On 2019-10-21 7:19 μ.μ., Ryan Sleevi via Public wrote:
On Mon, Oct 21, 2019 at 11:54 AM Dimitris Zacharopoulos via Public
<[email protected] <mailto:[email protected]>> wrote:
Dear CA/B Forum Members,
Recent posts [1], [2] were brought to my attention with a
statement from a representative of a Certificate Consumer Member
who believes that the role of the Forum is the following:
"The Forum provides a venue to ensure Browsers do not place
conflicting requirements on CAs that voluntarily participate
within the browsers root programs, by facilitating discussion and
feedback. This allows interoperability among the Web PKI space,
which refers to the set of CAs within browsers, and thus allows
easier interoperability within browsers. Prior to the Forum, it
was much easier to see this reflected in the private arrangements
between CAs and browsers. If different browsers had different
requirements, CAs would have to act as the intermediary to
identify and communicate those conflicts. Similarly, browsers had
to spend significant effort working to communicate with all of the
CAs in their programs, often repeatedly answering similar
questions. By arranging a common mailing list, and periodic
meetings, those barriers to communication can be reduced.
That is the sole and only purpose of the Forum. Any other
suggestion is ahistorical and not reflected in the past or present
activities."
<SNIP>
It is fortunate that we are given the opportunity to take a step
back and re-check why we are all here. I can only quote from the
Bylaws (emphasis mine):
"1.1 Purpose of the Forum
The Certification Authority Browser Forum (CA/Browser Forum) is a
voluntary gathering of leading Certificate Issuers and vendors of
Internet browser software and other applications that use
certificates (Certificate Consumers).
Members of the CA/Browser Forum have worked closely together in
defining the guidelines and means of *implementation for best
practices **as a way of providing a heightened security for
Internet transactions and creating a more intuitive method of
displaying secure sites to Internet users*."
Dimitris,
I don't believe there is the conflict you suggest between the
statement and the bylaws.
I see a conflict because the statement considers a different purpose
than what is described in section 1.1 of the Bylaws. I was also
surprised ("shocked" might better describe it) to read that any other
purposes are "ahistorical", and see this statement being directed to a
new Interested Party who just recently joined the Server Certificate
Working Group.
I think we're in agreement the the CA/Browser Forum is voluntary.
I think we're in agreement that the CA/Browser Forum does not, nor has
it ever, defined Root Program Policy.
I think we're in agreement that the CA/Browser Forum does not, nor has
it ever, "enforced" any action upon CAs.
I agree with all three. I have also been pointing out these three
elements in every presentation related to the Forum :-) However, the
fact that the Forum:
* is voluntary
* does not define "Root Program Policy" and
* does not "enforce" nor "supervise" the CAs,
are not related to the purpose of the Forum. You can say the same thing
about IETF or other STOs. The CA/B Forum is a consensus driven STO that
produces guidelines. How these guidelines are used is a different topic.
We know for a fact that they are used as input for two International
Standards, ETSI and WebTrust. Who knows how many other government or
private sector areas are using the CA/B Forum's work product to define
their policies.
I think this is much clearer if you continue quoting from the Bylaws.
Indeed, the two sentences that immediately follow, emphasis mine,
highlight this:
1.2 Status of the Forum and the Forum Activities
The Forum has no corporate or association status, but is *simply a
group of
Certificate Issuers and Certificate Consumers that communicates or
meets from time
to time to discuss matters of common interest relevant to the Forum’s
purpose. The
Forum has no regulatory or industry powers over its members or others.*
Yes, already acknowledged that.
I read this purpose as an "unofficial" agreement between
Certificate Issuers and Certificate Consumers to improve security
for internet transactions AND to create a more intuitive method of
displaying secure sites to internet users.
No. It's a statement about what the Forum has done in the past. If you
continue reading, you will find out what the Forum does. It merely
discusses.
Well, these discussions result in ballot motions, ballot motions are
voted and Guidelines are created or updated ("maintained"). And from
there, we know how these Guidelines are used.
I'm afraid this cannot be achieved if Certificate Consumer Members
continuously bring their "guns" (i.e. Root Program Requirements)
in CA/B Forum discussions. I would expect these "guns" to be
displayed and used in the independent Root Program venues and not
the CA/B Forum.
While I can understand if you're unhappy to discuss Root Program
Requirements, I think it belies a fundamental misunderstanding of the
Forum and the Baseline Requirements.
Recall: PKI was designed to allow different communities - i.e.
different browsers - to define different policies, profiles, and
practices for the CAs that participate in their different PKIs. The
Microsoft PKI is distinct from the Google PKI is distinct from the
Mozilla PKI, each of which has those vendors as the Root of Trust,
signing a Trust List for use within their products, based on their
product security requirements.
Conceptually, each of these PKIs define their own profiles and
practices (the Root Program Requirements) and define their own means
of assessing (e.g. Mozilla distrusting certain auditors, Microsoft
allowing certain auditors). The Forum exists to allow for
interoperability between these distinct PKIs. The Baseline
Requirements serve as a means of expressing a common set of
requirements, in order to reduce the need of obtaining a distinct
Microsoft audit or a distinct Mozilla audit, which are entirely
plausible scenarios.
Thus, it's inherent that the /only/ value of useful discussion to be
had is with respect to Root Program Requirements. It's also the
opportunity for CAs to provide input and insight into these
requirements, to understand what practical impact might be had, and
whether that's desirable or undesirable - by the Root Program.
Put simply, if folks don't want to discuss Root Program Requirements,
then there's no point in continuing the Forum itself. If the Forum is
not the venue to discuss that, then we can simply use the existing
methods that Root Programs use to gather feedback and input from their
participants - CA communications directly to program participants, and
collaborative discussion within SDOs relevant to browser activities
(e.g. WHATWG/W3C). There's no need to the Forum to continue to exist,
because it would literally not be solving any problem or providing any
benefit.
That seems extreme, and certainly presents it as "us v them", which is
an unfortunate viewpoint. However, it's inherent that the choice in
administering the set of trusted CAs is going to be a product security
decision, defined by product-specific capabilities and
product-specific priorities, and that's not something that can or
should generalize. PKI was precisely designed not to have this "one
size fits all" mentality, but to support the notion of many small
islands, sometimes with overlap and interoperability. We do not chuff
at the fact that the Nuclear Power Grid uses a different PKI than,
say, a departmental e-mail server, nor should we - it's simply a tool
and technology to solve a problem. To the extent browsers care about
interoperability, it's useful to have a place to discuss different,
potentially conflicting, requirements. To the extent CAs can provide
useful and valuable feedback about the implications of potential
changes, it's useful to discuss. But that's it.
I will let others state their opinion and comment about this. I, for
one, disagree.
Although the CA/B Forum takes input from its Members (Issuers and
Consumers), it has a consensus-driven process. This means that if a CA
or a Browser proposes an unreasonable or insecure change to the Forum's
Guidelines, it will need 2/3 of CAs and majority of Browsers to enter
the Guidelines.
If a new Certificate Consumer with completely ridiculous "My Program
Requirements" joins the Forum, the Forum is not forced by anyone to
adopt changes that would jeopardize the quality of the Guidelines.
I understand where you're coming from and respect the fact that you are
trying to make Root Programs align, but the way you frame it, doesn't
align with the Forum's purpose nor its processes. For better or worse,
each recommendation will have to go through the ballot process and get
consensus to be voted. No Certificate Consumer can enforce changes to
the Guidelines, at least with the current Bylaws.
I would personally feel very disappointed (as the CA/B Forum
Chair) if we were to re-purpose of the Forum to match the
statement at the beginning of this email.
It's stated in the Bylaws, and precisely why the Forum has voluntary
participation. It's useful to have a central, public mailing list to
discuss this and get useful, actionable, data-driven feedback to
inform Root Programs.
I can't see the relevance of the Forum's voluntary participation with
the feedback towards Root Programs. The Forum is open to Interested
Parties that can join and Contribute with ideas and improvements that
the Root Programs or CAs didn't even consider. Of course it is voluntary
just like most standards organizations.
Dimitris.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
