Podcast Oct 17, 2019

Root Causes 45: What Is the CA/Browser Forum?

SSL certificate practices are governed by the rules of the CA/Browser Forum. But what is the CA/Browser Forum, who is in it, and where do they get their authority? If you've ever wondered about questions like these join our hosts as they describe the origins of the CA/Browser Forum and how it operates.

  • Original Broadcast Date: October 17, 2019

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Today, we are going to talk about the CA/Browser Forum. If you're in the world of public certificates, and this is mostly TLS, but it also includes other public certificates like code signing and S/MIME, there's much discussion of the CA/Browser Forum. When I talk to people who follow the industry fairly closely, I find they have an incomplete understanding or possibly some misconceptions about what the CA/Browser Forum is and how it works, so we thought today we'd sort of explain the whole thing.

  • Jason Soroko

    I'd even go back further than that. Obviously, professionals in the security industry have heard of it. I think the average person who just runs a browser might not fully understand it, know that it's there, know that there's a lot of people who think about the browsers and how security works. It's a pretty big deal. You've been around it for a long time, Tim.

  • Tim Callan

    I've actually been around since the beginning. The first meeting that I went to was technically the second CA/Browser Forum meeting and it wasn't named at the time. It was not called the CA/Browser Forum. We didn't have rules or anything else and the reason that we got together, the reason that it was formed was it was a very chaotic time in terms of authentication standards. Every public CA sort of made up their own authentication standards and they were radically different and there were radically different levels of attention to that. Some CAs were very vigilant and some CAs were not at all. There might be somebody who didn't give any thought to physical security at all, for instance. They would have IT security, but you can just walk right into their place of business and not be stopped. And so, what we did with the CA/Browser Forum was to build some consistent, reliable, secure rules behind public certificates so that the public, the relying parties, really could feel like these certificates were doing something that was meaningful and valuable and they could rely on them.

  • Jason Soroko

    It's a really good idea. I think that there was so much going on people did need to eventually come together to come up with the standards. Obviously, with all the different CAs coming up with different things it just didn't make sense. I think even in terms of the root store within a browser, how it worked, the fact that there's standards, the fact that even we have an agreed upon number of certificate types and what those definitions are, it just had to happen, and it was a positive move for the industry overall.

  • Tim Callan

    Yeah, that's good that you bring up the root stores because this is an important part of the whole thing. There are kind of three main sets of rules, if you will, in this public certificate ecosphere. One of which is the CA/Browser Forum requirements. So, CA/Browser Forum creates, votes on, and publishes requirements, and in general there's an expectation that public certs of that type are going to follow that requirement and we can get into why that expectation exists and how that's enforced and stuff like that. But then, very importantly, there's the browser root stores. And that to a great degree is really where the power is because browsers can choose to trust or distrust or treat different roots in different ways and at the end of the day, they own their software, they control their software, and they can do whatever they want. It doesn't matter if you're following CA/Browser Forum requirements and you get knocked out of the root store, you're still out of the root store. It's still not working. So, BRs are necessary but not sufficient, if you will.

    And then the last one, of course, is that every CA is publishing Certificate Practices Statements, where they talk about what they do around their certificates and they go into normally more detail than the BRs and the root store programs do, and there's an expectation that the CAs will follow their publicly visible Certificate Practices Statements, we call them CPS, as a rule, as a practice and that's something that the public can look at and read and rely on.

    So, all three of those together come together to form kind of the set of background rules and expectations for a public certificate.

  • Jason Soroko

    That includes things such as a DV certificate which many people use on their websites. Domain validation. What does that mean? What is the definition of that validation? How does it work? All of that comes out of the CA/Browser Forum. But the other things that the CA/Browser Forum defines - it's not just the BRs. The BRs also have a lot of rules, Tim, with respect to when problems happen, and how problems are brought up, how the bugs, the various kinds of issues that CAs may have, the browsers may have, and how those kinds of problems are also handled.

  • Tim Callan

    So, let's define. BR stands for Baseline Requirements and the CA/Browser Forum put these in place, I don't know, some years ago – six, seven years ago and basically what baseline requirements are is if you're going to have a public facing TLS cert, these are certain things that you're expected to do. And some of them are about your certs themselves. Some of them are about your authentication procedures. And, for instance, Jay, you mentioned domain validation, all TLS certs have to have the domains validated and there are rules about how you can and cannot do that and you must do it according to these rules or it doesn't count.

    And then the last one is there's operational requirements. It's things like infrastructure security and physical security. Things along those lines are codified as well and CAs are expected to follow them. All of that coming together forms what we call the Baseline Requirements and, as you said, Baseline Requirements also include response and remediation. So, there's a recognition that if you are a large CA that is issuing millions of certificates a year that maybe theoretically something happens that isn't exactly in alignment with the Baseline Requirements. Under those circumstances, there are actually codified rules for a remedy. So, if a CA becomes aware of a bad certificate, if they're notified of a bad certificate, they have 24 hours to revoke that certificate and presumably replace it with a good one, but revoke it is the key or in extenuating circumstances up to five days. That's also written into the Baseline Requirements. So that's something that CAs are expected to follow.

  • Jason Soroko

    Concepts such as revocation, we've had podcasts with this in the past but what does the CA/Browser Forum as a whole talk about with respect to when bad websites are found what the responsibility of the CA is and others?

  • Tim Callan

    The key there is there aren't rules around the usage of the cert per se. So, in other words, if it's found that my certificate is being used for something unseemly or criminal, the BRs don't address that. Most CPSs, though, will say either that they're going to revoke those things or that they have the right to revoke anything at all. And most CAs would. Like if you found out that your certs were being used for criminal activity, you would revoke them. And one of the important things to remember is that the CA doesn't understand intention, right? When you go and you buy your cert, the CA can't glean how you intend to use the cert. The CA has to look at actual behavior. So, in the event that it is used for, like I said, something criminal, then, at that point, the CA can go ahead and revoke. The BRs are really more focused on is it secure? Is it correctly authenticated? Is it accurate? Is it all running correctly? That's really what those rules try to nail down.

  • Jason Soroko

    One of the podcasts we had recently was on Kazakhstan and they were trying to get into that root store that we were talking about earlier. So, it's obviously not easy to get in there. What is the - is it a voting mechanism? What is the mechanism that you're able to get in, because I know that it's a tough thing to do?

  • Tim Callan

    Kazakhstan was interesting because, of course, Kazakhstan applied for public root in these root stores and they may very well have been added to CA/Browser Forum, or another example is earlier this year, there was a lot of focus on a company called Dark Matter. Dark Matter is a Saudi company that a lot of security researchers feel is shady, and this company Dark Matter is a member of CA/Browser Forum. They're an observing member looking to get their roots included in the major root stores and there was a whole bunch of talk about that. So, you know, there is some difference between the two. How the root stores work is that anybody who maintains a root store has the right to put whatever they want in their root stores and the main root stores are, of course, the Google root store, which powers the Google stack. The Mozilla root store is very important because it covers Firefox and Mozilla products, but also a lot of other infrastructure stuff just depends on and uses the Mozilla root store. Apple has a root store which covers the Apple technology stack, Safari, and Apple Services and iOS and Mac OS. The Microsoft root store does something very similar. It's Edge and Internet Explorer, but it's also Windows ecosystems and Microsoft services. So, if you look at those four, between those four, they've got to be covering 99 plus percent of the usage that's out there in the world. Those are the root stores that really matter and they all have their own root programs and the root programs are similar but they're not identical. And if you want to be in their roots, you have to follow their program and do the things you're supposed to do and you can get included in those. And without those, the rest of it doesn't really matter. Like, that's the first thing to do. And then when you get those roots included, then joining CA/Browser Forum and becoming part of the community is a very smart thing for a CA to do after that.

  • Jason Soroko

    How many CAs and browsers are part of the CA/Browser Forum? Do you happen to have those numbers?

  • Tim Callan

    It's a lot. It's like 40 CAs and maybe 8 or 10 on the browser side. You have the four I just mentioned and then there are some smaller market share browsers. There's Opera, and I think Brave is a member and things like that and then Cisco is also a member because even though they don't have a consumer-facing browser, a lot of Cisco components are using roots and so, Cisco is very active in the CA/Browser Forum. And this is an important point. There are different kinds of members. There are what we call browsers, and that's a little bit of a misnomer because Cisco is in there, but they're people with software that uses the certificates. Then you have CAs. Those are people who issue the certificates. Again, a surprisingly high number of those, considering that most IT professionals can probably name five, right? There's about 40. Then there are some other parties. For instance, WebTrust auditors, or you can be an observer, in principle, if you wanted to just come and participate because you're an important relying party, like a large company, a large enterprise, you could. We don't see a lot of that participation. We see guests, academics and security researchers and whatnot kind of pop in to work with the CA/Browser Forum on the thing they really care about and then they tend to go their way after they're done. So, in reality, it's mostly the browsers and the CAs and then a few extras like WebTrust auditors.

  • Jason Soroko

    Not that long ago in our industry we saw Google have concerns about Symantec's SSL business due to various reasons, and Symantec had to sell off that business. So, was that a unilateral decision by one of the members? Or was that a CA/Browser Forum decision?

  • Tim Callan

    This is a very good point. We're coming back to kind of what's the power structure here. So, in that case, that was Google's decision to distrust the Symantec roots, which used to be VeriSign. That business became Symantec. That was the company that started it all. Took it right out of the industry entirely and that was a decision that was made unilaterally by Google. It was not a CA/Browser Forum decision. There was not a ballot. There was not a vote. We've seen other examples of this. Certificate Transparency is another one, where CAs must write to Certificate Transparency logs. If they don't do so, then they will be out of compliance with the requirements of the Google and Apple root stores but that has never been a CA/Browser Forum requirement. It is just a requirement of those root stores. So, the browsers have the power to do that. I think that they should do it seldom and for very good reason because if we have a bunch of browsers all out making their own rules, we have chaos and ultimately it becomes very hard for CAs to follow those rules, and ultimately that can lead to errors and problems and things along those lines. So, as much as possible, it's better for everyone if the browsers can align and agree and there can be a single set of codified rules that are captured in CA/Browser rules, because then it's easy for everybody to be able to know that they're compliant. So, in general, that's what we want and what we'd like to see; but we do know that browsers have the power to choose not to or to choose to do things unilaterally. We have seen them do that in the past and we surely will see them do that again.

  • Jason Soroko

    Yeah, it makes sense. And obviously the browsers that have the most users obviously wield, probably, a disproportionate amount of power.

  • Tim Callan

    Right.

  • Jason Soroko

    So, Tim, you talked about certificate transparency logs. I'm thinking that's probably a whole separate podcast by itself because it is a pretty interesting topic.

  • Tim Callan

    There's a lot to discuss with that. So the browsers do have the power but there is a basic expectation we should follow BRs. Now, how the voting works, this is another important point. We have members divided into three categories. There's CAs, there's browsers, and there are non-voting members, which are things like WebTrust auditors. When voting rolls around, for a ballot to pass it must be passed by both groups. I might be not quite right on this, but I believe that it needs a majority of the browsers and 60% of the CAs, or maybe that's flipped. Maybe it's 60% of browsers and the majority of the CAs. But either way, you have to get a majority of both of those groups, and they're counted separately. For example, there was a recent ballot that Google put forth to bring certificate lifespan down to one year, down to 13 months to be precise, and the ballot failed. But, if you look at the individual voting, what you'll see, which is interesting, is that it passed the browsers (100% of voting browsers voted in favor of it) and it failed the CAs. Seventy percent of the voting CAs voted against it. Only 30% voted in favor. So it didn't pass and therefore, the ballot didn't pass in the CA/Browser Forum.

    Now, what could happen is browsers might decide to make this requirement anyway. They have the power to do that. They could say, any cert that is more than 13 months old, I'm just going to distrust. That would have the same de facto result, but it would do it without a passed ballot. So, you know, that's the kind of thing that can happen. That's the kind of thing we keep our eyes out for. And again, in general, just in the spirit of not having chaos and keeping CAs able to be compliant, that's the sort of thing that I want to discourage, and we'd much rather do things through the CA/Browser Forum as much as we can.

  • Jason Soroko

    It's been around a long time. It has made a lot of good decisions. I think the fact that the internet works the way it does in a fairly stable way is a testament to the good work that has been done and the spirit of cooperation. So, I think more good has come out than anything else. So how often does the voting cycle happen, Tim?

  • Tim Callan

    It's really whenever it happens. Anybody can bring forth a ballot at any time. In reality, it's a lot of work to bring forth a ballot so it tends to be done seldom and for good reason, because you're expected to put your ballot together. It's expected to be correctly formed with all the correct information. If that's not the case, it's not a legit ballot. But if it's considered to be a legit ballot, then it goes out. There's a discussion period which is, I believe, two weeks, and then at the end of that, it may be brought forth for vote. You can put a ballot out for discussion and then withdraw it if you'd like. But at the end of the discussion period, you may put it to vote, and then voting lasts eight days and then at the end of eight days it passed or it didn't.

  • Jason Soroko

    How often does the group physically meet?

  • Tim Callan

    There are three main communication channels. First of all, there's a mailing list and a Wiki. So, people can go online and they can use those online channels. There's also a regular call. And there are regular calls of working groups and subcommittees as well. So, if you belong to a working group or a subcommittee you can participate in those. And then there are what we call face-to-faces, which occur three times a year, and always one of the browsers or CAs hosts, and usually it tends to be one of the larger ones but not always. We try to share it around. Sectigo hosted last year, by way of example, and we try to share it around, and the entity that's hosting puts together a physical location and everybody comes to it and normally, the face-to-face lasts about three days and a lot of discussion happens there. And a lot of the work on the mailing list and the calls is either leading up to the face-to-face or is outcome from the face-to-face. So, the face-to-face, it's a very intense several days and then we either go away and work on what we discussed or we're doing work leading up to that so we're able to go in and use that time very well.

  • Jason Soroko

    That's fantastic, Tim. Hey, you know, again, I think that everything you've just talked about here really shows the sheer amount of work that the industry puts in to make browsing and the security with browsers work seamlessly. It's a very thoughtful process. Just so much, you know, so many people's hours spent just thinking through this and getting it right and it's been going on year after year. Is there anything else that we need to know about the CA/Browser Forum?

  • Tim Callan

    Maybe the big thing for the listeners to be aware of is that this is a purely voluntary organization. This is one of the things that I run into where people just don't get this, and you wouldn't assume it, but there is no force of law. There is no rule. There's no governmental mandate. This was a group of people who work in the industry who get together and try to be cooperative even though in theory they're competitors, and make rules and guidelines to make everything secure. And the reason we do that is that we believe that all of us are better off - not just those of us in these jobs but those of us who use the internet - if this is done than if it isn't, and so it's a time when people who otherwise would be competitors have to put that aside and sit down and think about what's for the greater good. In that sense it's very unusual. It's not like the FCC required this or something. This is just an activity that the industry does, that the industry created on its own, in order to keep the industry healthy and mature and, for the most part, even though it can be aggravating sometimes if you're there in the room, for the most part, it's actually an effective and functional process. And so that's a pretty cool thing and that's the thing that not everybody understands about the CA/Browser Forum.

  • Jason Soroko

    That's great, Tim. Well, obviously, we'll be keeping a very close eye on all that as we do as members and as a principally important Certificate Authority within that. But that is illuminating, Tim, and I've got to thank you for sharing that. I know you've been around the public trust business for a long time.