For the first decade-plus of their lifespan as a technology, publicly trusted digital certificates operated with little oversight, transparency, or consistency in operating principles. To create predictable, reliable behavior among public Certificate Authorities (CAs), the CA/Browser Forum undertook the creation of its Baseline Requirements, which first went into effect in 2012.
The Baseline Requirements are a set of documented operational processes a CA must follow for its public certificates to be accepted by browsers for general use.
What's in the Baseline Requirements?
The Baseline Requirements are lengthy, with rules that vary depending on certificate type. They cover virtually every aspect of security as it relates to certificate issuance, including physical and cloud-based security, authentication practices, certificate morphology, and more. They include rules for domain validation, requester and organization validation, and maximum allowed certificate term.
One requirement of the Baseline Requirements is that each CA must maintain and publish a Certification Practice Statement (CPS) defining the CA's issuance practices. Failure to adhere to the statements in the CPS constitutes a violation of the Baseline Requirements and can require remediation by the CA, up to and including the revocation of certificates.
Do the Baseline Requirements Change?
In a typical year the CA/B Forum passes multiple ballots to modify the Baseline Requirements. Most of these are minor, but a few each year lead to significant changes to how CAs operate. For example, a recently approved ballot outlined new standards for domain control validation, which will affect CAs' operations for years to come.
The main reason that the Baseline Requirements change so frequently is that portions of earlier drafts have proven vague or open to interpretation. As new issues arise and new technologies enter the marketplace, the Baseline Requirements must evolve to address them.
What Happens When a CA Violates the Baseline Requirements?
The CA/Browser Forum is a voluntary organization with no enforcement power. Rather, each of the major browsers has its own set of guidelines a CA must follow for its roots to be included in the browser's root store and thus trusted by the browser. Major root store programs dictate that CAs must maintain compliance with the Baseline Requirements.
If one of the browser root stores decided not to trust a CA's roots, that CA's public certificates would no longer be viable for use cases requiring public trust. Furthermore, CAs are required to report and disclose any non-compliance they identify and to allow the public to ask questions about the violation, ultimately holding the CA to account.
To learn more about the CA/B Forum's Baseline Requirements, listen to Root Causes, episode 201, "What Are the Baseline Requirements?"