Free Trial
Contact Us
Podcast

Root Causes 296: SHOULD We or MUST We?

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
April 21, 2023

The CA/Browser Forum guidelines contain many prescribed requirements, with language containing the word SHOULD or MUST. In this episode we explain the specifying power of these two words, why they are used, and what they signal about the intent behind a guideline and how the rules might evolve.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanThis is one of our delve deep into the guts of the CA/Browser Forum guidelines, if you looked at the baseline requirements or the EV guidelines, you see frequent use of the words SHOULD and MUST, in all caps, and what we wanted to do today is discuss these two words, why they are used the way they are, the difference between them and basically what it all means in terms of requirements. Sound good?
Jason SorokoJason SorokoSounds good, Tim.
Tim CallanTim CallanOk. So, again, I know of us aren’t reading the BRs and the EVGs in depth but they are public documents that are available. The current version of these are available for anyone in the world to look at and this is an important part of the transparency behind the CA/Browser Forum. Right? Part of the idea is that it’s just right there, everybody can see what CAs are doing, everybody can see what the browsers are requiring because certificates, in general, public certificates need to be as transparent as they possibly can be. That’s a very important part of it. And because of that, all of these guidelines are publicly available. Anyone can go read them and frequently, people do. Not just industry people like me but, interested parties, security professionals, academics, CISOs, all of these groups sometimes find themselves delving into these rules and when you do, these are long documents. Lots of pages of each with very a lot of oftentimes Byzantine information in there and one of the ways to help navigate is to understand sort of what some of the general principles are behind this and I think we talked about some of these ideas in some earlier podcasts. Like we talked about default deny is one principle at one point. Today, we are gonna talk about SHOULD and MUST. So, as you go through these guidelines, as I said in the beginning about two minutes ago, you will see a lot of use of the word SHOULD and the word MUST. And these might seem intuitive but there is some specific expectations around these particular words.
Jason SorokoJason SorokoTim, I’m curious to know obviously, let’s get the definition from you but, the next question for me is gonna be what are some things of note that people should know within the industry that where it’s made a difference.
Tim CallanTim CallanSo, let’s start with MUST. So, MUST is exactly that. So, if the guidelines say that the CA MUST perform or may not is another version of that. There’s also a may not and a should not. If the guidelines state that the CA MUST perform DCV before issuing a certificate, for instance, that the main control validation must be done, that is a hard requirement. That means you do that every time for every certificate and if you ever fail to do that, that’s an incident. That’s a mis-issued certificate.

So, for instance, if any cert is ever issued without a – using the DCV, for example, that is just mis-issuance pure and simple. That makes good sense. Ditto for may not. So the CA may not reuse organizational information beyond 398 days. It’s a very simple thing. You may not do it. It’s that clear. If you ever do it, that’s a violation of the guidelines. That’s an incident. And that potentially, depending on the violation, is a mis-issued certificate.

So, that all kind of makes sense. But there’s a bunch of SHOULDs in there. And the thing that’s perhaps a little more interesting is what does SHOULD mean. Jason, if I tell you you SHOULD do something, just in layman’s terms, how do you interpret that?
Jason SorokoJason SorokoGeez, it almost speaks for itself. It’s something I should do. So, SHOULD to me means that it is absolutely a guideline. It’s something that’s recommended. It’s something that is almost all the way to being a hard rule. Like a MUST, but it’s not.
Tim CallanTim CallanBut it isn’t. And that is a good starting place when you think about the CA/Browser Forum guidelines, which is SHOULD means that this is a best practice. This is considered to be a good idea. This is not controversial that this is a good idea. It’s no longer being debated that all else being equal we would prefer things were this way. However, it has not yet been codified as a hard requirement. And so from an enforcement perspective, unless it’s a hard requirement, it’s no requirement at all. So, there could be a SHOULD that says I SHOULD do the following things with my certificates and if I did it with zero percent of my certificates, I would not be in violation of the guidelines. So, SHOULD is not carrying with it any kind of you are gonna do it 75% of the time or you are gonna make a best effort or anything along those lines. If it says SHOULD, if my web trust auditor comes and looks at my processes and determines that I have taken no effort at all, have put no energy whatsoever into doing this thing, that will not be a finding because SHOULD is not MUST. So, this is a very important point. So, anything in the guidelines that says the word SHOULD is not something that you can assume is going on. It can be not going on and there will not be a mis-issuance; there will not be a web trust finding; it will not be determined to be a problem today.
Jason SorokoJason SorokoThat is the rule. That is the definition. So, Tim, where are some of the SHOULDS and how do most CAs interpret them and use them?
Tim CallanTim CallanSo, why the heck would we have SHOULD, right? This is then perhaps the next question is well, why do we have SHOULD at all.

The reason we have SHOULD – and this is a very important point – is the process is that SHOULD - - for things that are going to turn into a MUST, as soon as we are clear that it is going to turn into a MUST or has a very good chance of turning into a MUST, we introduce it as a SHOULD. And what that does is that signals to CAs that this is coming as a hard requirement and this is your chance to get it implemented, figure it out, shake out the bugs, make sure you know how to do it because in a future ballot when it becomes a hard requirement, at that point it will no longer be flexible.

So, let’s go with an offline example, an analogous example. I might say that I’m gonna have a requirement in a year that all vehicles have some new anti-crash technology – or in five years. So, I would put in a SHOULD saying manufacturers should get this in and now the manufacturers will go oh holy smokes. This is coming. We better start working on this. And they start working on it so that when the SHOULD turns into a MUST, they are able to sell cars because those cars have the new anti-crash technology. That’s basically the idea and that’s how we do it. That’s how we signal it.

So, there frequently will be ballots that introduce things and part of what they’ll do is they’ll introduce some SHOULD language about something and it telegraphs where the rules are going. And so this is useful for a lot of people. It’s useful for the CAs, obviously, because they are the ones who ultimately have to implement this. It’s also useful for those consuming the software. Consumers, which we oftentimes just refer to as browsers but it’s operating systems and routers and all kinds of things who will know that certificates are going to be a certain way and behave a certain way and they can also put it on their roadmaps. They can understand I shouldn’t see this extension. I will now always see this extension and based on that I can act on it. I can do things.

And it also helps the community at large. So, if you are one of the earlier mentioned researchers or if you are an academic or just a community watcher, you also have a sense for where these things are going. You can start to think about the implications. If you are the kind of person who writes papers about these things or talks about these things or gives lectures on these things, you start to see where it’s all going and so it's actually an extremely useful - - although, I deliberately kind of set it up a certain way, Jason. I wanted to talk about there is no enforcement power at all. But despite the fact that there is no enforcement at all, it’s actually extremely important in terms of directing the community. Because what it does is it gives us a chance to telegraph this activity in advance and it helps guide the direction of the community and in that way it’s not unlike things like minutes of the face to face meetings, or the Chromium Projects Moving Forward Together page or other places where important influencers in the community have a chance to send clear guidance about what they are thinking and what direction these rules are probably gonna go.
Jason SorokoJason SorokoSo is it most often used as a heads up then for the industry? Ok. Got it.
Tim CallanTim Callan100%. As a heads up for the industry but also real specifically to get the CAs going. Once it shows up in the BRs as a SHOULD, CAs are supposed to be - we are - paying deep close attention to everything in the BRs. So, as soon as it shows up in the BRs or the EVGs, then the CAs have to reckon with it. And even if it’s a SHOULD, they look at it and scrutinize it and read the language carefully and ensure that that matches their CPs and CPSs and I’m sure that matches their practices and once they do that, they’re just kind of forced to wrap their heads around it. And hopefully the idea is that one thing happens and the CAs go, gosh, this is a SHOULD. That means that somewhere along the line it’s gonna become a MUST and I have to start figuring out how I’m going to do it when it is a MUST.

And then a lot of times, CAs just do it. We do a whole bunch of stuff in the BRs that are just SHOULD just because we think we should. And that’s great, too, because it starts to bring about those recommended practices even prior to them having teeth.
Jason SorokoJason SorokoWell, that’s great. I think that it’s a really effective mechanism then because I have seen those kinds of things. The CAs do take them seriously. So, in terms of the spirit in the way that the word SHOULD is being used, it makes a lot of sense there, Tim.
Tim CallanTim CallanIt’s a little peak into how these things evolve over time and how we evolve them without breaking things. Because that’s another piece of this. It’s hard, think about just the vast ecosystem that depends on these certificates and the thousands or tens of thousands of pieces of software and hardware and services that depend on these services and to keep all of that moving without breaking things - - To modify them without breaking things, part of what’s important is you have real clarity on where things are going and you telegraph that in advance in a very public way that makes it easy for people to understand and adjust and this is one of a series of mechanisms we have to do that.
Jason SorokoJason SorokoThanks, Tim. Interesting. CA/Browser Forum, of course, not that long ago – late February, early March, and next meeting we will see what else comes out but always interested to hear what comes out of that group of people. I know you are heavily involved, Tim, so thanks for keeping us informed.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud