Root Causes 218: PKI Nomenclature Oddities
Every technology space has its jargon. In this episode we go over some of the interesting, ambiguous, or amusing terms that are specific to the PKI and digital certificates industry.
- Original Broadcast Date: April 20, 2022
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
I think we have a fun one today. PKI and digital certificates is a jargony industry. All industries are jargony, and all tech industries are jargony. But we have our own special brand of jargon in our industry, and I’m a word guy. I notice words. Part of what my job has always been in my career is to communicate technology, aspects of technology and so, speaking about them, how you speak about them is important to me, and I’ve noticed what we’re calling PKI nomenclature oddities. So these are things that are unusual or funny or noteworthy or unclear in the world of PKI nomenclature, and I know of some, and I know you know of some, and we’re just going to talk about them today. What do you think?
-
Jason Soroko
I think it’s great, Tim. I think it wasn’t that long ago you and I were actually having a podcast about the term PKI itself and what it really meant. So, there’s a lot of oddities in this little corner of tech.
-
Tim Callan
Absolutely. These things do matter. Some of these things are a little silly and picky, but some of them aren’t. These things do matter, so it’s worth talking about. So, I just captured some notes this morning, and stuck them in six categories. It’s kind of like jeopardy.
So, it’s which word, can you count them, repetition, capitalization, what does it mean, and grab bag. So, which one do you - pick one. You want me to read them again? Which word, can you count them, repetition, capitalization, what does it mean, and grab bag. Pick a category, Jay.
-
Jason Soroko
Let’s start with the capitalization.
-
Tim Callan
Capitalization. Capitalization for $400.00. So, let’s cover some capitalization things. Which one of these do I want to start with? I have four in this category. Let’s just start with the top one. So, how do you capitalize X.509?
-
Jason Soroko
Usually have the small x? And then – oh no, but I have seen it with capital.
-
Tim Callan
I think I see it more with capital. I actually use the capital. I used to do the small x because I used to think that was proper. And I’ve kind of changed my mind over the years. I actually think the big X is proper, although the big X is ugly. And I think maybe the small x occurs because the big X is ugly.
-
Jason Soroko
As a style issue, small x but proper I believe is large X.
-
Tim Callan
Yes. So, that’s one I think, ok, we both agree large X. The other problem with large X of course is you have to hit the shift key, and we’ll run into that concept again later, like, things that make writing it, typing it unnecessarily difficult. Ok. So, now, this is the next one. This is a little meatier. HTTP or https? Capital or lower case?
-
Jason Soroko
To me that would be a browser choice. In other words, this is one where perhaps it’s subjective.
-
Tim Callan
I think it’s contextual.
-
Jason Soroko
Contextual. So, therefore, there is a context.
-
Tim Callan
So, HTTP is an acronym for hypertext transfer protocol. However, http is also a description of the four letters that occur at the front of a URL, and one of those is always lower case, which is the four letters that occur at the front of the URL, and the other one is always capitalized, which is the abbreviated acronym. And I think I will type it both ways depending on what I’m saying. Then there are some cases where it gets a little more general and abstract, where it could be either, and then under those cases, you kind of pick one, I guess.
-
Jason Soroko
That’s a good answer. It’s dead right. When you’re writing about the acronym, it would be capitalized, and when you see it in the browser, it is – because of the fact that it’s part of the URL, it is not. Exactly right, Tim. Perfect.
-
Tim Callan
If you were writing about that, you would do it the same. And then again, at a higher level there’s times, especially when you’re talking about https, where it could be either. You're saying, now, are we so, so in the event that this is using https, well which one do I mean there. I think either would be proper, and you could put either of them in, and it would be proper.
This isn’t exactly a PKI thing, but it’s a pet peeve, so I’m going to bring it up. IoT. It’s a thing we talk about a lot, write about a lot. I hate the fact I know why it’s that way, but I hate the fact that we have a capital and a lower case and another capital because my fingers just don’t want to do it.
-
Jason Soroko
It’s that word of which typically within an acronym or when it’s fully spelled out typically it will be - -
-
Tim Callan
It would be lower case. But not always. Like, think about, it’s not “of” it’s “on”, but think about DOA, dead on arrival. How do you capitalize that? Capital D, capital O, capital A. I know there are plenty of other examples, and it feels like we all arbitrarily settle on one or another, and unfortunately, this one I think we settled on the wrong thing. I might start my campaign to start capitalizing IoT differently just because it’s inconvenient to type.
This is the last one. This goes way back into the arcane days of early digital certificates, but we all know, I figure we all know, you and I know and probably most people who listen to this podcast know that the first company that ever issued an SSL certificate was Verisign, and Verisign was major in SSL for a long time. So, Jay, in the word Verisign, do you capitalize the S?
-
Jason Soroko
I used to. So, good enough for me, good enough for everybody.
-
Tim Callan
This is a real interesting one. So Verisign actually changed the capitalization of its name. In 2010, they went from capital S to lower case s. Today, you would do a lower case s, but back then when they were an SSL powerhouse, you would have done a capital S.
-
Jason Soroko
See, that just means I’m old.
-
Tim Callan
Me too. That’s it. So, pick another category. Again, they are which word, can you count them, repetition, what does it mean, and grab bag.
-
Jason Soroko
Can you count them.
-
Tim Callan
Can you count them. So, the idea here is, is this an enumerable or a non-enumerable noun? When I say enumerable, I mean you can associate a number with it. So, for instance, you cannot say I have five gold, but you could say I have five bars of gold because bars is an enumerable noun and gold is not. It’s the difference between an object and a substance. So, let’s start with the one I hear the most. Can I go out and purchase an SSL?
-
Jason Soroko
An SSL. An SSL certificate. So, you’re talking about that in the singular?
-
Tim Callan
People say, SSL, so I’m going to go get an SSL and stick it on that server. Is that proper English?
-
Jason Soroko
No.
-
Tim Callan
I tend to agree. I think SSL is a protocol. It stands for a certain thing; therefore, it’s a substance, and I think the object is the certificate.
-
Jason Soroko
It is, Tim. To my ears anyway. You could, you always – if you say the sentence fully it would be an SSL certificate, making it only singular.
-
Tim Callan
Correct. I do hear it, but I do hear it a lot. It is something that’s very much in common parlance, and people say it all the time, including very knowledgeable people. But I agree. It feels wrong to my ear, and that would never come off my tongue. I would always follow that with the word certificate. I bet you I know your answer to the second one, along the same lines, but can you have a PKI?
-
Jason Soroko
A PKI. A PKI is to me a singular system.
-
Tim Callan
So, could I have three PKIs? Like, is that valid? Can PKI be that noun on its own or would it have to be a PKI instance or some word along those lines?
-
Jason Soroko
It’s funny. We have dealt with multiple PKI systems, but I always have to throw on that extra word that does allow for the concept of multiple. I tend not to use PKI other than in the singular.
-
Tim Callan
You’re using it as general. You’re talking about then the architecture not as a single CA, or a single instance. Because PKI, the last word in PKI is infrastructure. It’s short for infrastructure. And can you have more than one infrastructure? Sure. I can have this infrastructure over here and that infrastructure over there. That’s perfectly fine. But I agree. It feels a little funny just to say, how many PKIs are you running? I’m running four. It feels wrong.
-
Jason Soroko
It feels wrong, but you are right in saying it is technically correct. You could use that in a sentence. I don’t think the grammar police would come. I think it is correct.
-
Tim Callan
I do. I hear people say that. Even though I don’t think I would. But that might be me. I might – that might be my own, how I learned things, and it might not be correct. That’s all I had for that, can you count them.
By the way, if you want to throw yours in on any of these, bark out something or if they’re all grab bag, we can do them in grab bag.
-
Jason Soroko
Sure. No, these are too good, Tim. Let’s keep going.
-
Tim Callan
Which word, repetition, what does it mean, or grab bag?
-
Jason Soroko
Let’s go right to the beginning. Which word.
-
Tim Callan
Which word, for $100.00, Alex. This is a big one. I’ve got a lot of these. Let’s start with the biggest one. SSL or TLS?
-
Jason Soroko
It’s TLS.
-
Tim Callan
But the market talks about SSL.
-
Jason Soroko
And the market talks about other things that mean nothing, too.
-
Tim Callan
Nice. Nice, puristic response, Jay. I actually almost always say SSL. Because my audience says SSL. The people I’m talking to say SSL.
-
Jason Soroko
So do I. I use it every day.
-
Tim Callan
I use TLS when the fact that it’s TLS matters. Like if you're talking about the current version of the protocol, I’ll say TLS. But if you're just talking about a cert that you put on a server that identifies the server and enables encrypted communication, I say SSL. Just because that’s what everyone else says.
-
Jason Soroko
Well, the thing is when you have a term that is technically deprecated but there is no other option to help to distinguish and therefore, it requires an entire sentence to distinguish which TLS you're talking about, it doesn’t make sense. The older term is going to remain, and there’s a good example.
-
Tim Callan
That’s a good example of why. I think that’s a nice explanation of at least part of the reason why that term has stuck around. It certainly has stuck around for a long, long time, hasn’t it? I think also maybe nobody was pushing for the new word back in the day, and now we have a whole generation of IT professionals who have grown up saying this from the time they were freshmen in college, and it’s just the word they know. Certificate Authority or Certification Authority?
-
Jason Soroko
That’s a good one. You know what? To me, it was always Certificate Authority. Because it’s about who is the, basically the centralized authority over the set of certificates. To me it’s Certificate Authority.
-
Tim Callan
I’ve always said Certificate Authority. When all this stuff started to come into my consciousness shortly before the World Wide Web exploded, like in the early 90s, everybody used, in this world, just said Certificate Authority, and that’s just what it was, and it wasn’t until a long time later that it occurred to me that perhaps Certification Authority could be the right term. You do hear this sometimes. Like people write Certification Authority. I see it written more than I hear it spoken. Certificate Authority also just rolls off the tongue better. That’s the other thing. It’s easier to say.
-
Jason Soroko
If we’re playing with words, it is the certificate. Certification is something else, and it’s something that a Certificate Authority would do. It’s a subset of activity rather than the thing.
-
Tim Callan
So your point is that certification is part of what I do but a functioning certificate ecosystem is more than certification. It’s also a revocation and status monitoring or status reporting and things along those lines.
-
Jason Soroko
In other words, the word certificate is really, really the thing and in fact, in our realm of the world, certification can mean a few different things, and in fact, it’s not even the correct term. We would typically either say verification and because what is it that a CA is certifying. That word is typically not used. We have other very specific words for – that surround what you might consider to be certification. Regardless of how it’s used, that would be a subset of the thing in total.
-
Tim Callan
How nerdy are we that we’re having this conversation?
-
Jason Soroko
Well, that’s what this is. We’re getting in the weeds of nerdy here.
-
Tim Callan
I’m letting my nerd flag fly on this one. Ok. So, the domain validation. Domain validated.
-
Jason Soroko
I will tell you that this might be a contextual one. Tell me if I’m totally wrong. The term is domain validation. Because you might not have validated yet, and you want to know, hey, what is my domain validation methodology. That’s how you would say that. You wouldn’t say what’s my domain validate. One really does come out as the winner because of the way that it would be used in general.
-
Tim Callan
I agree with you on all of that, but here’s what’s interesting. Nobody says organization validated. They always say organization validation. Always. And nobody says extended validated. They say extended validation. So DV, weirdly, has these two usages in the world, and they’re both common. OV and EV have only the one.
-
Jason Soroko
It has to do with the domain because that’s a really specific thing. You are validating the domain. With the other ones, you're validating something else.
-
Tim Callan
Extended validation has the further problem that you wouldn’t say extended validated because that would be ungrammatical.
Do you say expiry or expiration?
-
Jason Soroko
That’s a good one, Tim. I’ve used both completely interchangeably.
-
Tim Callan
I say expiration just because that’s the word I grew up with my entire life. I never heard this word expiry until I got into the certificates world, and it never sunk in. I always say expiration. Always, always, always.
Do you say cert or certificate?
-
Jason Soroko
It depends on how quick I want to get the word out.
-
Tim Callan
There you go. I agree. Depends on how formal I am. I never write cert. I will write cert in an e-mail to a colleague. I will never write cert in let’s say a blog post or an article or something like that. Just won’t write it.
-
Jason Soroko
No, the word is certificate.
-
Tim Callan
But I say cert all the time when I’m talking.
-
Jason Soroko
Right on.
-
Tim Callan
Because as you said, it’s just quicker. Multidomain certificates/MDC or SAN or UCC? They’re all synonyms!
-
Jason Soroko
I know. These are really good, Tim. You're pointing out why people coming into this could get so confused.
-
Tim Callan
I know. It’s horrible.
-
Jason Soroko
To me - maybe again this is showing my extreme decrepitude of age. I’m a SAN guy, and that’s just what I use.
-
Tim Callan
I will say UCC if it’s specifically UCC. I will say SAN, but that bothers me because SAN actually means something else. We shouldn’t actually say SAN, we should say MDC. So I try to say MDC. When I’m writing, again, in an article or something, I’m always saying MDC because that’s like the proper word. When I talk, like to you, I tend to say SAN.
We already touched on this, but do you say x dot 509 or do you say x509? I have used both, and if I were to speak at a conference I might use both, maybe not in the same sentence, but I might use both within a talk.
-
Tim Callan
I’m the same way. I just, one or the other comes out of my mouth, and I can’t figure out why it isn’t consistent, and it makes me wonder what’s going on in my brain, but it isn’t.
Now, this is interesting because this is a new one, and this is a topic near and dear to my heart, both of our hearts. This is where things are evolving is interesting, but what is the term that you currently favor to discuss cryptography that will be secure against quantum computers?
-
Jason Soroko
That’s a good one. It comes up so many different ways. I will say, Tim, the one that rings the most true in my head just because of the way things are going, is quantum resistant cryptography because everything else does, to me, has some problems with it.
-
Tim Callan
That’s interesting. I say quantum safe, and I get your point that nothing is truly safe but quantum resistant is a mouthful. I say quantum safe. I also hear a lot of people say postquantum or PQC, and I think those are legit. Right now, I’m kind of in favor of quantum safe.
-
Jason Soroko
Quantum safe – that word safe is a little softer than quantum secure, calling it something like that. So, there’s an implication that no, nothing will ever be 1 million percent perfect, guaranteed, signed by higher authority, but definitely, for me it’s still quantum resistant, but that is a true synonym to quantum safe.
-
Tim Callan
And quantum resistant is good. I could see that. It’ll be interesting to see if the industry settles on a term because this is going to be talked about more and more. You and I started on this topic pretty early, but I’m seeing a lot more discussion about it now. We’re going to need to settle on a word.
Getting down there. There are three more categories, Jay. We got repetition, what does it mean, and grab bag.
-
Jason Soroko
What does it mean?
-
Tim Callan
What does it mean? Ok. These are things where they – I think they either mean multiple things or they mean no things. What does CA mean?
-
Jason Soroko
CA? What does CA mean? We touched on this. Certificate Authority.
-
Tim Callan
But is that a public company like Sectigo that can sell you a public certificate that you can put on your - -
-
Jason Soroko
No. You can set up a Certificate Authority for absolutely no beans at all with some open-source software. That would constitute a Certificate Authority.
-
Tim Callan
Sure. What I would use the word for that would be Certificate Authority, but at the same time, if I was describing that other thing, what would I call it? I’d call it a Certificate Authority. Now, I tried to disambiguate that personally by saying a public Certificate Authority, but I’m like the only person in the world who does that.
-
Jason Soroko
The term Certificate Authority really and truly does mean – even though we use it very loosey-goosey, it absolutely means the mechanism with which you are issuing certificates, and in fact, within a PKI, used in the singular, you can have multiple CAs. A root CA, an issuing CA, various types of subordinate CAs, and so, the CA itself means something very specific. It typically, the one thing it does, it issues certificates.
-
Tim Callan
I agree on all of that. I think the point I’m getting at here is – and yet this other usage has become so common that it would be valid to include that in the dictionary, and it means a very different thing that is not even a subset of what you said. It’s actually a different animal that’s closely related but it’s a completely different animal. I mean a CA is a company. If I asked somebody if Sectigo is a CA, they would say yes.
-
Jason Soroko
You're right. I’ve used that term, and I’m exactly like you. I will typically say a public CA, but keep in mind as well, those vendors, it probably comes from past history. When the very first CAs for what was then SSL certificates, you typically had a CA, and that’s what you were running, and that’s what you were the vendor of, and now, of course, things have gotten far more complex than that, and that old term just kind of stuck.
-
Tim Callan
Sure did. So, next one. This one, actually we did a whole episode on this, so we don’t need to belabor it, but it’s very in the spirit of what we just discussed, which is crypto. Maybe we’ll just point to you at our old episode. Go look at our episode on crypto. Crypto used to mean cryptography, and now, suddenly it’s started to mean cryptocurrency.
-
Jason Soroko
Perfect example though for this podcast.
-
Tim Callan
I see it all the time. I’ll see some headline. It’ll be something doubles down on crypto, and I’ll go, oh, let’s find out about this, and it’s all about cryptocurrency. I see that headline all the time. What does it mean? I’m going to do the opposite. A what does it mean. It means absolutely nothing. High assurance.
High assurance. This is an SSL term. This has been around forever, and it’s still around. And it’s kind of used to mean a certificate with a high degree of information and validation, and it’s a term that predates the specific words we have, like EV and OV. And the reason is because it means nothing. It’s just this word that people started to use to say well this is a high assurance certificate, and they meant as opposed to a DV certificate. But there was no codification of what constituted high assurance. It’s so, so squeezy.
-
Jason Soroko
That’s brutal, Tim. That is a really brutal term because of the fact that a lot of IT people who might not be directly working with certificates, or SSL specifically, they use that term HA usually with a number of 9s. And that means something completely different.
-
Tim Callan
Means something completely different. The other problem, of course, is at one point I remember when we were naming Extended Validation SSL. There was this groundswell of support to refer to it as high assurance SSL, and the way I scuttled that idea is I pointed out that the acronym was hassle.
-
Jason Soroko
I hadn’t thought of that.
-
Tim Callan
And everybody said, oh, we can’t call it hassle, and so we got to name it a different word, which was going to be better, so we got a word that was more precise.
-
Jason Soroko
That’s perfect.
-
Tim Callan
Do you want repetition or grab bag?
-
Jason Soroko
Let’s do repetition.
-
Tim Callan
Repetition. Here’s one I hear a lot. PKI infrastructure.
-
Jason Soroko
You're using – you're throwing in the word infrastructure which is the last term of PKI. It’s a repetition.
-
Tim Callan
Yes. Here’s another one. We talked about MDCs and SANs, and UCCs earlier. So, I frequently hear UCC certificate, which is United Communication Certificate Certificate. And I also frequently hear MDC certificate, which is Multi Domain Certificate Certificate.
-
Jason Soroko
How do you know when you're using acronyms too much? When you're breaking down the acronym.
-
Tim Callan
That’s it for repetition. It’s a short category, but I think those were fun. Then, we’re down to grab bag.
-
Jason Soroko
We’re down to grab bag, and in fact, I’m thinking of a couple, Tim, so go right ahead.
-
Tim Callan
Why don’t I give you – I only have one in grab bag. So I’ll give you mine, and you can give me yours. Is that fair?
-
Jason Soroko
That sounds good.
-
Tim Callan
Mine is kind of complicated. So, I’m certain you're going to get this right, but I’m going to start here anyway. What is the full term that SSL stands for?
-
Jason Soroko
Secure Sockets Layer?
-
Tim Callan
That’s right. And I frequently hear all three of those words mutilated. I will hear secured, Secured Sockets Layer; I will hear socket, Secure Socket Layer; and I will hear layers, Secure Socket Layers. And any mix of those. Secured Sockets Layers. I know why. It’s weird to have the plural in the middle. Like our brains don’t want to do that. Having the plural in the middle and the singular at the end, just confuses everything, and it’s Secure Sockets because the sockets are secure. It’s not Secured Sockets, but I can see where all that happens. But I hear every possible mutilation of that one or read every possible mutilation of that one. All of them, throughout my career.
-
Jason Soroko
I think the reason I usually get that right is because I’m old enough to know what those words actually meant.
-
Tim Callan
If you think about it, it’s a good point. If you think about it, the meaning of those words is actually clear. It’s just again, if what you’ve learned is this acronym, and that itself has become the word, and you don’t think much about what they are.
What do you got for grab bag?
-
Jason Soroko
Tim, I got two and I think this might have fit into your category of words, what do they mean. But, this is really two examples of interchangeability of words where no you shouldn’t, you shouldn’t interchange the words.
The first one being – maybe this is way too obvious. Keys and certs are quite often interchanged and they shouldn’t be.
-
Tim Callan
Yes. They’re very different things.
-
Jason Soroko
But you’ve heard people say keys when they mean certs, and you’ve heard people say certs when they mean keys.
-
Tim Callan
Absolutely. Depending on the context, maybe to some degree the cert for keys substitution might be acceptable or no, sorry. The key for cert substitution might be acceptable because it’s the container and the thing contained, so I might say, hey– if I’m in the grocery store I might say, hey, can you give me one of those peanut butters? I don’t want you to open up the jar and scoop it out in your hand. What I actually want you to do is hand me the jar of peanut butter. But I leave out the jar part because what we care about is the thing inside. So, the cert is a carrier for the key.
-
Jason Soroko
Perfect. Perfect reason why our brain will do that. Exactly.
-
Tim Callan
But I agree. Keys and certs are not at all the same thing, and you do not want to get them confused.
-
Jason Soroko
Happens all the time. Even amongst people who have done this for many, many years. The brain just does it.
And the last one, Tim. The word encryption and the word cryptography. Sometimes interchanged and most of the time they really shouldn’t be.
-
Tim Callan
Encryption is enabled by cryptography. But they are not synonyms.
-
Jason Soroko
That is correct. Encryption is something very specific. Typically, you are turning some sort of message into a cipher, and how you do that is with some form of cryptography. As you just said, Tim. And so therefore, in the most simplistic sense, that’s the difference. However, the terms are both so heavily used that they just sometimes stomp on each other in a sentence, and I know when the person has done it wrong, but, does it matter? Well, it does matter if you're explaining something; it does matter if you're explaining how the system is working, what it’s doing. It really does matter, so, hey, it’s one of those things, be careful out there.
-
Tim Callan
I think you’re touching on another point with a lot of what we’re talking about here today, which is oftentimes the meaning is clear due to the context, and picking on it is just being nit-picky. But sometimes the distinction matters, and if you don’t get it right, it can lead to misleading conclusions.
-
Jason Soroko
Exactly. I would say that that’s true probably for the cert and key example even just a little bit more. But there you go, Tim. Those are the two I came up with.
-
Tim Callan
Lovely. So that was it. PKI nomenclature oddities. I am certain that there are other ones that I didn’t think of because I run into this stuff all the time, and as soon as we get off of this recording, I’m probably going to think of them, but if I think of enough, maybe we’ll return to this topic again some day.