Podcast Apr 22, 2025

Root Causes 488: CABF Face-to-Face Meeting Update

We explain the major news items from the most recent CA/Browser Forum face-to-face meeting in Tokyo. Topics include MPIC, 47-day certificate term, and Temporary Restraining Orders.

  • Original Broadcast Date: April 22, 2025

Episode Transcript

Lightly edited for flow and brevity.

  • Jason Soroko

    Tim, you were recently in Tokyo. But you weren't there for vacation. You were there because the CA/Browser Forum face-to-face was there. I'd love to hear an update.

  • Tim Callan

    The CA/Browser Forum has three face-to-face meetings per year. This one was in Tokyo, hosted by SECOM. They did a wonderful event, great venue, great facilities. Everything was done really well. There is a lot of sort of working time, working through, grinding through the details of upcoming bills, ballots and things. There was a lot of that. That's not super interesting.

    In terms of the high level items, one was that there was a scheduled agenda discussion of Ballot SC-081 which was the ballot to step down the certificate lifespan. We already gave an update on that in an earlier episode of this podcast, so that's kind of run its course.

    The second one that's worth noting was that there was a presentation on something called Open MPIC. We've talked about what MPIC is in the past. MPIC is multi-perspective issuance corroboration. Open MPIC is an open-source project that Sectigo owns and leads where any CA could use this code base to implement MPIC, and it's meant to make implementation as easy as it possibly can be, and much easier than building your own from scratch. So this is important. CAs need to support MPIC. It's a requirement. It's a requirement for good reason, because BGP attacks are real things, and at the same time, this one is technically advanced. So creating and maintaining Open MPIC makes compliance across the entire industry and the entire ecosystem just much easier. We don't do things technically to make CIOs' lives difficult. We do things technically to make it better. Sometimes your life gets more difficult as a result, but to the degree that we can minimize that difficulty, that's a good initiative. So that's another thing we introduced and talked about.

    There was also a presentation on temporary restraining orders. So last year, as you may know if you're a regular listener, a company used a temporary restraining order to prevent a CA from pursuing a BR-mandated revocation on time. The worry is that that will become SOP. That there are 500 CIOs across the US right now who have sent emails to their GCs saying, hey, draw me up some papers for a TRO so in the event I get one of these notifications, I can fill in three blanks and send the law firm down to the courthouse. If we want that not to happen, then we need to understand, number one, what can individual CAs do to declaw the possibility of getting those TROs. Second of all, what can we do as a forum to declaw that? We had a good introduction to the topic on that. That's something that we're going to be looking to drive as a group and a community. Those were, I think, probably the most interesting, important things that occurred at the CA/Browser Forum that the average listener will care about.

  • Jason Soroko

    That’s great, Tim. That is great. So I guess at the same time that the shortening certificate lifespan ballot was going on, I know this week, and I guess was there any other talk at that point in time in Tokyo that was interesting?

  • Tim Callan

    I think those were probably the big ones. There's a lot of like detail, of working through rules for S/MIME and rules for Code Signing that I don't know that the listener would profit from or care about. I think we are going to see deprecation of certain kinds of Code Signing key attestation that are considered to be not really very secure. So that came up. That will be worked on by the Code Signing working group. I think that's a good thing.

    I think we will be looking at a continued minimization and deprecation of email-based DCV methods, which you and I have talked about in the past. I think that will be a good thing, because they're just weaker and there's no real defense against a BGP version of an email DCV in the existing MPIC standards. So something has to be done there. I think there's recognition of that. Those are probably the big themes.

  • Jason Soroko

    When is the next face-to-face?

  • Tim Callan

    Next face-to-face will be in June, and it will be right here in Toronto.

  • Jason Soroko

    I'll probably join you. I hope I do. And we'll do the update together at that time.