On Saturday, October 15, 2016 at 01:33:05 UTC+2, Peter Gutmann wrote:
> Peter Bowen <pzbo...@gmail.com> writes:
> >The CA/Browser Forum is not a regulatory body. They publish guidelines but
> >do not set requirements nor regulate compliance.
> It's a bit hard to describe its actual functioning, in theory they just
> advise, but then so does ISO, IEEE, and others. They're not regulatory bodies
> either, but when ISO or IEEE says X you do it.
Not that hard, in fact.
ISO/IEEE/ETSI/CABF write guidelines and recommendations, which you're free to
follow or not.
A regulatory body says: you must follow recommendation X and Y or Z from
ISO/IEEE/... to be part of my club.
Here, browser vendors are the regulatory bodies, and they take a suitable combination of
ETSI+WebTrust+CABF recommendations that CAs are required to follow.
> >What action would you expect the Forum to be taking?
> I would have expected some sort of coordinating action to provide a unified
> response to the issue and corresponding unified, consistent behaviour among
> the browsers, rather than the current lottery as to what a particular browser
> (other than Apple and Mozilla's ones) will do when it encounters a WoSign
And that's not CABF's duty or responsibility. What the CABF can impose on CABF
members is to follow the bylaws, the internal governance rules. By following
them, all members write the guidelines and decide on what changes to adopt, and
browsers then require CAs to follow these guidelines.
What appears from the CABF meeting minutes is that the WoSign+StartCom+Qihoo
combination is being looked into, precisely with regard to the bylaws.
> Then there's the bigger question that if the CAB can't do anything about a CA
> going rogue (fraudulently issuing certs to evade restrictions), does that mean
> the web PKI is just a free-for-all? Who's running the show if it's not the
dev-security-policy mailing list