Root Causes 486: 47-day Maximum Term Ballot Passes CABF
Apple's ballot to step the maximum term for public SSL certificates down to 47 days has passed in the CA/Browser Forum.
- Original Broadcast Date: April 14, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
CA/Browser Forum Ballot SC-081 has passed.
-
Jason Soroko
So shortened certificate lifespans are here.
-
Tim Callan
This is the Apple-proposed shortening certificate lifespans ballot that was endorsed by Chrome, Mozilla and Sectigo, and it did pass a vote with a quorum. Overwhelming positive votes. That's it. So it's now a ballot. I mean it's done. It's a passed ballot.
-
Jason Soroko
Tim, I've got two general questions for you. One is, can you please remind everybody of basically the details, but then I'd like to hear a little bit more about the voting, how it went, even perhaps backing up a little bit into some of the changes that were made on that ballot to get it to this point. But who are the CAs and browsers that voted for, against, etc.?
-
Tim Callan
First of all, let's just remind people of the dates, like you said.
This will shorten certificate lifespans and domain control validation reuse. In particular, what will happen, the first date is March 15, 2026. So almost a year from now. At that point, what happens is the maximum term for both certificate lifespan - SSL certificate lifespan and DCV reuse - drops down to 200 days. As a reminder, what that's supposed to do is it's supposed to facilitate a six month renewal cadence. So it's six months plus a little. Give you a little bit of fudge factor.
Then a year later, March 15, 2027, we go down to 100 days. That is a three-month cadence plus a little. So again, you've got a little bit of fudge factor, but now the idea is you're doing it every three months.
And then two years pass after that, and on March 15, 2029, we have the final reduction, according to this ballot, of both certificate term and DCV reuse. Certificate term goes down to 47 days, which is one month plus a little.
So the vision there is that you're on a monthly cadence. Then there is the DCV reuse, though. This is where the times no longer match. DCV reuse goes down to 10 days. The idea there is that we want DCV to be really kind of current and continual, and by reducing it to 10 days, you have less opportunity for that. So those are the key dates. Those are all in.
As I said, the ballot passed. As a reminder of how it works in the CA/Browser Forum, you have a set of what we call certificate consumers, which, in laypersons' parlance, we call browsers, and then we have a set of CAs. Both have to pass it independently. So they both passed it independently. There were no no votes on the browser side, which you would expect. The CA side was almost all yes votes. There was a little bit of abstention, but mostly yes votes.
The other problem, or the other requirement, is that you have to achieve what is called a quorum, which is to say that more than half of the active participants in that particular working group must vote. We don't want something where nobody's paying attention, and you throw it up over the holidays, and three people vote, and now something goes in, so you have to achieve a quorum. More than half. So we also achieved quorum. So with all of those things covered, those are the requirements for a passed ballot. So the ballot is passed.
It's not official yet, and the reason it's not official is the next step in the process is we have an intellectual property review, which we refer to as IPR. Basically that is in place so that in the event a ballot covers something that is already somebody's owned IP, if someone can come out and say, hey, wait a minute, we have a patent on that, then there's an opportunity for us to see if we can get resolution of that particular issue. IPR is built into the process. It almost never comes up. It has come up once, and it doesn't make sense in this context. I don't see how anybody could claim to own the idea of making a certificate shorter. So I can't see a way that that would actually happen, but it is part of the prescribed process. So that's where we are now. We're not through IP review. I can't fathom how that would be an obstacle.
-
Jason Soroko
So Tim, to get to this point, I know that when the proposal first came out, the dates were a little closer in than where they are now, and I think by pushing it out a little bit, we got to this point where, wow, this overwhelming positive vote. I think that's the big message right now for the industry to note. Tim, I'm going to put you on the spot. Is this the first time a shortening certificate lifespan ballot has been voted on successfully?
-
Tim Callan
Well, so depends on how you define that. When we all originally passed the EV guidelines, they did cap the term for an EV cert at two years, which had never been done before.
When we passed the Baseline Requirements, the server certificate Baseline Requirements, they also capped a cert at that point at five years. That had never been done before. So you could contend that those were, but they're different from what you're seeing now. This sort of driving-it-down thing. The one-year ballot, in particular, could never pass. So three years, two years, those things did get through CA/Browser Forum. The one-year ballot got stalled. That was the noteworthy one, that sort of set the tone. That was back in 2000. The one-year ballot got called. Apple said, well, we're going to do it as a root program requirement. Chrome followed. Mozilla followed. At that point, CA/Browser Forum just went ahead and passed it as a ballot.
And so, a lot of us were concerned that we were going to go through a similar process this time. We didn't want to. I very much wanted this to be something that the industry could agree on together. I think, for reasons that probably make great sense, I believe that the browsers wanted a similar thing, and I'm happy to see that's what happened. There were adjustments that were made as part of this process, and the biggest one was that extra year for the final stage in the step down. Because there are a lot of concerns where people were saying, we don't know if everyone in the industry will be ready. I struggle a little bit with that argument, because if people can be ready for 100 days, aren't the requirements for being ready for 100 days and being ready for 47 days basically the same?
However, what happened was the compromise that Apple made and built into the ballot proved to be passable as a ballot in the CA/Browser Forum, and I think that's a great resolution.
-
Jason Soroko
That is the important news. I think on top of that, Tim, another consideration for why maybe it could have been moved up a little closer to the current time was this decoupling of public and private certificates, which is something we'll be talking about a little bit later in this podcast series. That's going to force a lot of certificate agility into the system by definition, but it is what it is. I'm really glad that it passed.
-
Tim Callan
I mean, we could maybe quibble about small things, but honestly, they're small things. The big picture is very good. It's right on the money. This is a positive trend, and this also is an example of the process working, which I really like. That the voluntary industry standards body that is CA/Browser Forum, that has no government mandate, could work through this and come to a resolution that is now becoming a new standard that everybody's going to be following that is good for the benefit of the WebPKI, and we did this without any force from an outside party. That's terrific. How often in life does that happen?
-
Jason Soroko
I wish you could have been with me at the ICMC Conference this week here in Toronto. There was a question when I was on stage that was exactly about that, which was, do you foresee legislation coming for publicly trusted certificates in order to force certain kinds of things, and I said the self-policing mechanism through the CA/Browser Forum is what's working.
-
Tim Callan
That's exactly right, and not to put too fine a point on it, that's one of the things we're cognizant of, and one of the reasons we're doing it. You know me - if you don't know my views on who's better off to govern technology, technologists or government, then just listen to almost any episode of this. I just feel that if we start having legislation make technology decisions for our industry, the inevitable consequence will be a worse industry, and to the degree that we can responsibly make the changes that must be made to keep the WebPKI current and secure, to protect the billions of citizens who use it, to the degree that we can do that, legislation will not occur, and everyone in the world will be better off. So to see the CA/Browser Forum work through this process and make this important change without outside pressure is encouraging. Heartening. It's really the kind of thing I want to see.
-
Jason Soroko
It's one of my favorite news items this year so far. Tim, thank you so much.