On Tue, Oct 22, 2019 at 2:17 PM Robin Alden wrote:
> Ryan,
>
> Referring back to Dimitris’s reference [1], i.e. your response to Stephan
> Wolf, I think he (Stephan Wolf) probably overstated the forum’s purpose
> somewhat, but your response goes too far in the opposite direction to be
> considered accurate
>
>
>
> Stephan Wolf said:
>
> > > My understanding of the formation of the Forum was always about
> adopting
>
> > > “best practices” by strong consensus of the CA and browser community,
>
> > > acting cooperatively and by consensus.
>
>
>
> Ryan Sleevi said:
>
> > "The Forum provides a venue to ensure Browsers do not place conflicting
> requirements on CAs that voluntarily participate within the browsers root
> programs, by facilitating discussion and feedback.
>
> >
>
> > That is the sole and only purpose of the Forum. Any other suggestion is
> ahistorical and not reflected in the past or present activities."
>
> I think Stephan’s statement could have said ‘developing’ instead of
> ‘adopting’, ‘better practices’ instead of ‘best practices’, and he would
> have been pretty close to the mark.
>
>
>
> I had to look up ‘ahistoric’ in a dictionary, since it is not a word in my
> vocabulary, and one of the two definitions Merriam-Webster says it is
> “historically inaccurate or ignorant”.
>
>
>
> I accept that it could be the view of a representative from a browser that
> the only point of the forum is as “a venue to ensure Browsers do not
> place conflicting requirements on CAs”.
>
> However, if the other members of the forum are of the opinion that there
> is value in the activity of developing, not just receiving, even minimum
> requirements that may be used to raise the bar in the Web PKI, and
> especially if there are other parties within or without the forum that
> consider those minimum requirements as being worthy of adoption or
> formalization within their use of PKI, for the web or elsewhere, then that
> gives the forum purpose beyond the resolution of conflicting requirements
> and therefore your view of the forum is not accurate from the wider
> perspective.
>
I think we're in quite a bit more agreement than disagreement.
That is, the value of the Baseline Requirements is the same as any SDO work
product - it's only useful if it's adopted and used. The existence of
standards for standards sake is not useful, nor are standards themselves
imbued with some special power that make them worthwhile independently
(i.e. with no implementations).
This is why, for example, SDOs like the IETF say "Rough consensus and
running code" - equal in measure. Or, for that matter, the WHATWG take a
more direct approach - many of the documents (e.g. the URL standard, the
Fetch standard, CSS, or even HTML) are "Living Standards", in that they
reflect "What implementations do", not necessarily "What they ought to do"
(this was a somewhat significant divergence from the prescriptive model of
the W3C).
So now let's circle back:
1) Why is the CA/B Forum relevant?
- The CA/B Forum is relevant because it develops documents like the
Baseline Requirements
2) Why are the Baseline Requirements relevant?
- The Baseline Requirements are relevant because they are useful to
inform audit criteria like WebTrust for CAs or ETSI EN 319 411-2
3) Why are audit criteria like those relevant?
- Those audit criteria are relevant because they're used by Browser Root
Programs
4) Why do Browser/Root Programs use those Audit Criteria?
- They use them because it's a convenient short-hand for a common base
set of requirements that can be independently assessed and that are
nominally aligned with the critical aspects of their Browser/Root Program
Requirements
5) Why do Browser/Root Programs define requirements?
- Because the use of certificates, particularly from third-party CAs, is
inherently a product security decision, and tied closely with the
reputation, needs, and desires of that Browser/Root Program and their
product(s).
The 'value' of the Baseline Requirements, as they stand today, flows down
from their use and adoption by Browser/Root Programs. And Browser/Root
Programs adopt them not because there is an intrinsic or inherent value to
them, but because they are useful if, and only if, they're aligned with the
Browser/Root Programs inherent requirements. If the Baseline Requirements
are not aligned with industry needs (read: Browser/Root Programs), then
Browser/Root Programs won't and shouldn't continue to use them, nor audit
criteria that are based on them. And if Browser/Root Programs don't use
these requirements, then there's limited value in them, and in the Forum
itself as the developer of them.
Browser/Root Programs don't use the Baseline Requirements inherently - they
use their Root Program Requirements, and accept the BRs only to the extent
they are aligned with those Root Program requirements.
For example, Browsers could fully decide that the WebTrust and the ETSI
approach to auditing don't actually meet the