On Fri, Oct 14, 2016 at 4:32 PM, Peter Gutmann
<pgut...@cs.auckland.ac.nz> wrote:
> Peter Bowen <pzbo...@gmail.com> writes:
>>The CA/Browser Forum is not a regulatory body.  They publish guidelines but
>>do not set requirements nor regulate compliance.
> It's a bit hard to describe its actual functioning, in theory they just
> advise, but then so does ISO, IEEE, and others.  They're not regulatory bodies
> either, but when ISO or IEEE says X you do it.
>>What action would you expect the Forum to be taking?
> I would have expected some sort of coordinating action to provide a unified
> response to the issue and corresponding unified, consistent behaviour among
> the browsers, rather than the current lottery as to what a particular browser
> (other than Apple and Mozilla's ones) will do when it encounters a WoSign
> cert.
> Then there's the bigger question that if the CAB can't do anything about a CA
> going rogue (fraudulently issuing certs to evade restrictions), does that mean
> the web PKI is just a free-for-all?  Who's running the show if it's not the
> CAB?

As I wrote to someone else recently, there is no single or common "Web
PKI".  There are numerous PKIs operated by dozens of different
organizations and a number of privately managed trust anchor lists
(Adobe, Apple, Blackberry, Google, Microsoft, Mozilla, Opera, Oracle,
and many others). The contents of each trust anchor list vary and each
list maintainer has their own policies on what CAs they will include
under what circumstances.

The CA/Browser Forum doesn't even legally exist (it isn't an entity)
and you will note the bylaws (https://cabforum.org/bylaws/) have an
anti-trust statement that lays out a number of things not discussed or
coordinated.  Which CAs to accept is not coordinated between trust
anchor list maintainers - they each make their own decisions.

If some neutral organization wanted to publish a trust anchor list
that others could use, great.  Maybe browsers would choose to leave it
up to that org to choose which CAs are trusted.  But that isn't how it
works today.

dev-security-policy mailing list