Root Causes 321: CABF Moratorium on New Certificate Consumer Members
The CA/Browser Forum recently passed a temporary moratorium on new members of the Certificate Consumer class. We explain how Certificate Consumers have been admitted in the past and the pros and cons of creating stricter rules for Certificate Consumers.
- Original Broadcast Date: July 27, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We want to talk about a recent CA/Browser Forum ballot that has passed. CA/Browser Forum has a good number of ballots. Most of them we don't talk about because it's kind of way down in the weeds of making the digital certificate sausage, and we're just not sure it's interesting to people. This one was well out of the norm with no real precedent. So we thought it was worth bringing up and explaining what happened in CA/Browser Forum Ballot SC 64.
-
Jason Soroko
I was looking at that, Tim, temporary moratorium on new certificate consumer memberships.
-
Tim Callan
First of all, let's make sure we're clear on terminology. What we normally call browsers, even to the point where it's in the name of the CA/Browser Forum, according to the actual rules of CA/Browser Forum is called a Certificate consumer. And the reason for that is that's in recognition of the fact that it doesn't necessarily have to be what you and I think of as a traditional browser. A great example of that is one of the Certificate consumers is Cisco. And Cisco has a lot of devices out there and those devices connect to things digitally across networks, and absolutely care very much about digital certificates but there isn't really a browser that you sit at with a mouse as a human and look at, right? That word consumer means the same as what we mean by browser.
So therefore, this is a temporary moratorium basically on new members that would meet the consumer class. There are two classes of voting members in the CA/Browser Forum. There are CAs. Those are organizations that are qualified to issue publicly trusted certificates that are trusted by the ubiquity of consuming devices in the world. And then there are consumers, which are people who have the devices that need to read and trust those certificates. Those are the two groups inside the CA/Browser Forum, and this was created way back in the beginning, when CA/Browser Forum really started to build some rules around itself, the recognition of the fact that there's these two sets of parties, and they depend on each other to have an ecosystem that works.
-
Jason Soroko
Right, Tim. Google and Mozilla, would they be considered consumers in that categorization?
-
Tim Callan
Mozilla is a consumer. Google Chrome is a consumer, but Google is also a public CA. So Google actually has a CA and a consumer, and they are represented by different individuals inside CA/Browser Forum. Same thing for Microsoft. Same thing. So that's how that works. You can be both. You can be a CA, and you can be a consumer. Most organizations are only one.
This ballot, which was passed on - I'm going to get the date, it was pretty recently - which passed in late June or in mid-June of 2023. What it does is it sets that new applications of Certificate consumers to the server certificate working group, which is the working group that deals with TLS, new applications will not be accepted, either until one of two things occurs.
Number one is that a ballot is passed with rules around who a Certificate consumer can be or the end of this year, December 31, 2023, whichever of those two things occurs first, that's when the moratorium passes. This is unusual. Like we've never had this before in CA/Browser Forum.
-
Jason Soroko
That's interesting. So, you always present us, Tim, with a really good background for why the CA/Browser Forum is making certain kinds of what ends up being very prudent decisions. I'm all ears as to what the reasoning is for this.
-
Tim Callan
Well, so this is a tricky one and this was a much debated one and I daresay a contested one. By way of example, there were more abstentions among the Certificate issuers than there were yes votes. And so, it basically goes as follows.
There’s two arguments. Argument number one, and the motivator behind this ballot, goes: the bar for getting into the CA/Browser Forum as a Certificate consumer is incredibly low. You can take a public open-source project like Chromium, you can branch it, you can put your own name on it and now you're a browser. You can call into the calls, you can show up at the meetings, you can take up everybody's time, you can grab the mic, you can vote as a browser, and you may not necessarily have a useful contribution to the web PKI. Like if we wanted, if we were just about power, we could create, we at Sectigo, could create our own browser pretty easily and nobody would have to use it. It wouldn't matter if a single human being in the world didn't use it. Once we had a browser, we can now vote as a browser in CA/Browser Forum and try to skew votes our way and things along those lines. Now, we didn't do that, but somebody could.
If you look at the CA side of the CA/Browser Forum, there are very clear guidelines about how you become a member. You have to meet certain criteria, you have to have your roots in trusted root stores. It's an objective thing, it's codified, and anybody can read it. It's available to the public. You can go look at it. You know what you need to do. We can look at a CA and we can say they qualify, or they don't. There are clear rules. If they qualify, they're in and if they don't, they're out.
On the consumer side, there aren't any defined rules at all. There's just a set of people that are consumers, pretty much because they were there at the beginning, pretty much. They're accepted to be consumers, and everybody just accepts it. The impetus behind the ballot, and the worry is, look, this is too loose, and this could be abused. It hasn't been, but it could be, and it's just too loose and this isn't what we're about. We're governing the webs, the web's trust model in a fundamental way. We're governing the web PKI. We got to hold ourselves a little stricter on this. So that's the argument on the one side.
The argument on the other side goes, well, look, what are these rules going to be? I'm not sure I'm comfortable with that. What if they're overly strict? So I'll make something up. Let's suppose you say, can't be a member of CA/Browser Forum if you don't have at least 2% global market share? Okay. Well, perhaps if I'm not a member of CA/Browser Forum, that's what prevents me from getting to 2% global market share. Perhaps this is monopolistic behavior. So you start to get all of those worries. Now, again, none of this has happened. So it's not like anybody has done anything wrong or malfeasant, but we can all see the potential. On the one hand, we get the potential problem. I do.
On the other hand, this idea of collecting power in a small group whose membership supports and reinforces itself is fundamentally uncomfortable, especially for technology people who are supposed to be controlling the web PKI trust infrastructure. And so when you look at it that way, there was a lot to be discussed on both sides. The ballot did pass, but the voting was very low, and the abstentions were very high. In general, I think that's reflective of the general discomfort that a lot of people felt about these ideas, even if we could see the reasoning behind them. Does that make sense?
-
Jason Soroko
Makes total sense, Tim. In fact, let me give you an analogy that I saw recently in the industry and when I mean recently, it's like within recent years. I remember Mark Zuckerberg being in front of Congress, and he was making comments about it, hey, I embrace or I'm inviting more regulation in my industry, and it was just so transparent to anybody who was following the case being well, what you're really trying to do there, Mark, is you're basically making sure that there will always be a monopoly or a duopoly within what you're doing because it just makes the barrier to entry to smaller, maybe even more innovative players, which was his fear. The barrier to entry to making Facebook is I don't know, I don't think it's that high from a technology standpoint. And certainly if somebody comes up with a more clever idea, all of a sudden, those kinds of big social media companies become just out of date and passé.
-
Tim Callan
But this one isn't clean at all. So for instance, one of the arguments that came on the other side, which also is very compelling, is to say, there are browsers in CA/Browser Forum that just use the root store of whatever operating system they're running on. They don't actually decide which roots to trust and distrust. Okay? Why are they here at all? If the answer is that you're pointing to well, I'm the public face of the web that a human looks at, and therefore I qualify as a browser, then you turn around and you look at my earlier example, Cisco. You’re well, Cisco has a root store and it's using it for a whole lot of hardware that talk to a whole lot of other hardware but none of those things has an interface that a human looks at. So does that mean that Cisco shouldn't qualify? That doesn't seem to make sense. That's some of the impetus behind saying, well, we got to figure out what we mean. When we say it’s a Certificate consumer, what do we mean and let's be clear on what we mean and then let's tell that to the world and let's actually walk the walk. Of course, one of the concerns about that is that could mean that people who are currently members don't get to be members anymore. Also, that might make it harder. One of the things that browsers tend to do is they start out using the OS’s root store because it's easier. Then somewhere along the line, they graduate to maintaining their own root store. We've seen that progress with Chrome of all things. The most popular browser on the planet. You also think that maybe it would have been absurd to go back in time five years and say, well, Chrome has more than 50% market share, but they don't get to be in CA/Browser Forum. That's where it's all really thorny.
-
Jason Soroko
It sure sounds like it.
-
Tim Callan
At this point, we're waiting for the proposal of when are these criteria going to be? We don't know, like that proposal isn't out there yet. So it's hard to say. Maybe somebody has got a good vision for this and can lay something out that navigates all of the problems, but there are definitely problems that will need to be navigated.
-
Jason Soroko
Geez, Tim, for a lot of these things that come into CA/Browser Forum the motivations are clear and then the follow through in terms of what the rules are usually fit the motivation very well, and everybody kind of walks away happy. This is one where the motivation is not as clear and if it was, hey, there has been abuse, and we need to change it, great. But like you're saying, if we haven't seen examples of abuse, then is this proactive to try to avoid abuse? If it's not that, then what the heck is it?
-
Tim Callan
This even goes to the more basic, like the thing about CA/Browser Forum and the web PKI and the world of domain names while we're at it, is these are all things that sprang up out of a technology basis at a time when the stakes were very low, and the participants were very few and they were all very technically sophisticated and then it became the new playing field. It became the new place where lives are lived, and fortunes are made and lost. And political futures are determined and all kinds of other extraordinarily important things happen. We've seen so many stories in the last few decades about how the technology is just ahead of their social equivalent - the laws, the mores, the customer understanding. All of those things along those lines, the ordinary consumer. You get this here, which is, well how did we originally decide who was a browser? Well, we just kind of all agreed we said, yeah, they seem like browsers to me. And back in 2006 that was fine. Maybe today it's not and how do you navigate? How do you move from the one thing to the other and we bump into this when we're looking at interconnected global technology issues. We just bump into this one all the time. We're doing it again.
-
Jason Soroko
The big dream we had to make fogy web. Remember our browser. It was perpetually going to be able to allow to type in something.com in an address bar. That was our main design.
-
Tim Callan
Yes, that’s right. The Callan browser. I was gonna make the Callan browser so I could go vote as an individual at CA/Browser Forum, but I probably won't do that now. So that's what's going on. This isn't gonna probably affect the average consumer or listener in a very immediate way but so much of what happens in the global web PKI and the global trust architecture is happening in this organization that things like this do matter, and they're worth being aware of, and they're worth keeping an eye on.
-
Jason Soroko
Sure are. Well, thanks for bringing that one up, Tim. A lot of these things, the CA/Browser Forum, so glad you cherry pick the good ones for us and that definitely was one to sink your teeth into. It makes you think about what's going on here.
-
Tim Callan
Let's make an agreement with ourselves which is once this does get resolved, and there are some criteria, let's come back to this. We'll do another episode, and we'll just spell out what they are.