Josh welcomes back Daniel Thompson to explore the rather silly question of whether Santa Claus needs to be compliant with the Cyber Resilience Act (CRA). This episode was intended to be silly, but it ended up being an incredibly interesting conversation. Daniel explained a great deal about how the CRA works and how it could apply to Santa Claus. The TL;DR is that even if he’s giving out free stuff, the CRA almost certainly applies. Daniel also fills us in on his book (you can email Josh to enter a drawing for a copy) and his work on web browsers for the CRA. It’s an incredibly informative discussion.

Daniel’s work on the standards is funded by EFTA and the European Commission.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today we have a very special Christmas episode of the Open Source Security podcast. I’ve got Daniel Thompson returning. He’s the CEO of CrabNebula, expert rapporteur at ETSI, security theater actor,

and the guy behind Complyland. So I asked Daniel to come back because Daniel is the smartest person I know when it comes to CRA. And I thought, wouldn’t it be hilarious to ask the question, can or is Santa CRA compliant? So Daniel, thank you so much for agreeing to this ridiculous topic.

Daniel (00:32) Yeah, of course. No, I think the most important thing to remember is that Santa operates on a very strict schedule, as does the Cyber Resilience Act. So as you may be aware, the very first parts of the Cyber Resilience Act that are entering application are going to be in June of 2026. That is when the governments have to, or have the ability to, notify a conformity assessment body to the Commission as a body capable of

Josh Bressers (00:40) Ha ha!

Daniel (01:01) certifying the conformity to the standards. Then the next episode, as it were, is going to be in September of 26. That is when the vulnerability disclosure, the reporting mechanisms are in place and everyone has to tell if they’ve been naughty or nice. So I guess the first point in time where Santa could be compliant is going to be for the Christmas season of 26.

However, he doesn’t have to have full compliance for all of his products with digital elements because those are actually going to be probably based on module H, although some people say it’s a default class of product. If it were me, I would have put Santa and all of Santa’s stuff at critical two. I know there isn’t critical two. You’re saying Daniel, funny. No, but really, seriously, gifts are important because

We have to deal with not just safety, but also security. I mean, I think it’s NORAD, you know NORAD, they’re tracking him. So it’s also about defense, right? Now, the first theoretical part of Santa’s compliance, like I said, is going to start in September. However, smart Santa followers know that he’s well prepared. So he obviously has his chosen conformity assessment bodies.

And like I said before, he’s probably taking the module H path. So if he’s doing it right, he also has an ISO 9001 set up and ready to go to be expanded upon to track his quality management system. Obviously there’s a quality management system. I have never had a present from Santa with someone else’s name on it. It just like doesn’t happen. So he’s very much into the QMS side of the things. So that’s why I’m saying it’s probably module H, in which case he will then

Drop his module H certification the day the standard relevant to his product is published, the vertical standards. Operating systems is my guess is what he’ll certify against just because there has to be a machinery behind that. It’s like there’s IT, there’s OT, and there’s ST, frickin Santa, right? Santa tech. I don’t know how it works. Nobody does. But that’s probably what he’ll do. In which case he will be

compliant with the expectations of Module H, this quality management approach, well ahead of time, probably even before anyone else. So 26 is my bet.

Josh Bressers (03:36) Holy cow, that was a fire hose of information.

will say, you’ve taken a level of seriousness to that question. Much above what I expected, so well done, sir.

Daniel (03:50) Look,

I’m a serious guy, I work with serious people, and one of the things I’ve learned writing standards is that they don’t mean anything if we’re wishy-washy about it, right? Words have meaning, meaning is important. We agree on these definitions, and that’s actually the latest news from Commission Land, from Comm, is they recently published the final definitions of the products with digital elements that are important and critical, which is great.

as an author of a standard that is based upon the meaning of this term, it’s good to have in my pocket before we send these standards out over to the HASS assessment at the commission. like butter.

Josh Bressers (04:37) So, I mean, what is the definition of critical in that context, right? Like, what kind of products are we talking about that are going to fall under this jurisdiction?

Daniel (04:48) Well, thankfully I wrote a book about this, humble pitch. And in the book you can find the previous version of the definitions of products with digital elements, the one that we got in July. And like I said, there’s important class one, important class two, and critical. Now, critical, that’s what you asked about.

Josh Bressers (04:51) haha

Daniel (05:16) hardware devices with security boxes. I’m thinking that’s the gift box with the ribbon on it, right? You know, that’s why I think it’s probably critical, Santa’s gifts. Or smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure crypto processes.

Josh Bressers (05:41) Okay, so I don’t think Santa’s delivering smart meters, hopefully.

Daniel (05:47) yeah, right. I’m

asking myself serious questions about my life choices at that point.

Josh Bressers (05:52) I mean, I won’t count anything out, but so when we think of an entity like Santa Claus, right? We’re talking about a lot of consumer stuff, right? Where does like consumer stuff fall in this universe?

Daniel (06:09) So there is a classification of important that talks about children’s, wait, let me just read it. Internet connected toys.

that have social interactive features or that have location tracking features. That’s an important class. Smart home products with security functionalities, including smart door locks, security cams, baby monitoring systems, and alarm systems. Personable wearables.

Josh Bressers (06:30) which is a lot of stuff.

Daniel (06:47) that have a health monitoring purpose or personable wearables intended for the use by and for children.

Josh Bressers (06:56) Okay. And they, and they have to follow the CRA, I guess, guidelines, right?

Daniel (06:57) Right. That’s a special call out there.

Well, for each of these named verticals in the importance and critical classes, there is a harmonized standard written by the fine folks at CENELEC or ETSI, the European Standardization Organizations. And by fine folks, what I mean explicitly are a group surrounding a rapporteur, which is kind of like a subject matter expert.

meets a secretary, meets a comment wrangler, meets someone with not enough time. And they work together with titans of industry. So I have three that our company is working on, browsers, password managers, and boot managers. And for example, at the browser manager meetings, which happen lately on a weekly basis, they’re two hours long.

You have to be an ETSI member to join, but thankfully Mozilla is an ETSI member, Google is an ETSI member, Huawei is an ETSI member, Apple is an ETSI member. Although Apple doesn’t show up as much as we’d like them to. And if Apple, you’re listening, I’ll say hi again, please come and talk to us. We’d like to know what you think the difference is between WK WebKit and Safari. And I mean, I’m not going to go too deep into browsers right now. Maybe we can do that in a little bit, but basically,

All of these verticals try to support manufacturers in attaining what is called the presumption of conformity. What this means is, if you as a manufacturer have a product that has an explicit use case, the goal of this product is to be a VPN. That’s what it’s for. Then you have a vertical standard that describes the risks associated with

VPNs, we’re writing risk-based standards, and there are a number of STRIDE-definable, CIA triad-explained concerns that the regulator has expressed that all products have to address.

If you as a manufacturer choose, you don’t have to, but if you choose to use a harmonized standard, then there’s a very clear set of expectations based on use case or environment or threat model that you then can pick and choose the requirements that mitigate those risks and assess your mitigation with tests, collect that evidence. And that is how you

prove that you have fulfilled your expectations or the expectations of the Commission to be conformant with the law. Now, I said you can choose because you can also go to DEKRA or to TÜV SÜD or to any other conformity assessment body and say, hey, I don’t like this standard. Let’s do it my way.

And you know what? The conformity assessment body is a legal entity. Ultimately, it’s like a lawyer. So they can’t break the law for you. They’re going to have to work hard and even harder than using one of the harmonized standards. So the standards aren’t required. What is required is that you prove your conformity and the standards give you a way to assess that you have done the right things based on the expectations of the commission and nothing else.

That was a lot. Maybe you have a couple questions.

Josh Bressers (10:53) No,

I did not know this. That is, I’m learning way more from this episode than I thought I would, which is a delight. Okay, so I wanna back up to the beginning of what you said, and you said in order to work with the regulators, you need to be a European. Is that correct?

Daniel (11:11) Well, yes and no. I mean, every manufacturer of a product that places that product in the European single market is going to have to follow the laws of Europe. the…

Josh Bressers (11:26) right.

Daniel (11:32) direct contact with the regulator, you better hope not, right? Like you fulfill your obligations by declaring conformity. I think the thing that everyone recognizes out there is the CE mark. You see that little letter, like the C like a half circle and the E like a half circle. That shows that the manufacturer has declared conformity. In some cases, for some products, they have to use a notified body, which is an authorized entity that verifies this.

Josh Bressers (11:48) Yep. Yep.

Daniel (12:02) right? And once you have declared this conformity, you keep this documentation around and if the regulator has to ask you for the documentation, that’s a big red flag for you because something’s going wrong somewhere. Now, a reasoned request from any market surveillance authority

means you supply them with a bunch of documentation. Now there’s public documentation, like the user manual, translated into all of the languages of Europe where the product is on the market.

This is mostly formality. It’s like this is a product to take pictures with your smartphone. You install it by downloading it from the app store. You update it automatically when the app store tells you there’s an update and it will do it for you. If you choose to do it manually, you have to click this setting here. It is not recommended to do that, but it’s a free world, right? Turning off automatic updates might disqualify you from litigation opportunities according to the product liability directive.

So that’s the user manual. Then you have to have one of your favorite things in the world, a software bill of materials. This is hotly contested. What it’s actually ultimately going to consist of, we’ll see. But I want to remind all of your readers out there, even if the commission only demands top level dependencies in your massively oversized NPM infiltrated dependency tree,

It’s okay to keep it all there because who’s going to be looking at this? Your engineers? Perhaps the conformity assessment body, but definitely the market surveillance authority. And if they have to pick apart a binary to find out which version of which corrupted module you’re using or where the problem in the code lies, and you have to open up Ghidra, it’s going to take a longer period of time. And one of the powers of the Market Surveillance Authority is to say, we don’t believe you until we can prove that you have done everything correctly. Your product is temporarily removed from the market. They will call their friends at Apple. They will call their friends at Google and just say,

This guy with this product, well, that product is off the market. Not necessarily everything that the manufacturer has done. But I’m telling you folks, bump up your SBOM game because there’s more coming. We also have the CBOM. You might not be aware, but the cryptographic bill of materials is becoming a hard requirement for some government sourcing entities in Europe. I can’t talk about the rest of the world.

But it’s very relevant, especially since, and this is a little minor segue of mine, by 2030, you have to have hybrid cryptography in your product. Hybrid cryptography means both classical and post-quantum. Whether that’s Kyber 512, I can’t tell you that. It’s not my job. By 2035, it can only be quantum resistant. And I’m not going to say quantum secure because other people say it. I won’t say that. I don’t believe it’s a thing. But quantum.

Josh Bressers (15:06) Yeah, right, right.

Daniel (15:21) age cryptography. Maybe that’s a better word. Okay, but there’s more. There’s more. You also have to have a cybersecurity risk assessment completed. So what’s a risk assessment entail? Well, how does your product deal with data? How does it deal with remote access? How does it deal with passwords? What kind of crypto is it using? I mean, products are all different. Even within one product vertical, there’s so many topologies.

Josh Bressers (15:23) Yeah, yeah.

Daniel (15:51) Like it’s hard to make a general purpose diagram for a freaking password manager. I mean, it’s really hard, you know? And that’s one of the simpler products with digital elements that we’re working on defining. So you assess the risk. Hopefully somebody smart over at ETSI or CEN-CENELEC has drafted up a vertical together with titans of industry that define exactly what you have to understand and protect because assessing it

Josh Bressers (15:57) Yeah, yeah.

Daniel (16:20) includes tests. If you’re not aware, it’s not just these are the problems. You have to test and you have to have passing evidence because every single test, every single assessment for every single criteria of the conformance of your product, we call them requirements, has a pass/fail. And if you fail, here’s what’s going to happen. The conformity assessment body is going to say you fail.

Josh Bressers (16:24) Right.

Daniel (16:48) They’re not allowed to tell you what you did wrong. They might tell you that it lies in your secure element. But the thing is, a conformity assessment body is not your consultant. So smart Santas out there, their consultant already set them up with the 9001, is prepping for the module H.

Josh Bressers (16:50)

Right, right.

Daniel (17:17) knows which verticals it’s going to apply to and then carry it out with the consultant first. It’s like a classical 27001 situation. You have a bunch of gaps, you fill the gaps, you write the documentation and then you hand it off to the assessor and the assessor’s like, works. Checkmark, great. But it’s not just a checkmark exercise because these

Conformity assessments really require testing. Like verify for me that you’re using TLS 1.3. Like maybe looking at the code path works, but you better believe Wireshark’s in play. Right? Other tools that the tech community develops. I’m not favoritizing anything right now. I’m just saying that, you know, in the writing of these assessments, that’s what you have to do.

So if there’s no vertical for you to follow, I have a couple of words of advice. Find the one that closely matches your product. Look at the way that the assessments have been created for the requirements that you think you have. Use those as a jumping off point and just document everything you can because as you asked, like where does everybody else fit in? There’s important and critical. What about flappy birds?

What about my game on the App Store? Well, that’s what is called a default product. And default products do not have standards that apply to them other than generic horizontal standards that say, thou shalt code securely. I mean, important stuff, but it’s not going to give you the presumption of conformity. In fact, without a standard, a vertical standard there, you will not have the presumption of conformity. You have to prove it, which is why

Josh Bressers (19:15) right.

Daniel (19:16) taking

these building blocks is a great way for you to prepare because what we all sort of expect to happen, and by we all, what I mean is the desk officers over at DG Connect, which is in charge of the standardization process, as well as those of us that have been writing standards for CEN-CENELEC and ETSI, we expect manufacturers to come together and say, hey, we need a standard for memory safe programming languages.

and then write a standard for memory safe programming, like just as a piece of the larger puzzle so that you can then prove your conformity because you’re awesome and you’re using Rust or OCaml or something that takes care of memory instead of jockeying C++ like you’re a superstar. There are superstars out there. I am unfortunately one of the ones that needs Rust’s guardrails and I never write unsafe because I’m afraid of it.

So the moral of the story is, and we’re almost done, once you’ve gotten all this stuff put together, then the person in leadership responsible for this product, it could be the CEO, it could be the director of product, it could be the CISO, gets out their pen and puts their name, at least digitally, on the actual declaration of conformity, which is the legal document that you have to have.

and display to anybody who wants to see it. You might ask yourself, like, okay, but my SBOM changes daily, hourly? Like, I mean, there’s a lot of changes in there. How often do I have to update this declaration of conformity? Well, thankfully, only when you introduce a new feature and you’ve changed the risk assessment. When you add a new feature where there is a new risk associated with your product, that means

For all intents and purposes, you’ve created a new product. At that point, you have to re-declare conformity. You have to add the new assessments to the previous thing. If it’s a conformity assessment body that you used, you have to go back to them. They have to stamp it and sign it and agree to it. And these things take time. Second stocking stuffer for today is this is a gift for product owners because

Josh Bressers (21:17) on.

Daniel (21:43) Now, you plan features. There’s no more feature creep because feature creep in some industries means you could add three months on to the deployment of this product because it has to go through the compliance process. Whereas if you know the features ahead of time.

you can prepare for their existence and prepare for their assessment such that when the future lands, it’s not new, it’s always been part of the plan, you just add to the assessment. Now, does the regulator like hearing this? No. But in the default categories, there’s no other way to survive. What are you going to do? Every three months, sign a new declaration of conformity? Thankfully, that only triggers 10 years additional documentation period.

It doesn’t change the minimum expectancy of the product. The minimum lifetime of virtually all products with digital elements is five years. You are required by law to maintain the security of that product for five years. This means updates, patches. They don’t count toward changing the cybersecurity risk profile unless you’re forced to do something different to the architecture, which changes the risk. Right? So.

Josh Bressers (22:59) Interesting.

Daniel (23:02) Here’s something to chew on. Let’s pretend you use cryptography in your app and we’re just using, I don’t know, Edwards curves. Why not? Because everybody’s doing it. They’re fun. They’re easy to compute. Everybody knows how to do it, more or less. Pretty safe stuff. And suddenly quantum supremacy arrives and you’re like, uh-oh. Now you have to introduce a new algorithm. I don’t know, something

to do with letters of quantum blah it doesn’t matter, but you have to change stuff. Does that change your threat model? Were you ever anticipating attacks from a quantum supreme attacker? If you have a hybrid system in place or you have what we lovingly, God, I hate it, what we call crypto agility,

The ability to go from one algorithm to the next because sure, why not? But if you’ve included crypto agility as your mitigation to the risk of future quantum supremacy, then you won’t have to redefine your threat model because you’ve already prepared for it, right? And in that context, I get to do a lot of discussions at work about what is and what isn’t security theater.

in that context, being prepared for the regulatory ban hammer by thinking with a security mindset. I don’t mean shifting security left. That’s BS. I don’t know who came up with that. I hate it. Everybody has to start thinking from a security mindset, including the CEO that signs the Declaration of Conformity. Because if it’s not, that person is a liar. And if they’re a liar,

they will get their product removed, they will probably be fired. If they’re fired, then they’ll get sued and the company will lose money. It just gets sad and Santa does not want people to be sad. I mean, I would put on my hat if I needed one, but it’s summer in Malta. So.

Josh Bressers (25:14) It’s always summer in Malta, Daniel. Okay. So I want to ask that was, I, this has been a fire hose, the, this whole show so far. It’s amazing. I love it. But okay. So let’s, let’s, I want to talk about this in the context of Santa. Cause I think it lets us ask some absurd questions that help clarify some of the interesting points here. So if you are an entity, let’s say like, you know, North Pole incorporated, you’re not in the European union. You have a.

Daniel (25:40) Okay. Right.

Josh Bressers (25:43) ridiculous number of products. We’re talking about like literally millions of different products, most likely here, right? So all of this documentation, all of this, everything you’ve just talked about, I need to do this for every single product I have, yes?

Daniel (25:56) You could do it that way, or you could follow the model also, I think, proven by Ericsson. If they’re northern enough, where I think there’s some cross-hawk between North Pole and Ericsson headquarters. They’ve proven that the module H approach to verifying the quality of the products of the assembly line.

is a valid way of manufacturing dozens, hundreds, thousands, in Santa’s case, millions of individualized products because the QMS, it doesn’t absolve one of undertaking an assessment. There still has to be an assessment. You probably have to do this on an annual basis to make sure that Santa’s assembly lines are still functioning.

But that is how you would.

assign a class of products, the

the conformity that they’re supposed to have for Europe. Does Santa have to do this for India? Not yet. For the little boys and girls in Vermont? Not yet. But Santa is going to say, wait a second.

I have to put the silly FCC logo and the CE logo on the battery charger that I give out with my kids’ toys. So, I mean, I’m not going to just have different assembly lines, one for Europe, no, everything. Look, actually it makes sense. More security, more good, more good, more happy, more happy, more kids to get Christmas presents.

Josh Bressers (27:37) Yep, yep.

Right, right. That’s, that’s interesting. So, so you can, if you have lots of products, there are things you can do to alleviate that. That’s good because the thing I had in my brain is a company that has, let’s say like more than 10 products. This would be an absolute nightmare if you had to do it completely separately, completely.

Daniel (28:15) Well,

I got to be clear here. Like if one product is a robot that listens to your voice and responds with an answer and another toy is an electric bicycle that tells you how far you’ve ridden. Those are not the same class of product. Those are very different requirements. Right. So in that context, if you have a VPN and a browser and a router,

Josh Bressers (28:35) Okay. Okay, okay.

Daniel (28:45) you’re going to have to have three different product certifications because they’re very clearly different verticals. I’m talking about, we’ve made bicycles and each bicycle has a battery charger and all of the bicycles are slightly different, you know, different sizes, different colors, different shapes, and maybe different ways of charging different screens. But that’s a class of products. It’s very clearly all similar enough to fall under a quality management system.

Josh Bressers (29:13) Sure, sure. Okay, so now there’s also the angle of Santa isn’t charging money for the products. Does that get him off the hook in this context?

Daniel (29:24) Ooh, see, this is a really interesting question because placing on the market

Josh Bressers (29:33) Ah-ha!

Daniel (29:34) So, I mean,

so here’s the thing. I happen to know from some of my lifelong investing work that Santa also has stocks in Santa merchandise, right? So by promoting the act of charitable giving, Santa is actually recouping

on the markets of his valuation. And that means every time you see a Christmas tree with a star on it, Santa’s share value goes up. Every time a child’s eyes, Josh, every time a child’s eyes start to whine because they got the Star Wars Lego kit of Tatooine back in the 80s, his shares went up. And I think that that’s an important question to be asking yourself.

Are there reasons other than this product for you to make money? Does this product actually generate you standing? And it’s one of those critical points where some consultants might say it one way, others are going to say it another way. And I just say, look, if it’s possible for you, if you run a euro dollar company,

Do the conformity assessment, right? If you’re small, actually, if you’re a micro enterprise or an open source project, open source is a totally other situation entirely, but even as a micro enterprise, you don’t face the same level of fines that large enterprises face. I’m not going to name any of them. They know who they are. They’re listening right now. They know what’s coming after them.

Josh Bressers (31:14) Yeah, yeah.

Daniel (31:33) millions of euros and percents of global turnover. So it’s for some of the FAANG persuasion. Yeah, maybe that’s just a drop, but it’s still going to be a sizable drop. I think what you have to ask yourself is, is this company, first of all, is it a company, right, placing a product on the market for free or for sale? And is it

enjoying a profit because of that activity.

Josh Bressers (32:06) I gotcha. Okay. Okay. Interesting. Man, that’s wild. Now here’s my angle on all of this. And I would love your opinion. I think Santa is one of the greatest criminals in all history. This is an entity that commits countless acts of illegal border crossings, right? Distributes goodness knows what.

Daniel (32:33) Yeah.

Josh Bressers (32:36) maybe illegally to people, it, you know, I’m sure there’s firearms and, and illicit substances. And, and so in this case, I could see Santa just saying like, screw you Europe. I’m not following your stupid laws. I’m going to do whatever I want. And there’s nothing you can do about it because let’s face it. If Europe was to outlaw Santa, that would be the biggest PR disaster in the history of PR disasters.

There’s no question, that’s just my opinion.

Daniel (33:04) So where’s the question? I

I don’t disagree with you. I think if we stick with the whole notion of thievery and illicit illegal activity in our context of products with digital elements, there’s one often misunderstood, misinterpreted, for my opinion, little citation in the MIT open source license.

that says you got to tell people whose copyright this is and that you’re using this library.

Josh Bressers (33:41) right.

Daniel (33:44) Arguably, not making that declaration as a product manufacturer voids your open source agreement.

Right? Because you just broke copyright law. You literally did. If we agree that that citation is pivotal, because if I recall, it is the only requirement of the MIT, is that you got to say where you got to.

Josh Bressers (34:01) Yes.

So the MIT license, you’re thinking that it’s the four clause BSD license that says you have to specify that this particular piece of software is included in your other thing. The MIT license only says you have to include the copyright statement with the software somewhere, not that you have to advertise. But, but you are correct if. Right, right. So four clause BSD is the one where you have to say like, this is, you know, my software and it includes.

Daniel (34:26) Right. You know, that’s true. But I mean, somewhere it means it has to be findable, right?

Josh Bressers (34:40) whatever, right? Some library. Yeah. And I can’t, I can’t wait for all of the open source licensed nerds to email me and tell me how I screwed that up. But, but yes, I get what you’re saying.

Daniel (34:41) Copyright Microsoft 2015.

Hey, look,

I’m going out on limb and I’m actually claiming that MIT requires the copyright declaration, or you’re voiding the agreement you have with the maintainers, the authors, the copyright holders of that code project. OK, so if we go out on a limb and say, you don’t have the authority to use this software because you stole it, by not declaring copyright,

That means that all of the defenses that would belong to open source components of your product are no longer active. That means you, for example, in the product liability directive, it is said that open source components, projects are not subject to litigious events.

Josh Bressers (35:30) Uh-huh.

Daniel (35:44) There is a way to read the product liability directive. And I know that some countries I’m looking squarely, squarely over at our friends in Helsinki. There are some that think that, you know, open source means other things than it does. But for the majority of Europe, the product liability directive is going to absolve you if you use open source in your product. If the deficiency is in that open source piece.

there is a likelihood that damages will be reduced. Now, the PLD is a no fault liability. It is a type of law that says you put a product in the market, somebody got hurt, it’s your fault. Now, these are going to be court cases, there will be court cases. And I just look forward to that event where

Josh Bressers (36:19) ⁓ sure.

Daniel (36:41) The manufacturer is like, yeah, but you know, this was left pad from Sindre Sorhus, right? And then Sindre’s like, wait, wait a second, I have a party to your litigation, show me where you used my, where you declared my copyright. And if you can’t, then he is definitely not party. And furthermore, you’re probably gonna get a counter suit for stealing, I mean, probably. Sindre’s not suing anybody, maybe somebody else might, maybe.

The Linux Foundation says, hey, we’re collecting all of open source. We’re going to put an attestation on there for you. Maybe the open source communities, the big boys, the open source software stewards, maybe they say, hey, look, that’s not right. We have the pockets to fund litigation against you for stealing open source.

It’s a fantasy, but it’s Christmas. And I think that that’s a present I’d like to see. If that comes to play out someday, because somebody listening to this podcast couldn’t convince legal to put the copyrights of the open source projects in the SBOM and make that SBOM public, well, yeah.

Josh Bressers (37:58) Okay, I’m gonna find some lawyers to talk to about this one, because that’s really interesting. That is a wild idea. Okay, all right, Daniel, let’s end this one on. I know you said you wanted to give a quick update on the browser work you’ve been doing at ETSI, and I’ll let you plug your book at the very end and we’ll tell people where to get it, because I’m excited to read it. So fill us in on browser work. This sounds exciting.

Daniel (38:18) Sure. Okay.

Well, I found out that GitLab has a limit on lines. I didn’t know that, but I had a markdown. I was writing this all in markdown and, like, it cut off at around page 280 or something like that.

Josh Bressers (38:34) wow.

Okay, so for the people listening, Daniel just held up a binder he has that is an enormous number of pages. It is a lot.

Daniel (38:51) I mean, in the US, in the US, we would definitely call that a solid inch, for sure.

Josh Bressers (38:54) It is very large, yeah, which would be 2.54 centimeters for you, we’ll say, civilized folks.

Daniel (38:57) 2.54. Thank you.

So I’m working on the collation and collection of the vertical standard of the browser for the European Union standardization request placed by the European Commission. That standardization request was accepted by two groups, CENELEC and ETSI. And as a special rapporteur, my job consists of wrangling the industry stakeholders who are members of ETSI. I’m working at ETSI, and contracted through CrabNebula to do this work together with Fukami and Mali.

dream team. Love it. And what we do is we have a very specific format that the standard has to maintain. And that is we have an introduction where we describe the scope of what is a browser, what is browsing, right? Then we, it really took us a day to figure out what browsing is. Because

Josh Bressers (40:14) This feels like the mathematical proof for one plus one equals two is like 360 pages long. Like, I totally get it.

Daniel (40:19) Yeah, something like that. After you have the scope, then you have, like, the formalia of definitions and normative and informative references. And then you kind of go deeper into the definitions of important terms, like

You know, the internet. That’s an inside joke. There is no definition of internet that’s globally accepted. It’s true. The closest I’ve found is that episode from, what’s that hacker TV show where they’re all in the basement?

Josh Bressers (40:48) guys.

TV show in the basement. The IT Crowd.

Daniel (41:03) Crowd hacking family, IT Crowd, yeah. The IT Crowd, where they have the internet in a box with a little red light on it. It’s about as close as we got. So we just say, okay, let’s just define it and move on. And you have these discussions, right? Anyway, the clause four is all about the informative section of what is the architecture of a browser? What are the security profiles? What does it have that…

defines the use cases. What are some of the use cases, right? And we use use cases to explain things like, you’ve built a derivative browser. I’m not saying Edge is derivative. It’s not like that. I’m not trying to be mean. This is still Christmas after all. But it’s a derivative of the open source Chromium project. Now, putting together a use case for this type of situation

Josh Bressers (41:49) Well, no, is like that. That’s a reasonable description.

Yeah. Yeah.

Daniel (42:02) covers a lot of the browsing that happens out there because you’ve got WebKit, you’ve got Gecko, you’ve got Chromium or Blink, whatever. You’ve got these engines. Don’t forget about Servo, Daniel and Servo. You’ve got these open source engines and then you build something on top of it. Even Chrome

Josh Bressers (42:19) Hey man, we can dream.

Daniel (42:30) is a proprietary project built on top of the open source project. It includes things that they’re going to have to then, like using the subtractive magical process, remove out everything that Chromium did and just use the requirements for what you added on top. Updates and passwords and Widevine or whatever it’s called, you know, these things that you as a manufacturer put on top of the

Anyway, we had a…

a long discussion about all this stuff until I said, look, we can talk forever about what the optimal architecture of a browser is or isn’t. And someone’s going to come along and say, hey, you’re wrong. And so we moved that into clause five. And clause five describes the requirements. This is the requirements clause. This is a normative clause. Consider it a chapter. It’s a decently sized eighth of an inch, or 3.5 millimeters, I guess. And what it does is it addresses the range of…

capabilities that browsers have. And this is where people tend to go astray when they’re reading my standard, or our standard. I mean, it’s not like I wrote most of it, but I kind of did. Our standard, we’re writing it together. Like, I’m very thankful for the contributions that we get. But what they get wrong is that we have chosen a capabilities approach, which means you don’t have to go through and answer all 600 requirements if you’re only doing an embedded browser.

Then you follow the embedded and the system, right? So we have, like, system level requirements, and then we have use case requirements that are based on the capabilities, right? So, I mean, if I just pick one at random, I’ll do it the proper way. I’ll find a requirement, and then we’ll pretend it’s Christmas, and then we’ll go through the capability assessment. Where are we? Here we go.

How about…

No, we’re not gonna do logging because that’s so boring. Protocol handling, how about that?

So the protocol handler is a security mechanism.

It has a number of different capabilities within it. But the first one is, I just stopped on custom protocol management. The manufacturer shall securely handle various communication protocols beyond standard HTTP, HTTPS. And the capability is having the support for custom schemes, WebSocket, WebRTC, and emerging web standards. Those are as examples. Now, with this capability comes

conditions of application. So the zero condition, the null condition as it were, is HTTP HTTPS only. And then we have standard web protocols with strict validation, custom protocols with registration system, unrestricted protocol handler registration. That’s a fun one. So that’s protocol three. Let me go find protocol three. Pro 3 requirements.

Unrestricted protocol registration, I’ll just pick one.

Pro 3 Rec 11, browser shall scan custom handlers for known security vulnerabilities. Juicy. Right? So that roughs out to Pro Rec 33. Let me go find which page Pro Rec 33 is on.

Josh Bressers (46:25) I like that one.

Okay, before we fall down this rabbit hole of never ending references to one another, I mean, this is a crazy amount of work you’ve put together here, you and the group, like, that’s very cool. Now let me ask this. Okay. Wrap it up.

Daniel (46:45) 210, come on. Okay. I’m sorry, I’ll be fast, 210. The assessment Pro-REC 33.

Here we go. It’s custom handler vulnerability scanning. We have a reference to this. We have a given, a conformant browser. We have a task to verify that the browser scans. We have six steps of verification. We have pass criteria, fail criteria, and evidence. Like, everything you could imagine as part of a browser goes in there. But wait a second, Daniel, this is something that Chromium solves. I’m not solving this as Edge, right?

So basically, those manufacturers that choose to build fully proprietary browsers have a lot of work to do. Because open source is not going to, Chromium team, they could, they may, but that’s a normative may, not a shall. That means the Chromium team could go through this book and say, yes,

We are confident that it meets the expectations of all of these criteria. Here’s the evidence. They don’t have to. They don’t have to. And that’s why this browser standard for me is a very interesting interplay of, well, wait a second. Is Safari open source? It isn’t. Does the Safari team from Apple want to go through the process of showing their changes from, or do they just say,

That’s too much work, guys. Let’s open source Safari. And hey, that would be another great stocking stuffer, to open source Safari for all of us.

Josh Bressers (48:37) Okay, so let me ask this. This is incredibly complicated, what you just described, this whole situation in the universe. Is this how all of the other expert groups are looking, or is the browser expert group unique in that regard?

Daniel (48:52) Look, another one that I know intimately is the boot manager, right? So, boot managers come in so many wide ranges of flavors, as do operating systems. I think that the very complex systems that we’ve kind of grown up with over the past, let’s call it 25 years of the 21st century, they tend to have this kind of open source proprietary

Josh Bressers (48:56) Right, right, yeah, that’s you.

Daniel (49:22) mashup and full products like VPNs, right? Or.

Josh Bressers (49:23) Yeah. yeah.

Daniel (49:36) or password managers, they seem to be like, when something is so downstream that it’s kind of obvious what you’re building, it feels like it’s easier to get a clear picture of what’s going on, right? Do you know what I mean? Like, there’s fewer requirements because it’s quite obvious. So from my perspective, the lower the complexity,

Josh Bressers (49:50) I see.

Daniel (50:03) the higher the chance that you’re going to have to go through these hurdles of certification. The more complex a product gets, the higher the chance that a lot of the stuff that you’re expected to resolve is already covered by your open source component distributors.

Josh Bressers (50:07) That seems fair.

Sure. Okay. Man, this is way crazier than I expected it to be. Man. Geez Louise, I’ve learned, we’ve been talking for 50 minutes now and I feel like I have learned more in the last 50 minutes than I learned in the last, like, three years of reading stuff about this.

Daniel (50:40) Speaking of reading the stuff, I do have a present for one of your listeners. This is my first book in the series. I’m coming out with a new one next spring. But the first book, Manufacturing European Software, I will personally sign and FedEx this book with some fancy stickers and stuff to one guest that you choose. Obviously, you know, I’m in Europe. Yeah, well, somehow.

Josh Bressers (50:49) Awesome.

I choose? What? I’m not, you can’t put that on me.

Daniel (51:07) You have to choose it somehow. I don’t want to know it. I don’t want to know whose address it is because of the GDPR and stuff. But how am I going to send it? But how am I going to send it?

Josh Bressers (51:13) What? So you’re putting that on me?

Daniel (51:18) I mean, you’re Santa’s helper. So you gotta pick.

Josh Bressers (51:19) What?

My goodness. All right. Look, okay. Here’s what I’m going to do. If you’re interested in Daniel’s book, there are two ways I’ll let you get ahold of me. No, there’s one. I’m only going to do one, so it’ll be easier on my life. If you go to opensourcesecurity.io, yeah, that’s the website, and you think about it, there’s a contact me. It’s josh@opensourcesecurity.io is my email address. Send me an email. I’ll put it all in a spreadsheet. I’m going to pick a random number.

And then I’ll reply to you and connect you with Daniel and let the two of you sort out how on earth you’re going to get a book from Malta to wherever it is you live. So do that, and we’ll go from there, but my goodness. That’s funny. Daniel has a Mac, obviously, ’cause he just gave a thumbs up and now there’s fireworks behind him, which will be in the YouTube video. But obviously the audio only folks will miss out on that. And also I will put a link in the show notes to a ton of the stuff we’ve talked about. There’s a link to Daniel’s book he sent me. So if you’re interested in

and acquiring it, we’ll say with money, you can do that. But holy crap, man, I was expecting a very silly show that would go off the rails. And I feel like we went off the rails in a different way, which is it was an incredibly informative and amazing discussion, Daniel. So I want to thank you so much. Holy cow. Like, I’ve got so much to think about and there’s so much I probably need to go start working on now.

Daniel (52:42) Well, good luck with that. Thank you. Thanks for having me. Happy to come back in a few months and give you some new fresh insights.

Josh Bressers (52:49) That’s right. And thanks to the magic of podcasts. Merry Christmas, Daniel. Yep. Merry Christmas, everyone.

Daniel (52:54) Merry Christmas to you too, Josh.