Podcast
Root Causes 311: What Is CCADB?
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
June 16, 2023
We describe CCADB, the Common CA Database. We explain the role of CCADB in the WebPKI and how this role is evolving.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo, this a “what is?” episode, and we want to talk about CCADB
Jason SorokoThe Common CA Database.Tim CallanCommon CA Database. I’m going to remind listeners of our Episode #237, “Why Mozilla Is so Important to CAs,” and in that episode we talk about the fact that Mozilla plays this very central role in the web PKI world that’s disproportional, that there’s a bunch of very important browsers with broad sets of user bases like Apple and Chrome and Microsoft, and yet, we go to Mozilla’s world when we deal with all matters for public CAs. And that situation basically was the genesis of this thing that we call CCADB or the Common CA Database. So, what do you know about CCADB?Jason SorokoYou know, basically it is, you know, I think what’s important about it is that as you say, Mozilla is running this, but really what’s important to know is that anybody who is operating a root store, and that’s any of the browser vendor, will be using this in order to do various kinds of things to help improve transparency and interoperability. My knowledge about it is limited to just the fact that it’s a coming together through Mozilla, but in terms of your knowledge about it, Tim, what was the impetus behind this here?Tim CallanI think, so I think there’s two things there. I think you hit a certain point. It in a way is like CA/Browser Forum. What CA/Browser Forum does in an important way is codifies and normalizes the different major root store programs requirements so that CAs have one set of rules to follow. Instead of there being a published set of rules from Mozilla and a published set of rules from Google and published set of rules from Apple, and I’m looking at all of them, all those browsers are able to get behind the BRs and the EVGs so that I have one set of rules, and I can look at that one set of rules and know that all the browsers are going to be ok with it. And that’s mostly true. Some of them have their own little rules, but mostly that works well.So, CCADB is attempting to do a similar thing for the business of managing your relationships with root stores. It’s got that word database in it. It’s a Common CA Database. The first thing that CCADB was for was, there’s a place that CAs can go and publish essential information about things like roots that the set of subscribing browsers can then use. And what that means is I can put it all in one repository; that repository has all the information that those browsers will need; it’s in one place; it’s consistent; and I know that all I have to do is keep CCADB current and use the rules there, and I won’t have to go and do something different for each individual browser. So that I can communicate as a CA, the browsers can get the information they need as the browser, and it’s running through this common channel that’s consistently applied, where it’s all in one place, where the rules and expectations are known, and CAs can just go and keep their CCADB records current. And they know that they’re doing what they need to do for the industry to understand that. In that regard, that’s helpful, and it is helpful.
You might say, well, how many browsers are there, really? Is it really that big of deal? Sure. But on the other hand, how many CAs are there? If these browsers have possibly approaching 100 CAs in their root stores, that’s 100 different CAs that they all need to think about, and if they can count on the fact that there’s a single place where those CAs know they need to go, where everything is in the same order, it just reduces the opportunity for mix-ups, missing information, errors, and things along those lines. So, that’s point number one, that you were making - the consolidation. And I think that’s very important and valuable, and it’s very analogous to the CA/Browser Forum rules, to the BRs.
The other thing it does, though, that’s I think, interesting and important, (and this is where we go back to the Mozilla thing) is it removes more of this community web PKI CA activity from Mozilla’s umbrella and gives it its own umbrella. We’ve talked in past, and again, if you go back to the episode I referenced earlier - I think it was 237, whatever that was - you’ll see that part of what we talk about there is how these Mozilla properties, like Bugzilla, becomes surrogates for the whole industry. So, Apple and Chrome and Microsoft and Cisco and 360 are paying a great deal of attention to what’s going on in the Mozilla forum, even though it’s not their forum, it’s Mozilla’s forum. And one of the ways it gets a little bit weird is that like if I had a bug that was contrary to Mozilla’s policies that wasn’t contrary to anybody else’s policies, I’d still it write up in Bugzilla, and it would kind of get injected into this global web PKI kind of dialog.
So, part of what we get out of CCADB is you can think of it as an entity, and even though it’s being run by Mozilla, it’s an entity where they’ve started to segment things. So, for instance, there used to be one message board, what we used to call m.d.s.p, although it’s not really called that anymore, but it’s what everybody still calls it, where you would write about issues involving public CAs. And in theory, that’s Mozilla. The M stands for Mozilla. They wanted to differentiate matters that had to do with Firefox specifically from matters that had to do with the web PKI in general, so they created a second message board. Now there’s two message boards, and you can have a thread on either one, and one of them is named for Mozilla, and the other one is named for CCADB. So, the idea is to say, look, we recognize that it all started with us. This is me channeling Mozilla, now. I’m kind of putting myself in their shoes for a minute. And we know that it all started with us and because it all started with us, there is this weird fact that stuff that doesn't have to do with us is taking place in our yard. And what we’d like to do is have two yards and our yard is going to be for our stuff and our browser and our other open source projects. And then the yard next door is going to be for the web PKI that everybody depends on and everybody subscribes to. And so, it looks to me like there’s this long term vision to try to disentangle the things of Mozilla from the things of the public trust infrastructure and give them each their own home and their own place. And even though they can be synergistic and they can help each other, and even though Mozilla in its Mozilla way is running CCADB, they’re still trying to disconnect the stuff that’s proprietary and individual to Mozilla from the stuff that’s for all CAs and all public trust everywhere.
Jason SorokoThat’s great, Tim. You know, it’s kind of interesting though, you know, for those of us who were watching this industry for an awfully long time, it seems like a long time coming, really. These things were kind of handled differently or not as formally in the past. I think this coming together, though, this one-stop shop for these kinds of things is really positive, and I think - like a lot of things that of coming out of the CA/Browser Forum recently, even, you know, the whole industry is simplifying the message, consolidating the rules, taking off some of the rough edges, having a single place to look, all in the spirit of transparency and all in the spirit of doing things right, I think it’s all positive.Tim CallanIt’s interesting you’re touching on that. This is the story of the internet, and this is the story of computers. Where what started out as these very niche things that are being run by a specific set of individuals or companies for their own needs, expand dramatically and all of a sudden something that was intended to be private for a specific market or specific group of people winds up much bigger than that. And we very much see that in this case, where originally PKI was meant for private companies to use inside of their own networks, and then suddenly, the World Wide Web, which itself was adapted from something that was meant for a different purpose, took off. So we adapted a thing, a different thing that was meant for a different purpose and stuck it in this new world, and then you wind up with these kind of weird accidents, and this a good example of that. And, you know, if there’s an organization that’s ever going to kind of think about what’s the long-term good and what’s the public weal all about, it’s going to be somebody like Mozilla, and so, it’s not surprising that Mozilla would be the company that would say, hey, I want to change this, and I want to differentiate these things. But these are big projects. They take a long time. They’re slow going, and a lot of it is kind of figuring it out as you go. It’s very exploratory.Jason SorokoTim, for those people interested, and I would say anybody listening to this podcast is probably interested in PKI in general and publicly trusted certificates very specifically – if you go over to ccadb.org, a very clean website. What I love about it is just for the general person, if you click on resources, which is very clear link on that page, one of the first things I see down in the general section here, Tim, is crt.sh, a link right to it.Tim CallanYep. There you go.Jason SorokoSo, you know, if you want to know about Mozilla’s root store program, Microsoft‘s root store program, Google Chrome’s root store program – I could tell you, you could do a lot, it would take you a lot of searching in order to get to these, and here it is, one page, click, click, click. Right? This is great.Tim CallanRight. And this is another point, and I think it’s great you went there. I was going to mention the resources page in particular. This resources page is good for a couple of things. One is it’s good for non-industry people who are interested and want to understand. And you can come here, and there’s a lot of very valuable information right there. You can read the specific policies for the three participating browsers. You can get these general tools that are helpful to you, and that right there is useful. I think it’s also useful for a CA that is, I almost want to say, new or niche, so when we talk about public CAs, we tend to think about companies like Sectigo that are pretty well resourced, they’ve been around for decades, they have global impact, they have delegated resources. They have, you know, you referenced here crt.sh; crt.sh was developed and is maintained by Rob Stradling. Rod Stradling is an engineer at Sectigo. So, there’s expertise for you. If you think about somebody who perhaps is a small regional CA or is new to the game or is in some extreme niche, they may have challenges making sure that they understand and use all of the technology correctly and just that their knowledge of the industry and the specifics need to be really right. And on the other hand, it’s not acceptable for a CA not to be able to operate at that level. If they can’t operate at that level, they can’t be a public CA, and so, what CCADB can do, is make it easier. It can bring together the appropriate relevant things and have them all together, not just so that a browser knows this is where I’m going to get all my information for my CAs, but also that a CA has something that’s a little bit canonical where they say, I can go here and any information that I find here I can trust, and I can use this to make sure that I’m really operating at the level that’s expected of me if I’m going to be in this role. And so, that is a great page, and it serves both of those points.Jason SorokoThere it is, ccadb.org. Go check it out and thanks for bringing up this topic, Tim.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
