-
Jason Soroko
Yes.
-
Tim Callan
Default deny. So, this is a phrase where you might even have to just parse, what do you mean, when you say default deny? This is a very important phrase right now, and a big conversation in the context of the CA/Browser Forum. So, the CA/Browser Forum, of course, as we've covered in the past, is the voluntary industry standards body that makes the baseline requirements and EV guidelines, which then all of the major root store programs make part of their root store requirements in order to dictate how CAs do the job of CAing, if you will.
-
Jason Soroko
If you browse the internet, chances are the CA/Browser Forum has made a lot of the esoteric rules that you might not know are actually there behind the scenes.
-
Tim Callan
Absolutely. If you are connecting to anything digitally, the way that happens is being dictated by the CA/Browser Forum. And so, the CA/Browser Forum has these documents. Again, there's the two main ones. The first one that was created is called the EV guidelines and these were published in I'm going to say 2007 when EV started. I think that's right. And then the second one is the baseline requirements and the baseline requirements were published in 2012, I believe. It's a little bit of a shame that I don't know those numbers, but those are the gist of it. And each of these guidelines was created - basically before them, there was nothing. And EV guidelines are what you need to do to issue a public EV SSL or code signing certificate and then, of course, the baseline requirements are more broadly, what do you need to do to issue any kind of public certificates, initially for TLS, but then now, subsequently, code signing, and soon to be S/MIME as well. So, the baseline requirements are sort of the general things that you have to do. And again, remember, these documents were created from whole cloth, from nothing, a long time ago, just with a relatively small number of pretty smart, experienced people sitting down and starting at the beginning and doing a lot of typing and getting to the end and that's how the first versions of these documents were done. And in the intervening 8 to 15 years, depending on which one we're talking about, they have been modified a lot of times. They've been expanded. They've been changed. Allowable practices have been disallowed as they proved to be weak or as attacks, you know, turned out to work against them. New practices have been put in as new innovation came about.
Areas that were unspecified have been filled in and these documents have continued to change and change and, as a result, they were written by a large number of people, some of whom aren't involved anymore, some of whom would dip in and change wording on things that they didn't originally write. Quality levels vary and one of the situations that has come up is ambiguity in interpreting certain rules.
-
Jason Soroko
Yeah. Anytime you have levels of complexity, Tim, especially over a period of time, you know, it's perhaps one of the reasons we have a Supreme Court and a multi-100-year-old Constitution, right?
-
Tim Callan
Yeah. Absolutely. I mean, that's a great example, right? Where the Supreme Court needs to look at the Constitution and the law and say, this is what - - this is how we interpret what this has meant and that's a great point you bring up because one of the challenges that the CA/Browser Forum has is it doesn't have a Supreme Court, right? Like there isn't a single somebody sitting at the top, who's an arbiter, who's a judge, who says, okay, this is what we're going to do and instead, it's just got to get worked out. And so, one of the proposals that has come up and has been socialized, starting really maybe late in 2019, early in 2020, was this concept of default deny and what default deny means in essence is sometimes there are lists of things. It could be lists of qualifiers, lists of methods, and there might be seven different methods. And so, a part of the baseline might require saying, the browser shall, and then there'll be these lists of seven things and the way it's written, sometimes it's not clear if they're saying that the browser, or the CA, let's say, shall do at least one of these, or shall do all of these. And so, this has led to problems in the past where one person read the rules one way and a different person read the rules a different way and therefore, there were different expectations about what the CA had to do. And this could go as far as the auditor. So, I might have a certain interpretation of the rules, my auditor might come in with a different interpretation and fail me on my audit, or Auditor A might fail me, but Auditor B might pass me because they themselves have different interpretations.
And so, this has led, you know, one of the trends we've seen over the years in the CA/Browser Forum is this desire to tighten and disambiguate these guidelines that originally were created, you know, in a real hurry by, you know, just a few people working really hard at them. And over times, we're trying to standardize them, codify them, remove the ambiguities, tighten them up, fill in the blanks. And so, these lists as an example.
And so, the proposal that was advanced, I believe, by one of the browser manufacturers, was this concept of default deny, and basically what default deny means is that you take the strictest possible definition. So, if there's a list of five things, and it's unclear whether it's one of those five things, or all those five things - it's all of those five things, right? And if that's not what you mean, then you rewrite the guidelines to make it clear that it's one of the five things, or if there's a list of, you know, potential data sources that are allowed, well, maybe that's a bad example. But you know, that's basically the basic idea, right, is to say, it'll always be the strictest possible interpretation of these random lists. And, in principle, you might say, oh, okay, that sounds like a good way to do it. But then you run into instances where when you read that particular instance, clearly, it's a dumb way to do it, because you're going to belt and suspenders yourself to death. Right? You know, it would be like saying, you know, you must - - in order to get downstairs, you may (1) use the elevator; (2) take the stairs; (3) use the escalator and a default deny interpretation has you running up and down three times to make sure you did all three? Right? And that would just be dumb, right?
So, there are places where it clearly doesn't work but then there are these other places where something's got to be done. And so, right now, in the CA/Browser Forum, there's a lot of head scratching and a little bit of consternation about how to do this. Are we going to settle on default deny as a standard? Are we not? And I think in general, there is a recognition that going through and systematically cleaning up every single one of these instances in the baseline requirements would solve this, but that's a heavy lift and there are also other important things that need to be done, and so, it's been hard to make that reality.
-
Jason Soroko
So, Tim, what is the end result to the end user? Are we talking about rules that affect what, you know, a website that you can get to depending on - -
-
Tim Callan
Yeah.
-
Jason Soroko
- - problems with a certificate or is it also decision making as to whether or not a certificate has been mis-issued and, therefore, needs to be revoked? Is it all those things?
-
Tim Callan
Potentially all these things. Now, if there's a change to the baseline requirements, then a certificate that was issued before that change, obviously, you're not going to turn around and say that somebody is non-compliant, right? If I make a new rule that every certificate has to, you know, every OU field has to start with the letter A and you had certificates before that, I'm not going to turn around and ding you for that because, you know, you can't read the future and none of us has time travel. But, um, what it does do is it does affect the way that CAs do their job and the way that CAs do their job ultimately affects you as a consumer of certificates. So, if you're a subscriber, and you subscribe to certificates, you know, your certificate offerings may change, your authentication process may change, other things could change based on these changes to the baseline requirements. And so, you know, there's always this push/pull in the CA/Browser Forum, which is, on the one hand, we want to maintain a very high level of security and authenticity. We want to have a great degree of confidence that our certificates are not going to be broken, or mis-issued. Right? On the other hand, you could make a set of rules that were so impossibly draconian, that a certificate would cost $10,000 and it would take a year to get. And so, what you need to do is you need to find a place in the middle. And a lot of this is about the tension of where exactly that line in the middle that we settle on should be.
-
Jason Soroko
Tim, there are so many analogies in the physical world. I'm thinking of not that long ago, I was driving my vehicle down the highway and all of a sudden, all kinds of lights went off and it actually is the first time in my life my car actually went into limp home mode.
-
Tim Callan
Oh, geez.
-
Jason Soroko
Yeah. And my RPMs went down to like a bare minimum. I couldn't get above a maximum speed. And guess what? The very next day, when I started the car, there was nothing, no problems. And I've since diagnosed it as being, you know, a mass airflow, there was a little bit of dust on it.
-
Tim Callan
Okay.
-
Jason Soroko
And it just went away on its own. So, the analogy I'm trying to bring here is what's the risk for false positives in terms of problems? In other words, do you think, and I'm not saying this is true or not true, it's just a question, asking from your level of experience with public trust, do you think that a fail-safe rule, which is essentially what this default deny is, and it's the same kind of rule that's put into a lot of physical systems, because, you know, you obviously want the safest mode possible in a lot of physical systems, and you want to be able to browse the internet in the safest mode possible. This is essentially what we're talking about. So, are there situations like this, where, you know, that situation with my car was essentially a false positive of a problem?
-
Tim Callan
Right. Yeah, I mean, to stick with your car analogy, we do want the safest mode possible, but actually, we don't. Right? Like, I can tell you, the easiest way to modify your car, to minimize the risk of vehicular accident, is take off the wheels.
-
Jason Soroko
Don't go anywhere.
-
Tim Callan
Right? Take off the wheels, and I guarantee you, you won't hit anything. You also won't go anywhere. And so, in the real world, we do have to make these balances. We actually do. And so, this is a lot of what it comes down to and, you know, that's such a hard question to answer. I'll tell you this: it's all getting much stricter. So, once upon a time, there was nothing. Go back to 2006 and every CA made their own rules, and they kept them a secret. And, you know, if you were running a root program, it was very difficult to figure out who to trust and who not to trust and that's why these things happened. That's why the CA/Browser Forum was created. That's why we have baseline requirements. That's why we have CT logs. All of these things are supposed to give transparency, consistency, control and guidance to the ecosystem. And I think in that sense, they're very, very healthy, right?
-
Jason Soroko
I agree.
-
Tim Callan
And at a macro level, 100% behind the whole thing. I think when you get down into the brass tacks of individual decisions, then you look at those individual decisions and some of them, I've agreed with them. Some of them I've not. I was in favor of the move to one-year certs. Right? That didn't pass the CA/Browser Forum. It was implemented by root programs anyway, and I think it was a good call.
Default deny just being blanket painted on everything today, I think is a mistake because there are individual places where you can clearly look and see this is stupid. Now I have to go downstairs three times in a row, right? And you could turn around and fix those things but fixing those things is going to take time. It's going to be hard and there are higher priority items that we're working on. And so, you know, as with so many things in the security world, or the computing world or just the world, it's in the details. Like it's a good initiative at a high level to make these things clear and consistent, but it needs to be executed on correctly.
-
Jason Soroko
Tim, in my mind, and I haven't studied this as closely as you have, but just from top of mind it does seem like an implications analysis needs to be done. Call it what you will, but, you know, I'm sure for some rules, it would make a lot of sense just default to the safest mode possible.
-
Tim Callan
Yeah.
-
Jason Soroko
But for some things, I can't imagine what it might potentially break. And I don't think it's been fully thought through, which then leads us back to the original question, well, maybe you then need to go through the full BR to clean it up because, you know, that's just perhaps the way it needs to be.
-
Tim Callan
Right. And then there's another important point, which is you say, well, okay, what's the consequence of slowing down a little and doing it right? And I think the consequence is very little. It's almost nothing. We're talking about some fairly esoteric interpretations of rules for how to behave, hypothetical attacks that there's no reason to believe have actually occurred, or hypothetical vulnerabilities where nobody's really even detailed what an attack would be, but it seems like maybe there's something, and for all of that to just go full-blown lockdown is an excessive and unnecessary and ultimately, detrimental response and it just doesn't need to happen, right? If this were a scenario where real bad things were going to happen, or were happening, and we got to take action, that would be a different story, but there's nothing to indicate, no evidence to indicate that that is the scenario.
-
Jason Soroko
Oh, that's interesting, Tim. This is something then to watch. I'm very interested also in people's motivations. I mean, everybody wants a safer internet. Who doesn't?
-
Tim Callan
Yeah.
-
Jason Soroko
But, as you said - -
-
Tim Callan
Well, bad guys don’t but those are the opponents. Right? That's okay. Those are the people we're trying to undermine. But go ahead, Jay.
-
Jason Soroko
No, no, you said it best - the only way to stay safe is not to browse, just, you know, become a Luddite and get rid of your electricity and perhaps life will be better, but it probably won't. When we're talking about this, though, I think from completely top of mind, and I could be wrong, this invites more study than to just make a blanket rule. I just, that's my perhaps wrong gut feel on this.
-
Tim Callan
Yeah. And that's where I come to, right. And so, you know, this has been a very debated, and I'd say, a very emotional topic and I'm sure if we had one of the proponents of the other worldview on the podcast with us, they would be very heated, or at least very engaged in their response, but at the end of the day, just trying to be dispassionate, pragmatic and realistic about it, it's just overkill. And it is a problem that needs to be solved, but it's a problem that should be solved properly and properly is we go through, we chip away at it, we do the work, and we clear up the ambiguities, you know, and that's work that's been going on for a long time and that's work that's gonna keep going on.
-
Jason Soroko
Yes. As it should. As it should. And, you know, I think that the invitation for debate is there. I'm glad that there's a healthy forum for it. I'm glad that there has been debate. This is all good. It's probably - - I think, perhaps in the end, we may get to where we want to be anyway just because of the fact that these problems have been brought up.
-
Tim Callan
Right. And we will. I think that's absolutely everybody's plan. I think it's just a question of how we go about it. So, there we go. A little peek into the fun that is the inner workings of the CA/Browser Forum and, you know, that's one of the things - one of the many things that the members of CA/Browser Forum have to think about.
-
Jason Soroko
You probably won't hear about this too many other places than here on this podcast, Tim.
-
Tim Callan
Probably not.
-
Jason Soroko
And your knowledge of the public trust world is something I know I listen to carefully and so should everybody who actually browses the internet and as you say, connects digitally.
-
Tim Callan
Aw, gee. Blush, blush. Well, thank you, Jay. As always, it is fun to talk about these things.
-
Jason Soroko
It certainly is, Tim.
-
Tim Callan
Thank you, Listeners. Thanks for joining us. This has been Root Causes.