On a sunny day in May 2014, the mom of another volleyball player invited me for a walk outside. We had enjoyed plenty of these walks before, during the many volleyball tournaments where our daughters played on the same team. There is nothing quite like being in a convention center packed with thousands of girls playing volleyball and yelling and screaming, while referees blow their whistles non-stop on every court. We were definitely eager to get outside and talk about anything but volleyball.
The other mom, Poonam, asked about my work at Mozilla and expressed an interest in my role and the tools I used to curate the list of root certificates that were trusted by default in the Firefox browser. I explained that I had
created a spreadsheet containing all of the necessary details for each Certification Authority (CA) and that I dreaded the arduous but necessary process of updating and publishing it. Poonam suggested that a Customer Relationship Management (CRM) tool could make that part of my job easier. A couple of weeks later she invited me over to her house for tea, and she showed me a mock-up of how a CRM could be customized to help me curate the CA data. I was immediately sold on the concept.
The next two months were a whirlwind of meetings with various CRM providers, CRM Admin Consultants, and Mozilla organizations who I had not previously worked with. In my usual manner, I created detailed spreadsheets comparing the pros and cons of the options. After much discussion the final decision was made to use Salesforce and to hire Poonam’s company as the Admin Consultant. On July 31, 2014, I received my “Welcome to Salesforce” email for my 30 day trial of the Salesforce CRM, which became an official
salesforce.com organization on August 5, 2014.
On December 3, 2014 I
announced in the mozilla.dev.security.policy forum that the spreadsheet that I previously maintained would now be maintained in Salesforce and available via links in a Mozilla wiki page (now available at
https://wiki.mozilla.org/CA/Included_Certificates).
In October 2015, Ben Wilson became the first CA Community user of the “CA Community in Salesforce”. Then in February 2016 I issued CA Community licenses to the Primary Point of Contact for each CA who currently had root certificates included in Mozilla’s root store, as
announced in MDSP. Then CAs began directly entering data about their CA hierarchies into the CA Community in Salesforce.
As word about my new tool spread, other root store operators began expressing interest in using the CA Community in Salesforce. In October 2015 I began brainstorming whether major root store operators could share a common instance of Salesforce where CAs would be able to provide their data in one place for all of the browser root stores they are participating in. The root store operators would be able to share in verification of data, but continue to make independent decisions. The idea of sharing Mozilla’s CA Community in Salesforce with the other browser root store operators came into fruition, and the name changed to the “Common CA Database” (CCADB). Microsoft joined as Mozilla’s first CCADB partner in June, 2016. About a year later Google, Cisco, and Apple also joined the CCADB in that order.
In April 2019, I posted an article to the Mozilla Security Blog called “
Mozilla’s Common CA Database (CCADB) promotes Transparency and Collaboration”, which explained that the CCADB is helping us protect individuals’ security and privacy on the internet. The CCADB makes root stores more transparent through
public-facing reports, adds automation to improve the level and accuracy of rule enforcement, and enables CAs to provide their
annual updates in one centralized system.
As the CCADB grew in scope, I began holding “CCADB Council” meetings with the CCADB partners where we discussed any CCADB problems or questions and prioritized future enhancement requests. In 2021 the “CCADB Council” morphed into the “CCADB Steering Committee” and the meeting frequency increased to biweekly. The purpose of the
CCADB Steering Committee (SC) is to collectively determine the direction and priorities for the CCADB, and to share the workload of designing and testing updates to the CCADB. Additionally, the CCADB SC rotates responsibility for reviewing and processing data that is common to all of the root store members, such as CA certificates, policy documents, and audit statements. The Bylaws that govern how the CCADB SC operates are now posted on the CCADB website:
https://www.ccadb.org/rootstores/bylaws.
In November 2022, the CCADB Public discussion forum was created,
https://www.ccadb.org/cas/public-group, with the purpose of discussing topics related to CAs and Root Store Programs who use the CCADB.
My latest project has been to transfer the ownership and maintenance of the CCADB from Mozilla to the Linux Foundation. The CCADB has become a cornerstone of the Web PKI, so it should be a shared resource, operated independent of any one root store. Additionally, the CCADB and the corresponding CCADB Public discussion forum are used for data and topics that are not specific to Mozilla. This project should be finished by Mozilla and the CCADB SC in the next couple of months.
With my retirement on February 29, I leave the CCADB in good hands. The CCADB SC continues to work very well together towards the endeavor of helping to keep the web safe.
The new CCADB officers are:
Chairperson: Chris Clements
Treasurer: Ben Wilson
It has been a pleasure to work with you all, and I wish you all the best!
Kathleen Wilson