Root Causes 446: Sectigo Assumes Five CABF Offices
Tim has stepped into the position of vice-chair of the CA/Browser Forum, and Sectigo now holds five chair or vice-chair positions in that body. We explain how leadership is chosen, the offices Sectigo holds today, and some of our vision for CABF in the next two years.
- Original Broadcast Date: December 12, 2024
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Speaking of glad to be here, I am very pleased to be able to say, and if you didn't see the announcement of this, that I have recently assumed the position of Vice Chairman of the CA/Browser Forum.
-
Jason Soroko
Congratulations, Tim. That's really, really good. I have worked shoulder to shoulder with chair people of the CA/Browser Forum in the past, and I'm glad I'm back at it.
-
Tim Callan
This represents a high water mark not just for Sectigo, but from what I can tell, for any organization in the history of CA/Browser Forum, because we hold five official positions right now, and maybe I'll just run through the five.
So I'm now Vice Chairman of CA/Browser Forum. I also continue to have my seat as Vice Chairman of the Definitions and Glossary Working Group, which I normally just refer to as DGWG. So if I say that, that's what that is. So that's two chairs. Martijn Katerbarg, who is my associate here at Sectigo, is the Chairman of the Code Signing Working Group and he continues as Vice Chair of the S/MIME Working Group. And then lastly, our General Counsel, Brian Holland, is Co-chair of the IPR group, the Intellectual Property Group. So those are five positions we hold at CA/Browser Forum and like I said, it's hard to get an official record of this, but from what I can tell, looking back at history, I do not think that any organization has had quite that many chairs all at once. So that's kind of exciting.
-
Jason Soroko
It shows a lot of commitment from Sectigo, which I'm really happy about. I'm certainly very proud of it. But I think what's important there is, there's a lot of really good work to do.
You and I have covered the CA/Browser Forum. You've covered it intensively on this podcast for quite a long time. And I'm really glad about where it's going in terms of its really rational thinking, its ability to think through problems and to get us ready for the future. And that's good because the future is coming, and not the least of which are topics such as the shortening certificate lifespans and topics such as PQC.
-
Tim Callan
Absolutely. And another big, obvious one, of course, is BGP attacks, which you introduced in this podcast I think more than a year ago and that's obviously an important thing. It requires a lot of changes. I think in general, CA/Browser Forum is one of these things where what you get out of it is what you put into it. It's a voluntary organization. There is no budget. There are no employees. Everything is done by the members, and everything is done by the members because the members understand that we need this in order to have a web PKI that works. And I don't want to sound like we're all a bunch of saints. Like this is how we make our living, so we understand if there's no web PKI, none of us makes a living. So we're doing this because it has to be done, but at the same time it still doesn't have its own budget or its own organization, or its own hierarchy or things like that. And so you just have to decide, this is the world I chose to live in, and it's important, so I'm going to make some investment. And fortunately, enough organizations do that that we're able to operate the CA/Browser Forum and really get some things done.
-
Jason Soroko
That's great, Tim. And for me, very, very selfishly, I'm glad that you're here with us on the Root Causes podcast, and you're going to continue to give us the insight of what's going on over there.
-
Tim Callan
I mean, it certainly does have an advantage that we have a very short, there's a very short path from the goings on in the world of public CAs to sharing it with our audience and that definitely is nice. I think also from my perspective, there's a lot of, I want to say, relatively straightforward, technical or guideline generating work that gets done. Where it's like this language is unclear. We've discovered that this language is unclear, and let's draft some new language that will be clearer, and pass a ballot and put that language in. And a lot of that work gets done and I think that's important. I'm also, though, very interested, if you haven't been listening to this podcast over the last let's say four or five months, six months, I'm very interested in raising the game across the board. I think we have too many CAs who are sloppy. We have too many CAs who are under resourced. We have too many CAs who don't acknowledge that their ultimate responsibility is to all the people in the world who use the internet, and this causes problems, and this causes slow movement toward better conditions and circumstances, and this causes non-compliance, and all of that stuff is where I think we can aim higher, and I want us to aim higher. And so part of the reason that I sought this position was to have a taller soap box to advocate these viewpoints and really try to get the CA community to say, hey, I should be striving for best possible excellence on my own, not because I'm being forced to by a rule, but because I know it's what's best for everybody, including me and that's one of the things that I hope to help drive in this position, and I hope that this position makes that easier than it has been previously.
-
Jason Soroko
That's great, Tim. There's a lot there. There's a lot of thought behind what you said. I think that raising the bar is important, especially in the longer tail of smaller CAs with their capabilities. I think that some good thinking needs to go into how we could make that environment better for everybody.
-
Tim Callan
There's a lot of discussion about a lot of that stuff. I don't want to try to catalog everything that's going on in CA/Browser Forum right now, but certainly at a certain level, damn near all the activity is ultimately driving toward that kind of goal. I guess the point I'm trying to make is there's a difference between all of us pulling the state of the art forward and us being pulled forward by the state of the art, and I think we're going to be better off if we're doing the first rather than the second.
-
Jason Soroko
That's correct, Tim. That's good. So in terms of the term, what is the term length for people who aren't inside the CA/Browser Forum?
-
Tim Callan
Chairs are for two years. We don't have, let's say, annual elections, just because it's not that big of a body, and the elections require a bit of effort, and so that feels like it would be overkill. It's two years. So the chair positions we're in now should be where we sit for the next two years, and then after that we'll have elections again. They occur in the fall two years from now. You cannot repeat your position as the Chairman of CA/Browser Forum. So DigiCert's Dean Coclin is the Chairman now. He stepped in on December 1, the same time I stepped in. So he'll run for two years, and then he has to not hold that chair again. So, at that point, anybody can run. Might be me, might not. We'll see. But that's how long those run. I'm not sure that Vice Chair is termed, but I think the vision, the idea, is that a Vice Chair then tries to step up and be Chair. So sitting perpetually as Vice Chair probably isn't the idea.
Now, there's a bunch of working groups. We talked about a lot of them. The working groups do not have term limits on them, and they're also two years. The reason for that is because it's not a huge organization, and there are different levels of participation, and there are lots of members of the organization that don't want to hold a chair. We determined a few years ago that if we force all of the working groups to cycle out their leadership every two years, that might generate a problem. There might be a difficulty getting qualified leaders who want to step in. If you'd rather have someone who's taking over the chair again, but they are passionate about driving, let's say, the S/MIME working group, which is such a great example of that. If there's somebody who is really passionate about driving it, we don't want to deny that and have nobody, or have somebody who isn't really going to work very hard at the job. So when you look at it that way, the decision was that the working groups can keep having the same Chairs, but for the main one, we need to cycle it out.
-
Jason Soroko
Totally makes sense. You're right in saying that there isn't a gigantic group of people to choose from anyway. It is a small community, and for the people who are willing to put in the work, think about it, a two-year commitment. It's a pretty solid amount of work in anybody's workday. It's a big commitment, and the population is low.
-
Tim Callan
It is. That's a great point. I mean, I do want to tip my hat. There are a lot of people who have held a lot of positions in CA/Browser Forum over the years, and to anybody who steps up and wants to have one of those roles, I certainly want to offer my admiration for doing that. It is extra work in our day. It is not considered a requirement in any way, except that it's a requirement that someone has to step up and do it. And so to the degree that organizations step up and do it, and some of the kind of perpetual performers have been people like Apple and DigiCert, and I like to think us, it's important that people are willing to do that, and seeing that happening is just really good.
-
Jason Soroko
I gotta tell you, I'm not sure that the next two years will have any precedent in terms of just the sheer amount of need for the CA/Browser Forum to be thinking about. Tim, it is just huge.
-
Tim Callan
So this year, just this year, we have run more than 25 ballots, and the year is not over. To put things in perspective, a typical year, I'm going to say, is probably 10 to 12. Right now, CA/Browser Forum is going crazy in terms of the amount of work that it's doing, and that's not going to slow down. Shortening certificate lifespans, that's not even a thing yet. That's just a proposal. There's going to be a lot more work coming with that. We're not going to be done working on BGP and MPIC. S/MIME is still evolving. PQC is coming. So the amount of workload we have, it's not like it's going to quiet down and become very boring and become kind of a rubber stamp job. I forecast the opposite. I think we're going to have another huge year next year in terms of ballots, and I think the amount of activity that we have going on in CA/Browser Forum, which we will have and which we will need, is going to continue to be very high.
-
Jason Soroko
I suspect that's the case, Tim. You've entered this at one of its most interesting times. So best of luck to everybody involved.