Free Trial
Contact Us
Podcast

Root Causes 218: PKI Nomenclature Oddities

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
April 20, 2022

Every technology space has its jargon. In this episode we go over some of the interesting, ambiguous, or amusing terms that are specific to the PKI and digital certificates industry.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanI think we have a fun one today. PKI and digital certificates is a jargony industry. All industries are jargony, and all tech industries are jargony. But we have our own special brand of jargon in our industry, and I’m a word guy. I notice words. Part of what my job has always been in my career is to communicate technology, aspects of technology and so, speaking about them, how you speak about them is important to me, and I’ve noticed what we’re calling PKI nomenclature oddities. So these are things that are unusual or funny or noteworthy or unclear in the world of PKI nomenclature, and I know of some, and I know you know of some, and we’re just going to talk about them today. What do you think?
Jason SorokoJason SorokoI think it’s great, Tim. I think it wasn’t that long ago you and I were actually having a podcast about the term PKI itself and what it really meant. So, there’s a lot of oddities in this little corner of tech.
Tim CallanTim CallanAbsolutely. These things do matter. Some of these things are a little silly and picky, but some of them aren’t. These things do matter, so it’s worth talking about. So, I just captured some notes this morning, and stuck them in six categories. It’s kind of like jeopardy.

So, it’s which word, can you count them, repetition, capitalization, what does it mean, and grab bag. So, which one do you - pick one. You want me to read them again? Which word, can you count them, repetition, capitalization, what does it mean, and grab bag. Pick a category, Jay.
Jason SorokoJason SorokoLet’s start with the capitalization.
Tim CallanTim CallanCapitalization. Capitalization for $400.00. So, let’s cover some capitalization things. Which one of these do I want to start with? I have four in this category. Let’s just start with the top one. So, how do you capitalize X.509?
Jason SorokoJason SorokoUsually have the small x? And then – oh no, but I have seen it with capital.
Tim CallanTim CallanI think I see it more with capital. I actually use the capital. I used to do the small x because I used to think that was proper. And I’ve kind of changed my mind over the years. I actually think the big X is proper, although the big X is ugly.And I think maybe the small x occurs because of the big X is ugly.
Jason SorokoJason SorokoAs a style issue, small x but proper I believe is large X.
Tim CallanTim CallanYes. So, that’s one I think, ok, we both agree large X. The other problem with large X of course is you have to hit the shift key, and we’ll run into that concept again later, like, things that make writing it, typing it unnecessarily difficult. Ok. So, now, this is the next one. This is a little meatier. HTTP or https? Capital or lower case?
Jason SorokoJason SorokoTo me that would be a browser choice. In other words, this is one where perhaps it’s subjective.
Tim CallanTim CallanI think it’s contextual.
Jason SorokoJason SorokoContextual. So, therefore, there is a context.
Tim CallanTim CallanSo, HTTP is an acronym for hypertext transfer protocol. However, http is also a description of the four letters that occur at the front of an URL, and one of those is always lower case, which are the four letters that occur at the front of the URL, and other one is always capitalized, which is the abbreviated acronym. And I think I will type it both ways depending on what I’m saying. Then there are some cases where it gets a little more general abstract, where it could be either, and then under those cases, you kind of pick one, I guess.
Jason SorokoJason SorokoThat’s a good answer. It’s dead right. When you’re writing about the acronym, it would be capitalized, and when you see it in the browser, it is – because of the fact that it’s part of the URL, it is not. Exactly right, Tim. Perfect.
Tim CallanTim CallanIf you were writing about that, you would do it the same. And then again, at a higher level there’s times, especially when you’re talking about https, where it could be either. You're saying, now, are we so, so in the event that this is using https, well which one do I mean there. I think either would be proper, and you could put either or them in, and it would be proper.

This isn’t exactly a PKI thing, but it’s a pet peeve, so I’m going to bring it up. IoT. It’s a thing we talk about a lot, write about a lot. I hate the fact I know why it’s that way, but I hate the fact that we have a capital and a lower case and another capital because my fingers just don’t want to do it.
Jason SorokoJason SorokoIt’s that word of which typically within an acronym or when it’s fully spelled out typically it will be - -
Tim CallanTim CallanIt would be lower case. But not always. Like, think about, it’s not of it’s on, but think about DOA, dead on arrival. How do you capitalize that? Capital D, capital O, capital A. I know there are plenty of other examples, and it feels like we all arbitrarily settle on one or another, and unfortunately, this one I think we settled on the wrong thing. I might start my campaign to start capitalizing IoT differently just because it’s inconvenient to type.

This is the last one. This goes way back into the arcane days of early digital certificates, but we all know, I figure we all know, you and I know and probably most people who listen to this podcast know that the first company that ever issued an SSL certificate was Verisign, and Verisign was major in SSL for a long time. So, Jay, in the word Verisign, do you capitalize the S?
Jason SorokoJason SorokoI use to. So, good enough for me, good enough for everybody.
Tim CallanTim CallanThis is a real interesting one. So Verisign actually changed the capitalization of its name. In 2010, they went from capital S to lower case s. Today, you would do a lower case s, but back then when they were an SSL powerhouse, you would have done a capital S.
Jason SorokoJason SorokoSee, that just means I’m old.
Tim CallanTim CallanMe too. That’s it. So, pick another category. Again, they are which word, can you count them, repetition, what does it mean, and grab bag.
Jason SorokoJason SorokoCan you count them.
Tim CallanTim CallanCan you count them. So, the idea here is, is this an enumerable or a non-enumerable noun? When I say enumerable, I mean you can associate number with it. So, for instance, you cannot say I have five gold, but you could say I have five bars of gold because bars is an enumerable noun and gold is not. It’s the difference between an object and a substance. So, let’s start with the one I hear the most. Can I go out and purchase an SSL?
Jason SorokoJason SorokoAn SSL. An SSL certificate. So, you’re talking about that in the singular?
Tim CallanTim CallanPeople say, SSL, so I’m going to go get an SSL and stick it on that server. Is that proper English?
Jason SorokoJason SorokoNo.
Tim CallanTim CallanI tend to agree. I think SSL is a protocol. It stands for a certain thing; therefore, it’s a substance, and I think the object is the certificate.
Jason SorokoJason SorokoIt is, Tim. To my ears anyway. You could, you always – if you say the sentence fully it would be an SSL certificate, making it only singular.
Tim CallanTim CallanCorrect. I do hear it, but I do hear it a lot. It is something that’s very much in common parlance, and people say it all the time, including very knowledgeable people. But I agree. It feels wrong to my ear, and that would never come off my tongue. I would always follow that with the word certificate. I bet you I know your answer to the second one, along the same lines, but can you have a PKI?
Jason SorokoJason SorokoA PKI. A PKI is to me a singular system.
Tim CallanTim CallanSo, could I have three PKIs? Like, is that valid? Can PKI be that noun on its own or would it have to be a PKI instance or some word along those lines?
Jason SorokoJason SorokoIt’s funny. We have dealt with multiple PKI systems, but I always have to throw on that extra word that does allow for the concept of multiple. I tend not to use PKI other than in the singular.
Tim CallanTim CallanYou’re using it as general. You’re talking about then the architecture not as a single CA, or a single instance. Because PKI, the last word in PKI is infrastructure. It’s short for infrastructure. And can you have more than one infrastructure? Sure. I can have this infrastructure over here and that infrastructure over there. That’s perfectly fine. But I agree. If feels a little funny just to say, how many PKIs are you running? I’m running four. It feels wrong.
Jason SorokoJason SorokoIf feels wrong, but you are right in saying it is technically correct. You could use that in a sentence. I don’t think the grammar police would come. I think it is correct.
Tim CallanTim CallanI do. I hear people say that. Even though I don’t think I would. But that might be me. I might – that might be my own, how I learned things, and it might not be correct. That’s all I had for that, can you count them.

By the way, if you want to throw yours in on any of these, bark out something or if they’re all grab bag, we can do them in grab bag.
Jason SorokoJason SorokoSure. No, these are too good, Tim. Let’s keep going.
Tim CallanTim CallanWhich word, repetition, what does it mean, or grab bag?
Jason SorokoJason SorokoLet’s go right to the beginning. Which word.
Tim CallanTim CallanWhich word, for $100.00, Alex. This is a big one. I’ve got a lot of these. Let’s start with the biggest one. SSL or TLS?
Jason SorokoJason SorokoIt’s TLS.
Tim CallanTim CallanBut the market talks about SSL.
Jason SorokoJason SorokoAnd the market talks about other things that mean nothing, too.
Tim CallanTim CallanNice. Nice, puristic response, Jay. I actually almost always say SSL. Because my audience says SSL. The people I’m talk to say SSL.
Jason SorokoJason SorokoSo do I. I use it every day.
Tim CallanTim CallanI use TLS when the fact that it’s TLS matters. Like if you're talking about the current version of the protocol, I’ll say TLS. But if you're just talking about a cert that you put on a server that identifies the server and enables encrypted communication, I say SSL. Just because that’s what everyone else says.
Jason SorokoJason SorokoWell, the thing is when you have a term that is technically deprecated but there is no other option to help to distinguish and therefore, it requires an entire sentence to distinguish which TLS you're talking about, it doesn’t make sense. The older term is going to remain, and there’s a good example.
Tim CallanTim CallanThat’s a good example of why. I think that’s a nice explanation of at least part of the reason why that term has stuck around. It certainly has stuck around for a long, long time, hasn’t it? I think also maybe nobody was pushing for the new word back in the day, and now we have a whole generation of IT professionals who have grown up saying this from the time they were freshman in college, and it’s just the word they know. Certificate Authority or Certification Authority?
Jason SorokoJason SorokoThat’s a good one. You know what? To me, it was always Certificate Authority. Because it’s about who is the, basically the centralized authority over the set of certificates. To me it’s Certificate Authority.
Tim CallanTim CallanI’ve always said Certificate Authority. When all this stuff started to come into my consciousness shortly before the World Wide Web exploded, like in the early 90s, everybody used, in this world, just said Certificate Authority, and that’s just what it was, and it wasn’t until a long time later that it occurred to me that perhaps Certification Authority could be the right term. You do hear this sometimes. Like people write Certification Authority. I see it written more than I hear it spoken. Certificate Authority also just rolls off the tongue better. That’s the other thing. It’s easier to say.
Jason SorokoJason SorokoIf we’re playing with words, it is the certificate. Certification is something else, and it’s something that a Certificate Authority would do. It’s a subset of activity rather than the thing.
Tim CallanTim CallanSo your point is that certification is part of what I do but a functioning certificate ecosystem is more than certification. It’s also a revocation and status monitoring or status reporting and things along those lines.
Jason SorokoJason SorokoIn other words, the word certificate is really, really the thing and in fact, in our realm of the world, certification can mean a few different things, and in fact, it’s not even the correct term. We would typically either say verification and because what is it that a CA is certifying. That word is typically not used. We have other very specific words for – that surround what you might consider to be certification. Regardless of how it’s used, that would be a subset of the thing in total.
Tim CallanTim CallanHow nerdy are we that we’re having this conversation?
Jason SorokoJason SorokoWell, that’s what this is. We’re getting in the weeds of nerdy here.
Tim CallanTim CallanI’m letting my nerd flag fly on this one. Ok. So, the domain validation. Domain validated.
Jason SorokoJason SorokoI will tell you that this might be a contextual one. Tell me if I’m totally wrong. The term is domain validation. Because you might not have validated yet, and you want to know, hey, what is my domain validation methodology. That’s how you would say that. You wouldn’t say what’s my domain validate. One really does come out as the winner because of the way that it would be used in general.
Tim CallanTim CallanI agree with you on all of that, and but here’s what’s interesting. Nobody says organization validated. They always say organization validation. Always. And nobody says extended validation. Nobody says extended validated. They say extended validation. So DV, weirdly, has these two usages in the world, and they’re both common. OV and EV has only the one.
Jason SorokoJason SorokoIt has to do with the domain because that’s a really specific thing. You are validating the domain. With the other ones, you're validating something else.
Tim CallanTim CallanExtended validation has the further problem that you wouldn’t say extended validated because that would be ungrammatical.

Do you say expiry or expiration?
Jason SorokoJason SorokoThat’s a good one, Tim. I’ve used both completely interchangeably.
Tim CallanTim CallanI say expiration just because that’s the word I grew up with my entire life. I never heard this word expiry until I got into the certificates world, and it never sunk in. I always say expiration. Always, always, always.

Do you say cert or certificate?
Jason SorokoJason SorokoIt depends on how quick I want to get the word out.
Tim CallanTim CallanThere you go. I agree. Depends on how formal I am. I never write cert. I will write cert in an e-mail to a colleague. I will never write cert in let’s say a blog post or an article or something like that. Just won’t write it.
Jason SorokoJason SorokoNo, the word is certificate.
Tim CallanTim CallanBut I say cert all the time when I’m talking.
Jason SorokoJason SorokoRight on.
Tim CallanTim CallanBecause as you said, it’s just quicker. Multidomain certificates/MDC or SAN or UCC? They’re all synonyms!
Jason SorokoJason SorokoI know. These are really good, Tim. You're pointing out why people coming into this could get so confused.
Tim CallanTim CallanI know. It’s horrible.
Jason SorokoJason SorokoTo me - maybe again this is showing my extreme decrepitude of age. I’m a SAN guy, and that’s just what I use.
Tim CallanTim CallanI will say UCC if it’s specifically UCC. I will say SAN, but that bothers me because SAN actually means something else. We shouldn’t actually say SAN, we should say MDC. So I try to say MDC. When I’m writing, again, in an article or something, I’m always saying MDC because that’s like the proper word. When I talk, like to you, I tend to say SAN.

We already touched on this, but do you say x dot 509 or do you say x509? I have used both, and if I were to speak at a conference I might use both, maybe not in the same sentence, but I might use both within a talk.
Tim CallanTim CallanI’m the same way. I just, one or the other comes out of my mouth, and I can’t figure out why it isn’t consistent, and it makes me wonder what’s going on in my brain, but it isn’t.

Now, this is interesting because this is a new one, and this is a topic near and dear to my heart, both of our hearts. This is where things are evolving is interesting, but what is the term that you currently favor to discuss cryptography that will be secure against quantum computers?
Jason SorokoJason SorokoThat’s a good one. It comes up so many different ways. I will say, Tim, the one that rings the most true in my head just because of the way things are going, is quantum resistant cryptography because everything else does, to me, has some problems with it.
Tim CallanTim CallanThat’s interesting. I say quantum safe, and I get your point that nothing is truly safe but quantum resistant is a mouthful. I say quantum safe. I also hear a lot of people say postquantum or PQC, and I think those are legit. Right now, I’m kind of in favor of quantum safe.
Jason SorokoJason SorokoQuantum safe – that word safe is a little softer than quantum secure, calling it something like that. So, there’s an implication that no, nothing will ever be 1 million percent perfect, guaranteed, signed by higher authority, but definitely, for me it’s still quantum resistant, but that is a true synonym to quantum safe.
Tim CallanTim CallanAnd quantum resistant is good. I could see that. It’ll be interesting to see if the industry settles on a term because this is going to be talked about more and more. You and I started on this topic pretty early, but I’m seeing a lot more discussion about it now. We’re going to need to settle on a word.

Getting down there. There are three more categories, Jay. We got repetition, what does it mean, and grab bag.
Jason SorokoJason SorokoWhat does it mean?
Tim CallanTim CallanWhat does it mean? Ok. These are things where they – I think they either mean multiple things or they mean no things. What does CA mean?
Jason SorokoJason SorokoCA? What does CA mean? We touched on this. Certificate Authority.
Tim CallanTim CallanBut is that a public company like Sectigo that can sell you a public certificate that you can put on your - -
Jason SorokoJason SorokoNo. You can set up a Certificate Authority for absolutely no beans at all with some open-source software. That would constitute a Certificate Authority.
Tim CallanTim CallanSure. What I would use the word for that would be Certificate Authority, but at the same time, if I was describing that other thing, what would I call it? I’d call it a Certificate Authority. Now, I tried to disambiguate that personally by saying a public Certificate Authority, but I’m like the only person in the world who does that.
Jason SorokoJason SorokoThe term Certificate Authority really and truly does mean – even though we use it very loosey-goosey, it absolutely means the mechanism with which you are issuing certificates, and in fact, within a PKI, used in the singular, you can have multiple CAs. A root CA, an issuing CA, various types of subordinate CAs, and so, the CA itself means something very specific. It typically, the one thing it does, it issues certificates.
Tim CallanTim CallanI agree on all of that. I think the point I’m getting at here is – and yet this other usage has become so common that it would be valid to include that in the dictionary, and it means a very different thing that is not even a subset of what you said. It’s actually a different animal that’s closely related but it’s a completely different animal. I mean a CA is a company. If I asked somebody if Sectigo is a CA, they would say yes.
Jason SorokoJason SorokoYou're right. I’ve used that term, and I’m exactly like you. I will typically say a public CA, but keep in mind as well, those vendors, it probably comes from past history. When the very first CAs for what was then SSL certificates, you typically had a CA, and that’s what you were running, and that’s what you were the vendor of, and now, of course, things have gotten far more complex than that, and that old term just kind of stuck.
Tim CallanTim CallanSure did. So, next one. This one, actually we did a whole episode on this, so we don’t need to belabor it, but it’s very in the spirit of what we just discussed, which is crypto. Maybe we’ll just point to you at our old episode. Go look at our episode on crypto. Crypto used to mean cryptography, and now, suddenly it’s started to mean cryptocurrency.
Jason SorokoJason SorokoPerfect example though for this podcast.
Tim CallanTim CallanI see it all the time. I’ll see some headline. It’ll be something doubles down on crypto, and I’ll go, oh, let’s find out about this, and it’s all about cryptocurrency. I see that headline all the time. What does it mean? I’m going to do the opposite. A what does it mean. It means absolutely nothing. High assurance.

High assurance. This is an SSL term. This has been around forever, and it’s still around. And it’s kind of used to mean a certificate with a high degree of information and validation, and it’s a term that predates the specific words we have, like EV and OV. And the reason is because it means nothing. It’s just this word that people started to use to say well this is a high assurance certificate, and they meant as opposed to a DV Certificate. But there was no codification of what constituted high assurance. It’s so, so squeezy.
Jason SorokoJason SorokoThat’s brutal, Tim. That is a really brutal term because of the fact that a lot of IT people who might not be directly working with certificates, or SSL specifically, they use that term HA usually with a number of 9s. And that means something completely different.
Tim CallanTim CallanMeans something completely different. The other problem, of course, is at one point I remember when we were naming Extended Validation SSL. There was this groundswell of support to refer to it as high assurance SSL, and the way I scuttled that idea is I pointed out that the acronym was hassle.
Jason SorokoJason SorokoI hadn’t thought of that.
Tim CallanTim CallanAnd everybody said, oh, we can’t call it hassle, and so we got to name it a different word, which was going to be better, so we got a word that was more precise.
Jason SorokoJason SorokoThat’s perfect.
Tim CallanTim CallanDo you want repetition or grab bag?
Jason SorokoJason SorokoLet’s do repetition.
Tim CallanTim CallanRepetition. Here’s one I hear a lot. PKI infrastructure.
Jason SorokoJason SorokoYou're using – you're throwing in the word infrastructure which is the last term of PKI. It’s a repetition.
Tim CallanTim CallanYes. Here’s another one. We talked about MDCs and SANs, and UCCs earlier. So, I frequently hear UCC certificate, which is United Communication Certificate Certificate. And I also frequently hearing MDC certificate, which is Multi Domain Certificate Certificate.
Jason SorokoJason SorokoHow do you know when you're using acronyms too much? When you're breaking down the acronym.
Tim CallanTim CallanThat’s it for repetition. It’s a short category, but I think those were fun. Then, we’re down to grab bag.
Jason SorokoJason SorokoWe’re down to grab bag, and in fact, I’m thinking of a couple, Tim, so go right ahead.
Tim CallanTim CallanWhy don’t I give you – I only have one in grab bag. So I’ll give you mine, and you can give me yours. Is that fair?
Jason SorokoJason SorokoThat sounds good.
Tim CallanTim CallanMine is kind of complicated. So, I’m certain you're going to get this right, but I’m going to start here anyway. What is the full term that SSL stands for?
Jason SorokoJason SorokoSecure Sockets Layer?
Tim CallanTim CallanThat’s right. And I frequently here all three of those words mutilated. I will hear secured, Secured Sockets Layer; I will hear socket, Secure Socket Layer; and I will hear layers, Secure Socket Layers. And any mix of those. Secured Sockets Layers. I know why. It’s weird to have the plural in the middle. Like our brains don’t want to do that. Having the plural in the middle and the singular at the end, just confuses everything, and it’s Secure Sockets because the sockets are secure. It’s not Secured Sockets, but I can see where all that happens. But I hear every possible mutilation of that one or read every possible mutilation of that one. Have my career all of them.
Jason SorokoJason SorokoI think the reason I usually get that right is because I’m old enough to know what those words actually meant.
Tim CallanTim CallanIf you think about it, it’s a good point. If you think about it, the meaning of those words is actually clear. It’s just again, if what you’ve learned is this acronym, and that itself has become the word, and you don’t think much about what they are.

What do you got for grab bag?
Jason SorokoJason SorokoTim, I got two and I think this might have fit into your category of words, what do they mean. But, this is really two examples of interchangeability of words where no you shouldn’t, you shouldn’t interchange the words.

The first one being – maybe this is way too obvious. Keys and certs are quite often interchanged and they shouldn’t be.
Tim CallanTim CallanYes. They’re very different things.
Jason SorokoJason SorokoBut you’ve heard people say keys when they mean certs, and you’ve heard people say certs when they means keys.
Tim CallanTim CallanAbsolutely. Depending on the context, maybe to some degree the cert for keys substitution might be acceptable or no, sorry. The key for cert substitution might be acceptable because it’s the container and the thing contained, so I might say, hey– if I’m in the grocery store I might say, hey, can you give me one of those peanut butters? I don’t want you to open up the jar and scoop it out in your hand. What I actually want you to do is hand me the jar of peanut butter. But I leave out the jar part because what we care about is the thing inside. So, the cert is a carrier for the key.
Jason SorokoJason SorokoPerfect. Perfect reason why our brain will do that. Exactly.
Tim CallanTim CallanBut I agree. Keys and certs are not at all the same thing, and you do not want to get them confused.
Jason SorokoJason SorokoHappens all the time. Even amongst people who have done this for many, many years. The brain just does it.

And the last one, Tim. The word encryption and the word cryptography. Sometimes interchanged and most of the time they really shouldn’t be.
Tim CallanTim CallanEncryption is enabled by cryptography. But they are not synonyms.
Jason SorokoJason SorokoThat is correct. Encryption is something very specific. Typically, you are turning some sort of message into a cypher and how you do that is with some form of cryptography. As you just said, Tim. And so therefore, in the most simplistic sense, that’s the difference. However, the terms are both so heavily used that they just sometimes they stomp on each other in a sentence and I know when the person has done it wrong, but, does it matter. Well, it does matter if you're explaining something it does matter if you're explaining how the system is working, what it’s doing. It really does matter, so, hey, it’s one of those things, be careful out there.
Tim CallanTim CallanI think you’re touching on another point with a lot of what we’re talking about here today, which is oftentimes the meaning is clear due to the context, and picking on it is just being nit-picky. But sometimes the distinction matters, and if you don’t get it right, you can lead to misleading conclusions.
Jason SorokoJason SorokoExactly. I would say that that’s true probably for the cert and key example even just a little bit more. But there you go, Tim. Those are the two I came up with.
Tim CallanTim CallanLovely. So that was it. PKI nomenclature oddities. I am certain that there are other ones that I didn’t think of because I run into this stuff all the time, and as soon as we get off of this recording, I’m probably going to think of them, but if I think of enough, maybe we’ll return to this topic again some day.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud