
Moving Forward, Together

Last updated: 2023-03-03

For more than a decade, Web PKI community members have worked tirelessly together to make the Internet a safer place. However, there’s still more work to be done. While we don’t know exactly what the future looks like, we remain focused on promoting changes that increase speed, security, stability, and simplicity throughout the ecosystem.

With that in mind, the Chrome Root Program continues to explore introducing future policy requirements related to the following initiatives:

We hope to make progress against many of these initiatives in future versions of our policy and welcome feedback on the proposals below at chrome-root-program [at] google [dot] com. We also intend to share CCADB surveys to collect targeted CA owner feedback more easily. We want to hear from CA owners about what challenges they anticipate with the proposed changes below and how we can help address them.

Encouraging modern infrastructures and agility

We think it’s time to revisit the notion that root CAs and their corresponding certificates should be trusted for 30+ years. While we do not intend to require a reduced root CA certificate validity period, we think it’s critically important to promote modern infrastructures by requiring operators to rotate aging root CAs with newer ones.

In a future policy update, we intend to introduce:

In a future policy update or CA/Browser Forum Ballot Proposal, we intend to introduce:

In hopes of promoting the issuance and use of short-lived certificates, we presented a set of proposed changes to the Baseline Requirements that incentivize the security properties described above. These changes are currently under review and consideration by the CA/Browser Forum Server Certificate Working Group members.

In this same proposal, we introduced the idea of making Online Certificate Status Protocol (OCSP) services optional. OCSP requests reveal details of individuals’ browsing history to the operator of the OCSP responder. These can be exposed accidentally (e.g., via data breach of logs) or intentionally (e.g., via subpoena). Beyond privacy concerns, OCSP use is accompanied by a high volume of routine incidents and issues (1 and 2). Concern surrounding OCSP is further elevated considering the disproportionately high cost of offering these services reliably at the global scale of the Web PKI.

Focusing on simplicity

One of the 10 things we know to be true is that “it’s best to do one thing really, really well.” Though multipurpose root CAs have offered flexibility in addressing subscriber use cases over the last few decades, they are now faced with satisfying the demands of multiple sets of increasingly rigorous expectations and requirements that do not always align. We believe in the value of purpose-built, dedicated infrastructures and the increased opportunity for innovation that comes along with them. We also think there’s value in reducing the complexity of the Web PKI to increase the security and stability of the ecosystem. By promoting dedicated-use hierarchies, we can better align the related policies and processes that CAs must conform to with the expectations of subscribers, relying parties, and root program operators.

In Version 1.1 of our policy, we announced the Chrome Root Store will only accept applicant root CA certificates that are part of PKI hierarchies dedicated to TLS server authentication certificate issuance.

In a future policy update, we intend to introduce:

In a future policy update or CA/Browser Forum Ballot Proposal, we may introduce:

Promoting automation

The Automatic Certificate Management Environment (ACME, RFC 8555) seamlessly allows for server authentication certificate request, issuance, installation, and ongoing renewal across many web server implementations with an extensive set of well-documented client options spanning multiple languages and platforms. Unlike proprietary implementations used to achieve automation goals, ACME is open and benefits from continued innovation and enhancements from a robust set of ecosystem participants.

Although ACME is not the first method of automating certificate issuance and management (e.g., CMP, EST, CMC, and SCEP), it has quickly become the most widely used. Today, over 50% of the certificates issued by the Web PKI rely on ACME. Furthermore, approximately 95% of the certificates issued by the Web PKI today are issued by a CA owner with some form of existing ACME implementation available for customers. A recent survey performed by the Chrome Root Program indicated that most of these CA owners report increasing customer demand for ACME services, with not a single respondent expressing decreasing demand.

Unifying the Web PKI ecosystem in support of ACME will:

in ways that, historically, other automation technologies have been unable to accomplish.

In a future policy update, we intend to introduce requirements that all Chrome Root Store applicants must:

Increasing accountability and ecosystem integrity

We value high-quality, independent audit criteria that result in accurate, detailed, and consistent evaluations of CA owners’ policies and practices, regardless of their intended scope of certificate issuance or geographic location.

In a future policy update, we intend to introduce:

Streamlining and improving domain validation practices

The Baseline Requirements allow for the reuse of data or documents related to previously completed domain validations for up to 398 days. However, with the existing policy requirements in place, it’s possible for a CA to rely upon “stale” information for much longer than this (i.e., a new 398-day validity certificate can be issued that relies on information that’s 397 days old).

In a future policy update or CA/Browser Forum Ballot Proposal, we intend to introduce:

Multi-perspective Domain Validation (sometimes called Multi-Vantage-Point Domain Validation) is a promising technology that enhances domain validation methods by reducing the likelihood that routing attacks (e.g., BGP hijacking) can result in fraudulently issued TLS server authentication certificates. Rather than performing domain validation from a single geographic or routing vantage point, which an adversary could influence, multi-perspective domain validation performs the same validation from multiple geographic locations or Internet Service Providers and has been observed as an effective countermeasure against ethically conducted, real-world BGP hijacks.
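To illustrate why multiple vantage points matter, here is an added example (not code from the Chrome Root Program or any CA) that simulates an HTTP-style challenge check once from a single primary vantage point and once with corroboration from remote perspectives. The vantage-point names, the challenge token, the scenarios and the quorum threshold are all constructed assumptions for the example, not values from the policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    vantage_point: str        # region / ISP the challenge was fetched from (constructed)
    is_primary: bool          # the CA's traditional single validation point
    token: Optional[str]      # challenge value observed; None = not found / unreachable

def single_perspective_validate(observations: List[Observation], expected: str) -> bool:
    """Traditional check: only the primary vantage point's answer counts."""
    primary = next(o for o in observations if o.is_primary)
    return primary.token == expected

def multi_perspective_validate(observations: List[Observation], expected: str,
                               min_remote_confirm: int = 2) -> Tuple[bool, List[str], List[str]]:
    """Accept only if the primary AND at least `min_remote_confirm` remote
    perspectives observed the expected token. The threshold is an assumption
    for this example, not a number taken from the policy text."""
    primary_ok = single_perspective_validate(observations, expected)
    remote = [o for o in observations if not o.is_primary]
    confirming = [o.vantage_point for o in remote if o.token == expected]
    dissenting = [o.vantage_point for o in remote if o.token != expected]
    accepted = primary_ok and len(confirming) >= min_remote_confirm
    return accepted, confirming, dissenting

EXPECTED = "acme-http01-token-9b2f"   # constructed challenge value issued by the CA

# Constructed scenario: a routing attack near the CA's primary vantage point steers
# its traffic for the applicant's domain to a host that serves the expected token,
# while remote perspectives still reach the legitimate server, which has no token.
HIJACK_SCENARIO = [
    Observation("primary-us-east", True, EXPECTED),
    Observation("eu-west", False, None),
    Observation("ap-south", False, None),
    Observation("sa-east", False, None),
]

# Constructed scenario: legitimate request; the token is visible from almost everywhere,
# one remote perspective had a transient lookup failure.
LEGIT_SCENARIO = [
    Observation("primary-us-east", True, EXPECTED),
    Observation("eu-west", False, EXPECTED),
    Observation("ap-south", False, EXPECTED),
    Observation("sa-east", False, None),
]

if __name__ == "__main__":
    for name, scenario in (("hijack", HIJACK_SCENARIO), ("legit", LEGIT_SCENARIO)):
        print(name, "single-perspective:", single_perspective_validate(scenario, EXPECTED),
              "multi-perspective:", multi_perspective_validate(scenario, EXPECTED)[0])
```

The single-perspective check accepts the hijack scenario because the one vantage point it trusts was the one whose route was influenced; the corroborated check rejects it while still tolerating an isolated remote failure in the legitimate case.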

In a future policy update or CA/Browser Forum Ballot Proposal, we may introduce: