Re: [cabfpub] The purpose of the CA/B Forum

2019-10-22 Thread Ryan Sleevi via Public
On Tue, Oct 22, 2019 at 2:17 PM Robin Alden  wrote:

> Ryan,
>
> Referring back to Dimitris’s reference [1], i.e. your response to Stephan
> Wolf, I think he (Stephan Wolf) probably overstated the forum’s purpose
> somewhat, but your response goes too far in the opposite direction to be
> considered accurate.
>
> Stephan Wolf said:
>
> > > My understanding of the formation of the Forum was always about adopting
> > > “best practices” by strong consensus of the CA and browser community,
> > > acting cooperatively and by consensus.
>
> Ryan Sleevi said:
>
> > "The Forum provides a venue to ensure Browsers do not place conflicting
> > requirements on CAs that voluntarily participate within the browsers root
> > programs, by facilitating discussion and feedback.
> >
> > That is the sole and only purpose of the Forum. Any other suggestion is
> > ahistorical and not reflected in the past or present activities."
>
> I think Stephan’s statement could have said ‘developing’ instead of
> ‘adopting’, ‘better practices’ instead of ‘best practices’, and he would
> have been pretty close to the mark.
>
>
>
> I had to look up ‘ahistoric’ in a dictionary, since it is not a word in my
> vocabulary, and one of the two definitions Merriam-Webster says it is
> “historically inaccurate or ignorant”.
>
>
>
> I accept that it could be the view of a representative from a browser that
> the only point of the forum is as “a venue to ensure Browsers do not
> place conflicting requirements on CAs”.
>
> However, if the other members of the forum are of the opinion that there
> is value in the activity of developing, not just receiving, even minimum
> requirements that may be used to raise the bar in the Web PKI, and
> especially if there are other parties within or without the forum that
> consider those minimum requirements as being worthy of adoption or
> formalization within their use of PKI, for the web or elsewhere, then that
> gives the forum purpose beyond the resolution of conflicting requirements
> and therefore your view of the forum is not accurate from the wider
> perspective.
>

I think we're in quite a bit more agreement than disagreement.

That is, the value of the Baseline Requirements is the same as any SDO work
product - it's only useful if it's adopted and used. The existence of
standards for standards sake is not useful, nor are standards themselves
imbued with some special power that make them worthwhile independently
(i.e. with no implementations).

This is why, for example, SDOs like the IETF say "Rough consensus and
running code" - equal in measure. Or, for that matter, the WHATWG take a
more direct approach - many of the documents (e.g. the URL standard, the
Fetch standard, CSS, or even HTML) are "Living Standards", in that they
reflect "What implementations do", not necessarily "What they ought to do"
(this was a somewhat significant divergence from the prescriptive model of
the W3C).

So now let's circle back:
1) Why is the CA/B Forum relevant?
  - The CA/B Forum is relevant because it develops documents like the
Baseline Requirements
2) Why are the Baseline Requirements relevant?
  - The Baseline Requirements are relevant because they are useful to
inform audit criteria like WebTrust for CAs or ETSI EN 319 411-2
3) Why are audit criteria like those relevant?
  - Those audit criteria are relevant because they're used by Browser Root
Programs
4) Why do Browser/Root Programs use those Audit Criteria?
  - They use them because it's a convenient short-hand for a common base
set of requirements that can be independently assessed and that are
nominally aligned with the critical aspects of their Browser/Root Program
Requirements
5) Why do Browser/Root Programs define requirements?
  - Because the use of certificates, particularly from third-party CAs, is
inherently a product security decision, and tied closely with the
reputation, needs, and desires of that Browser/Root Program and their
product(s).

The 'value' of the Baseline Requirements, as they stand today, flows down
from their use and adoption by Browser/Root Programs. And Browser/Root
Programs adopt them not because there is an intrinsic or inherent value to
them, but because they are useful if, and only if, they're aligned with the
Browser/Root Programs inherent requirements. If the Baseline Requirements
are not aligned with industry needs (read: Browser/Root Programs), then
Browser/Root Programs won't and shouldn't continue to use them, nor audit
criteria that are based on them. And if Browser/Root Programs don't use
these requirements, then there's limited value in them, and in the Forum
itself as the developer of them.

Browser/Root Programs don't use the Baseline Requirements inherently - they
use their Root Program Requirements, and accept the BRs only to the extent
they are aligned with those Root Program requirements.

For example, Browsers could fully decide that the WebTrust and the ETSI
approach to auditing don't actually meet the 

Re: [cabfpub] The purpose of the CA/B Forum

2019-10-22 Thread Robin Alden via Public
Ryan,

Referring back to Dimitris’s reference [1], i.e. your response to Stephan Wolf, 
I think he (Stephan Wolf) probably overstated the forum’s purpose somewhat, but 
your response goes too far in the opposite direction to be considered accurate.

Stephan Wolf said:

> > My understanding of the formation of the Forum was always about adopting
> > “best practices” by strong consensus of the CA and browser community,
> > acting cooperatively and by consensus.

Ryan Sleevi said:

> "The Forum provides a venue to ensure Browsers do not place conflicting
> requirements on CAs that voluntarily participate within the browsers root
> programs, by facilitating discussion and feedback.
>
> That is the sole and only purpose of the Forum. Any other suggestion is
> ahistorical and not reflected in the past or present activities."

I think Stephan’s statement could have said ‘developing’ instead of ‘adopting’, 
‘better practices’ instead of ‘best practices’, and he would have been pretty 
close to the mark.  

 

I had to look up ‘ahistoric’ in a dictionary, since it is not a word in my 
vocabulary, and one of the two definitions Merriam-Webster says it is 
“historically inaccurate or ignorant”.

 

I accept that it could be the view of a representative from a browser that the 
only point of the forum is as “a venue to ensure Browsers do not place 
conflicting requirements on CAs”.

However, if the other members of the forum are of the opinion that there is 
value in the activity of developing, not just receiving, even minimum 
requirements that may be used to raise the bar in the Web PKI, and especially 
if there are other parties within or without the forum that consider those 
minimum requirements as being worthy of adoption or formalization within their 
use of PKI, for the web or elsewhere, then that gives the forum purpose beyond 
the resolution of conflicting requirements and therefore your view of the forum 
is not accurate from the wider perspective.

 

Regards
Robin Alden

Sectigo Limited

 

From: Public  On Behalf Of Ryan Sleevi via Public
Sent: 21 October 2019 19:02
To: Dimitris Zacharopoulos (HARICA) 
Cc: CA/Browser Forum Public Discussion List 
Subject: Re: [cabfpub] The purpose of the CA/B Forum

On Mon, Oct 21, 2019 at 1:48 PM Dimitris Zacharopoulos (HARICA) <dzach...@harica.gr> wrote:

I see a conflict because the statement considers a different purpose than what 
is described in section 1.1 of the Bylaws. I was also surprised ("shocked" 
might better describe it) to read that any other purposes are "ahistorical", 
and see this statement being directed to a new Interested Party who just 
recently joined the Server Certificate Working Group.

 

Again, I want to emphasize, you're conflating an informative statement of fact 
- what the Forum has done in the past - with a statement of purpose, what the 
Forum does or will do. I can understand that this confusion exists, but it's 
not a conflict. What's further ahistorical is that while the Forum may have done 
X in the past, it no longer does those things in the section you cited! You'll 
recall that the Processing of EV SSL Certificates was not adopted as a 
continued Forum work item, precisely because it was seen as inappropriate for 
the Forum.

 

I agree with all three. I have also been pointing out these three elements in 
every presentation related to the Forum :-) However, the fact that the Forum:

*   is voluntary
*   does not define "Root Program Policy" and 
*   does not "enforce" nor "supervise" the CAs, 

are not related to the purpose of the Forum. You can say the same thing about 
IETF or other STOs. The CA/B Forum is a consensus driven STO that produces 
guidelines. How these guidelines are used is a different topic. We know for a 
fact that they are used as input for two International Standards, ETSI and 
WebTrust. Who knows how many other government or private sector areas are using 
the CA/B Forum's work product to define their policies.

 

Did you mean Standards Defining Organization (SDO)? It's unclear what you mean 
by STO.

 

You're correct that we could certainly look to make the CA/Browser Forum as 
ineffective as, say, the CA Security Council, and just as captured. However, it 
would simply mean that the CA/Browser Forum requirements no longer reflect or 
align with Root Program requirements, Root Programs would abandon the WebTrust 
and ETSI documents (as has been discussed in the past and is a /very real/ 
possibility), and develop their own auditing standards, to directly oversee. 
This is important to understand that the only value - and legitimacy - that the 
Forum has is not in producing the Guidelines, but in providing a venue for 
discussion. The Guidelines utility is certainly in providing input to