CA/Browser Forum 01-21-2021

DigiCert's Introduction to the CA/B Forum

DigiCert

To secure the web, certain standards are set that certificate authorities and browsers must meet. The Certificate Authority/Browser (CA/B) Forum is the standards-setting body that collaborates on aspects of website security. Composed of about 50 Certificate Authority (CA) and nine browser members, the CA/B Forum represents key parties in website security. The current industry standard for securing websites is TLS/SSL encryption, but the Forum sets standards for much more of what goes into online security.

This post will cover some insight into how the Forum works and DigiCert’s role in it as a CA. First, let’s define what the Forum does.

What is the CA/B Forum?

Simply put, the Forum is a voluntary organization of leading CAs, like DigiCert, and vendors of internet browser software, like Google Chrome and Apple Safari. Since 2006, the Forum has defined standards for the CA industry based on industry best practices. These standards improve the ways that everyone uses TLS certificates, benefiting all internet users and securing their communications.

What does the CA/B Forum produce?

The Forum produces standards, called Baseline Requirements, which all public CAs, whether members of the Forum or not, must adhere to. CAs undergo audits at least annually to verify compliance with these standards, and the resulting audit reports are provided to browsers. Any deficiencies must be remediated, which may require the revocation of certificates. As a standards-issuing body, the Forum is not involved in enforcing the requirements and has no authority to grant exceptions to its requirements.

CA/B Forum history

The first Forum meeting took place in 2005, and the Forum began to gain popularity and trust by 2006. In 2007, Extended Validation (EV) certificates and the EV guidelines were adopted; they improved on the existing identity validation requirements, which were not standardized at the time. CAs and browsers came together informally to come up with industry standards about issuance, revocation and other security decisions. They then published Organization Validation (OV) and Domain Validation (DV) certificate standards. While founded in the U.S., the Forum membership has over time grown to include members from other regions, including Europe and Asia.

Why it Matters

The Forum makes decisions based on knowledge from both browsers and CAs. CAs often collect information and opinions from their customers to make informed decisions and bring updates to the Forum discussions.

DigiCert is on the frontline for our customers and certificate users. We relay informed suggestions and developments to the Forum after listening to your requirements. But this can only work when all members work together and understand that best practices work best when they are based on all of the key stakeholders’ needs.

How the CA/B Forum works

The standards for website security are not static. They adapt to industry needs and are ever-changing. The Forum revises standards through a balloting process.

Anyone in the Forum can propose an idea or change to the Baseline Requirements. Once a general consensus is reached that the proposal will benefit security or operations, the individual can put forth a ballot with the additions defined, typically as a redline against the old requirement text.

The Forum holds an organized discussion around the proposed changes, and the proposer may elect to edit or completely replace the draft text in response to the discussion. Once the proposer thinks the ballot is ready, the ballot moves into the voting period. For a ballot to pass, two-thirds of CAs and a majority of browsers must vote to pass it.

The Forum communicates in a variety of ways: email lists, telephone calls, face-to-face meetings and the CA/B Forum website. The email lists where discussions take place, and the minutes of all telephone calls and face-to-face meetings, are publicly available and can be used to track what’s going on in the Forum.

Participation is also allowed from non-voting interested parties. An interested party can be anyone who wants to respond to what's going on in the Forum. Interested parties can read and post to the mailing lists, but cannot vote.

In 2016, the Forum reorganized to allow for additional working groups that could work on specifications for other types of certificates, such as code signing and S/MIME. For these working groups, CAs are referred to as “Certificate Issuers,” and applications and operating systems that trust such certificates are referred to as “Certificate Consumers.” The name CA/Browser Forum is now somewhat anachronistic, as for two out of three classes of certificates, the Certificate Consumers are not browsers.

DigiCert’s contributions to the CA/B Forum

DigiCert is a co-founding CA member that participates in the Forum to ensure the internet is a safe and secure space for our customers and their users. Additionally, DigiCert employees lead several working groups within the Forum. DigiCert's Dean Coclin is the new Forum chair and chair of the Code Signing Working Group, Tim Hollebeek chairs the validation subcommittee and Stephen Davidson is the S/MIME working group chair.

Here are some of the topics DigiCert has been involved in lately:

  • Requirements for Certificate Profiles: DigiCert has been heavily involved in the project to improve how the requirements for certificate profiles are expressed, bringing additional clarity to what is and is not allowed. The current way they are expressed is confusing and fragmented, leading to many disagreements about whether various certificates were properly issued or not.
  • Quantum Computing: DigiCert regularly provides the Forum with updates regarding quantum computers and post-quantum cryptography.
  • Code Signing: DigiCert is working with Microsoft as part of the Code Signing Working Group to figure out how to transition code signing to stronger cryptographic algorithms, without disrupting the large number of applications and devices that already use code signing.
  • S/MIME: DigiCert is helping the S/MIME working group inventory existing email standards. The group is making progress towards version 1.0 of the S/MIME Baseline Requirements.
  • Improvements to identity validation: Unlike some other CAs, who believe identities in certificates exist solely to prevent phishing and that existing validation practices are sufficient, DigiCert believes strong identities are fundamental to a strong web PKI, and has offered several important improvements to identity validation, some of which have been adopted.

Although the entire Forum works towards policies that enable a more secure internet, within the Forum there are differing opinions on how to get there. From DigiCert’s perspective, we advocate for policies that benefit digital security and the security industry.

What the CA/B Forum decides

Decisions made by the Forum manifest themselves in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

Recent Decisions

  • In August 2019, CA/B Forum Ballot SC22 was introduced by Google to reduce TLS certificate validity periods to one year. The ballot failed in the Forum, which meant certificate maximum lifetimes remained at two years. However, in 2020 Apple unilaterally decided to move to one-year certificate validity periods and many major browsers followed. DigiCert supports one-year certificates.
  • Server Certificate Ballot 25 tightened up the technical requirements for HTTP-based domain validation.
  • Server Certificate Ballot 30 required the disclosure of which registration agencies the CA uses to verify identity information. This was one of the identity improvements proposed by DigiCert.
  • Server Certificate Ballot 31 moved several requirements that originally existed in various root programs into the Baseline Requirements. Managing these requirements through the Forum process, while not perfect, is generally better than unilateral action by root programs.
  • Server Certificate Ballot 33 added a new validation method based on the IETF RFC 8737, replacing a previous IETF validation method that was withdrawn due to security issues. The ballot was endorsed by DigiCert.
  • Code Signing Ballot 4 moved various timelines for transitions to stronger encryption methods back slightly, to give the industry time to make a smooth transition. The ballot was proposed by DigiCert.
  • In 2020, the Forum passed the ballot creating a new S/MIME working group to develop minimum security standards for publicly trusted S/MIME certificates. DigiCert’s own Stephen Davidson chairs this working group.

Looking Ahead

When making these decisions, there are always plenty of issues and discussions at the Forum meetings. No doubt this complexity will continue into the future. We anticipate further communication around the following:

  • Validation rules for certificates. We expect further tightening of validation rules and validation lifetimes for certificates to increase web security. Browsers have indicated a desire to shorten lifetimes even further while also shortening validation data reuse. The number of allowed fields in certificates will likely continue to decrease, in line with browser desires.
  • Additional moves by browsers to restrict or eliminate validation methods. For example, Chrome is pushing for the elimination of HTTP-based validation for wildcard certificates on an accelerated timeline. It is unclear at this time how that will play out.
  • Organizational Unit field in certificates. This field has historically been used for a wide variety of purposes, but browsers are disinclined to let that continue. It is likely to be banned in 2021.
  • S/MIME Standards. This working group is making excellent progress in coming up with a profile for Secure Mail certificates. Once this is completed and accepted by the Forum, audit standards will follow.
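Two of the profile changes described above, the one-year validity limit that browsers adopted in 2020 (Recent Decisions) and the expected ban on the Organizational Unit field (Looking Ahead), are things an operator can check on their own certificates before a browser starts rejecting them. The Go program below is an added example, not code from DigiCert or the CA/B Forum: it builds a constructed self-signed test certificate with the standard library and lints it for a validity period over an assumed 398-day limit (the figure used for the one-year policy; treat it as a parameter) and for a populated OU in the subject. The function names, the limit and the sample certificate values are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the assumed maximum TLS certificate lifetime: 398 days, the
// value used for the one-year policy. It is a parameter, not a Forum constant.
const MaxValidity = 398 * 24 * time.Hour

// LintProfile checks a parsed certificate against the two profile rules
// discussed in the post and returns one finding per violation.
func LintProfile(cert *x509.Certificate, maxValidity time.Duration) []string {
	var findings []string

	// Validity period is NotAfter minus NotBefore; compare against the limit.
	validity := cert.NotAfter.Sub(cert.NotBefore)
	if validity > maxValidity {
		findings = append(findings, fmt.Sprintf(
			"validity period of %.0f days exceeds the %.0f-day limit",
			validity.Hours()/24, maxValidity.Hours()/24))
	}

	// The Organizational Unit attribute is expected to be disallowed; flag any use.
	if len(cert.Subject.OrganizationalUnit) > 0 {
		findings = append(findings, fmt.Sprintf(
			"subject contains OrganizationalUnit %q", cert.Subject.OrganizationalUnit))
	}
	return findings
}

// makeTestCert builds a constructed self-signed certificate (hypothetical
// sample input, not a real issued certificate) with the given lifetime in
// days and OU values, so the linter can be exercised offline.
func makeTestCert(days int, ou []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2021, 1, 21, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         "example.test",
			Organization:       []string{"Example Org"},
			OrganizationalUnit: ou,
		},
		NotBefore:   notBefore,
		NotAfter:    notBefore.AddDate(0, 0, days),
		DNSNames:    []string{"example.test"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		days int
		ou   []string
	}{
		{730, []string{"IT"}}, // two-year certificate with an OU: two findings
		{397, nil},            // within one year, no OU: clean
	}
	for _, tc := range cases {
		cert, err := makeTestCert(tc.days, tc.ou)
		if err != nil {
			panic(err)
		}
		findings := LintProfile(cert, MaxValidity)
		fmt.Printf("%d-day certificate, OU=%v: %d finding(s)\n", tc.days, tc.ou, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

To run the same check against a certificate you already hold, PEM-decode it and pass the result of `x509.ParseCertificate` to `LintProfile`; the linter only reads the validity dates and subject, so it works on leaf certificates from any CA.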

Stay Informed

In this article, we've introduced how the CA/B Forum works. Of course, we've just skimmed the surface. We also post regular updates about the Forum decisions and latest industry trends on the DigiCert blog. So, if you would like to learn more about DigiCert and the CA/B Forum rules and standards, you can keep up-to-date on our blog. If you would like more information on how DigiCert can help you, get in touch.
