Podcast Sep 20, 2022

Root Causes 243: Which Came First, the BRs or the EVGs?

Many people don't realize that the CA/Browser Forum's Baseline Requirements actually came LATER THAN the Extended Validation Guidelines. In this episode we explain how this seemingly backward turn of events came about and what it says about how online trust has evolved over the past few decades.

  • Original Broadcast Date: September 20, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, Tim picked this topic and you don’t even know what it is. This will be fun. So there is a nuance - - it’s a nuance but arguably it matters that lots and lots and lots of people I have learned over the years get wrong with regards to the CA/Browser Forum and the guidelines it provides to CAs; that CAs must follow. And this is a nuance that has to do with the Baseline Requirements - the BRs - and the EV Guidelines – the EVGs. And here’s what it is.

    So, let’s start with the basics and then somewhere along the line I’ll ask you a question and you may know the answer.

    So, the Baseline Requirements are exactly what they say. They are baseline requirements. Every public certificate that’s covered, that’s in scope - which today is TLS, but there are other certificate types coming - must follow these requirements. It’s baseline. If it’s a public certificate, it must follow these guidelines. Then there is a separate document called the EV Guidelines – the EVGs – which is for an Extended Validation style of certificate. For the certificate types that support that, there are specific guidelines, specific to Extended Validation, that they must follow. Now, based on that, let me ask you this, Jason. Which one came first?

  • Jason Soroko

    Oh, I think I know this one. And watch me fall on my face if I’m totally wrong. I think the EV guidelines were first.

  • Tim Callan

    They did. Otherwise I wouldn’t be asking the question. Everybody in the world thinks the Baseline Requirements came first because of course they did, right? We built the platform of the Baseline Requirements and then we built the EV Guidelines on top of it. Therefore, it went BRs, then the EVGs.

    Wrongo. The EV Guidelines were created first and the Baseline Requirements came after.

  • Jason Soroko

    Yes.

  • Tim Callan

    And that was funny.

  • Jason Soroko

    It is funny. I do think though it was - - certificates were out before there was anything.

  • Tim Callan

    Yes. That’s exactly it.

  • Jason Soroko

    Yes. That’s exactly it.

  • Tim Callan

    That is exactly what it is. So, if you go all the way back to the beginning, how did it first happen? There is a bunch of RSA crypto scattered all over the place and some smart folks decided, hey, you know what, this World Wide Web thing is going on. This was like 1995 and they said, we can jump in on this and we can make a company and we can issue these certificates which allow the secure stuff to happen, and this will be really great. We’ll build it on RSA because it's already out there. And the first company to do that was called VeriSign. And so, once upon a time there was exactly one place you could get a certificate. It was VeriSign. And there were two browsers that you might use and they were Netscape and Internet Explorer. And that was it. So, Microsoft and Netscape and VeriSign all agreed on a certain procedure and everybody thought that sounded good and they moved forward. Then there was this proliferation of the other CAs. Everybody knew there wasn’t only going to be VeriSign, so other CAs came along, and browsers vetted them and let them into the programs too. And everybody knew there wasn’t only going to be Internet Explorer – Netscape went away, right? And so other browsers came along and they started building their own root stores and it was completely and utterly unregulated.

  • Jason Soroko

    Yes.

  • Tim Callan

    Furthermore, not only was it unregulated, but CAs viewed their validation and authentication procedures as secret sauce, and they didn’t tell their competitors because they didn’t want to tell their competitors their business secrets and help their competitor be better. “Oh, we figured out how to do this the hard way. I’m not gonna tell everybody else so they can figure it out without all that work.” So it was just, it was chaotic and it was very difficult to understand what a certificate meant when it made a certain claim. Right?

  • Jason Soroko

    Tim, can I help to set the scene a little bit?

  • Tim Callan

    Please.

  • Jason Soroko

    Because you and I are old, and I want to set the scene for a lot of you who did not live in this world as intensively as we did. This is a world where you are using your browser, of which there were even fewer than there are today - and there’s not a lot today but there were even fewer – and the number of websites you could go to was few and not only that but the majority of websites you would go to had no https.

  • Tim Callan

    Right.

  • Jason Soroko

    They did not even have - - this world that we live in now where https is rather ubiquitous, that’s recent, folks. You are talking about a world where, yes, these things that you are talking about, these certificates, were in a bit of a club if you had your web server working with a certificate. An https, an SSL. Those were things that were really quite rare and I’m gonna again set the stage for you about how different the world was. This is the world before registrars, Tim.

    When I first learned about domains probably like ’92, ’93, I bought a domain and I’ll tell you how I did it. I had to write a letter. I had to put it in a paper envelope. I then licked the stamp and put it in a mailbox and then there was a check drawn from a Canadian bank account, which confused the heck out of the folks at Rutgers University who received my letter and my check and they were kind enough to just say we are not even gonna cash your check because we don’t know what to do with Canadian money, but here is your domain.

  • Tim Callan

    Ok. Free domain.

  • Jason Soroko

    So, Tim, I just wanted to set the stage. The world you are talking about, Tim, was a very different internet age. You know, I set the stage of a world that’s even just a bit before what you are talking about but it wasn’t much different. It was a very different world, Tim.

  • Tim Callan

    Yeah. Yeah. Agreed. Exactly.

    And so, right. It was chaotic. It was very chaotic and there was increasing concern about, am I really going to be able to trust a certificate? Like can I trust a certificate at all? Can I trust what a certificate is claiming in a most basic fundamental way? And so, the EVGs were about creating a set of guidelines around this thing we called Extended Validation, and those would be used to create a consistently and reliably high or adequately high level of authentication for information.

  • Jason Soroko

    Because the whole intention was you want to have some level of assurance of who it is you are speaking to. You know, if somebody is making a claim and that claim is gonna show up on a web browser, then think about the number of interactions that need to occur because the browsers don’t know who ultimately the web server is. And they don’t want to know. But somebody has to figure that out and that group of people who has to figure that out is the people who are selling that certificate because they are the ones provisioning it, issuing it and ultimately part of the provisioning process says who are you again? Do you own that domain? And with an Extended Validation certificate, there’s a lot more information that you are claiming on that certificate. In fact, there are specific fields on an EV certificate that say, hey, you know, here’s my address; here’s my country; here’s my organization name. These are things that you just don’t get off of other types of certificates and so there had to be a whole pile of rules around it because of the fact that there were claims, and those claims were part of a technology ecosystem that included the browser because the browser showed this information and they had to have a way of doing it. So, it was a very important step in the industry, Tim, and that’s where it started.

  • Tim Callan

    Yeah.

  • Jason Soroko

    That’s where it all started. For sure.

  • Tim Callan

    And then the EVGs were pretty widely considered to be good. People liked this idea, but then the next problem became, there’s this giant body of other certificates that don’t have the same thing, that can’t make the same claim, and that’s a problem. And so, next was the Baseline Requirements and we are going to put the Baseline Requirements in place to deal with everything else, and so it’s strange. It’s kind of like building a house and then going and putting a foundation under your house. But that’s basically what happened.

  • Jason Soroko

    And still to this day – just to throw a little bit of technical remnant into all of this, there is no one linter.

  • Tim Callan

    Right.

  • Jason Soroko

    And so, therefore, that legacy of every CA having secret sauce – and I love the way you put it because that’s the way it was – certainly now there are standardizations and there are true-blue agreed-upon ways to do things and if you don’t do it those ways, you are not gonna be trusted anymore as a CA. And a lot of that is for very, very good reason. This is no funny business here. It’s a very serious business. I think that it’s fun though to look at the industry and the legacy of it and to realize, double checking for issues in a cert and doing something like linting, there still is no universal linter. And that comes from that legacy, Tim, which is, to me, it’s an interesting factoid.

  • Tim Callan

    It is. So, anyway, I just thought, you know, ’cause I hear this all the time, people who don’t know any better or I see this like written in blogs or articles and it’s usually somebody trying to give a little bit of background. They’ve learned a little bit and they say, “Well, you know, so first, there were the Baseline Requirements and then they built the EVGs.” And I always laugh because I’m like, well, no they didn’t.

  • Jason Soroko

    No, they didn’t.

  • Tim Callan

    Nope. The other way. So, there you are.