Root Causes 298: Moving Forward, Together - Promoting Automation
The Google Chrome root store has communicated its plans for promoting automation. In this episode we explain Chrome's public plans for this initiative, which is anchored around ACME.
- Original Broadcast Date: April 28, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
You and I have spoken in recent episodes – in particular, I think it’s our Episode 284 about the Chromium project – about the Google Chrome root store’s Moving Together page or site where they talk about their future intentions for the public web PKI. We’ve mentioned in the past that we think this is a good practice because it gives the community and the industry a chance to understand the direction that the world’s most popular browser intends to take the web PKI, and coming out of that, one of the ideas that you and I had is, geez, there’s more being telegraphed here than just 90-day certificates. Maybe we should carve out some time and talk about some of the other initiatives that are discussed in this page. So, I think we are gonna do the first of those today.
-
Jason Soroko
Alright, Tim. Let’s do it.
-
Tim Callan
They have a bunch of subjects here, and I think eventually we will probably hit them all. The one we’ve chosen for today is promoting automation. This is a one, two, three, four, five paragraph section of the page. I’m not gonna sit and read it but I’ll explain what they have to say and maybe pull some specific wording out and we’ll talk about what we think the consequences of it are.
The first two paragraphs are really focused on explaining the concept of ACME. ACME, of course, is a very popular API that is used to automate the deployment of certificates. It stands for Automatic Certificate Management Environment, ACME, and Chrome explains what ACME does and also its widespread usage. They cite a couple facts – more than 50% of the certificates issued on the web PKI rely on ACME and about 95% of the certificates issued by the web PKI today are issued by CAs that have some form of ACME implementation in place.
Their point is that ACME really has emerged and is emerging as the standard that we can hope and aspire will be ubiquitous. I think this is part of what they are looking for. That everybody can automate their certificates using every tool on every operating system with every public TLS certificate and that’s the goal they are really going for.
-
Jason Soroko
Yeah, Tim, uh, I’ll boil that down with the quick version of it, which is I think Google understands very clearly that this announcement that they are only going to support 90-day certificates is a really, really big deal and they know that automation, for as much as we talk about it, it’s not as commonly employed as people think. And, in fact, to the point where I think that once 90-day certificates become the maximum, we are probably gonna be facing a lot of outages because of the sheer amount of just, you know, four to five times the amount of risk periods per year that are now going to happen because of the fact that the certificates are probably not gonna renew automatically; it’s gotta be done by hand; people are gonna forget about it; and we are just gonna see outages more and more and more.
-
Tim Callan
We just reported on one a few episodes ago.
-
Jason Soroko
I think Google understands this risk. Google probably would never have announced their intention to go to a maximum of 90-day certificates unless there were some kind of automation technology that was widely available. If you think about the history of automation within SSL certificates, Tim, a lot of it was proprietary standards and APIs being called with some specialized coding and various kinds of agents, and ACME was a great open standard that was developed that democratized all the best practices of getting a certificate from the CA and then putting it where it needed to be on the webserver. It was just a great idea. We’ve got previous podcasts about ACME.
-
Tim Callan
They’re not being subtle about this at all. Here’s the beginning of paragraph three.
“Unifying the web PKI ecosystem in support of ACME will”
So, there you are. They’re clear. They want to unify the web PKI ecosystem in support of ACME and ACME specifically and by name. Not automation. ACME.
Now they list their six benefits. I think these are worth reading verbatim. “Unifying the web PKI system in support of ACME will:”
1. “Promote ecosystem agility.”
You and I have talked about this in the past: That automation gives you agility and that’s very important as standards change, key files change, cryptographic algorithms change, certificates need to be revoked en masse. All of these things, you need that agility.
2. “Increase resiliency for CA owners and website owners alike.”
3. “Help website owners address scale and complexity challenges related to certificate issuance.”
Any of this sounding familiar, Jay?
4. “Drive innovation through ongoing enhancements and support from an open community.”
In other words, they want ACME to get better.
5. “Ease the transition to quantum-resistant algorithms.”
That’s in there very explicitly and - -
6. “Better position the web PKI ecosystem to manage risk.”
So, those are the six things that Chrome believes, what they view as noble goals that will directly benefit from driving ubiquitous support for ACME throughout the web PKI ecosystem.
-
Jason Soroko
There you go. We don’t even have to speculate. It said what Google’s intentions are here. And so, therefore, this is not Tim and Jay espousing on we gotta do automation. This is now Google telling you.
-
Tim Callan
And I’m not reading tea leaves here. This is Chromium telling us.
-
Jason Soroko
Right.
-
Tim Callan
So then what are they gonna do about it? This is the last paragraph. Again, I’m gonna quote a little bit verbatim and then I’m gonna summarize.
“In a future policy update, we intend to introduce requirements that all Chrome Root Store applicants must…”
I’m not gonna read this whole thing but basically adhere to a series of ACME quality standards that they are going to demand such as availability and uptime for ACME services, URL disclosures in CCADB and the types of certificate issuance ACME services must support and minimum privileges that must be provided to the Chrome program for evaluation and monitoring of ACME services.
So, first of all, they are gonna have a set of explicit requirements the CA must follow that are gonna be around the quality and availability and scope of ACME services that are provided, and a CA that doesn’t meet those requirements will not be in the root store program. So, how is that for driving ubiquity in the web PKI?
-
Jason Soroko
Yeah. There it is, Tim. Look, you and I, Tim, we are in the CA business. We are in the CLM business. We offer ACME as part of our services and so we have our end to uphold here. And, by the way, I actually support a lot of what Google is doing. Definitely at least in principle.
-
Tim Callan
I do, too.
-
Jason Soroko
This podcast is not about, hey, what are the CAs doing here? We could have a whole other podcast on that. You know, what is the CA reaction to all of this. To me, the reason why we are reading out this part of Google’s announcement is for those of you who have not already gone there and listened or read to it, here it is. You can listen to Tim talk about it and listen to the synthesis which is, guys, Google is changing your world. If you run a webserver, your world just changed. Or is going to change and the warning shot has been shot.
-
Tim Callan
I talked about improving ACME, right? One of their bullets above was drive innovation through ongoing enhancements and support from the open community. So, they return to this concept more explicitly.
The second thing that they intend to do in a future policy update is that they intend to require that root store participants must support ACME Renewal Information, ARI, which is in a draft RFC right now, which basically means that you will be able to use ACME to renew existing certificates in an automated fashion through ACME. That itself is an important functional improvement over what we have today.
-
Jason Soroko
Let me put that into really plain English, Tim. Basically what it means is ACME as a protocol had no concept of renewal. It was really just deployment. So, if you look at the pillars of CLM, there is deployment as one of the pillars and renewal as another separate pillar. ACME as it was, and in fact, as it is right now at the time of the recording of this podcast, is really only about deployment, and renewal really is just a matter of deploying again. That’s the way renewal is handled.
-
Tim Callan
Yes. In the PKI world, every cert is just by itself and it’s not, from a PKI perspective, connected to any other cert. That is all sort of a meta, systemic concept that we have.
-
Jason Soroko
That’s right. And so, therefore, if you have things such as a revocation or if you want to track renewal, these are the kinds of innovations that ACME is growing into and it’s a good, good thing. In other words, ACME is slowly growing into being not just pure automation. It’s actually starting to get into the business of fleshing out some more of the CLM minus discovery, minus visibility, minus all the truly important aspects of CLM in total. ACME is not CLM. ACME is in support of automation and starting to support some concepts within CLM.
-
Tim Callan
And having ACME support that just gives more power to your CLM, right?
-
Jason Soroko
Totally.
-
Tim Callan
Now your CLM can tie into that portion of the API and it actually brings more capabilities back to the CLM. So, it doesn’t diminish the CLM at all. In fact, it’s the opposite. It makes the CLM more enabled to do the full set of things that you need for them to do as a certificate administrator.
-
Jason Soroko
You got it. If you’re standardizing on ACME for your automation, it’s a great thing for it to be able to integrate itself into the rest of your CLM is just another way of putting it. You got it, Tim.
-
Tim Callan
Excellent, Jay. So anyway, that’s the promoting automation thing. I think it’s an important direction that we see Chrome pushing the industry. We’ve seen that Chrome has both power and the confidence to implement programs like this, and this is their intention, and this is what they are doing. Moving Forward Together is there so that we can all understand their intention and prepare for it and try to make those changes as effective as we possibly can. So, again Jay, I think this is good practice. I think we should monitor this page and continue to bring these things from Chromium to our audience so they can get a sense for where the industry is heading.
-
Jason Soroko
Thank you, Tim. Hey, you know what? We are well on the way of kind of hitting your over/under on the number of times we are gonna be talking about Google’s 90-day announcement.
-
Tim Callan
I think I might have gone too low.