Re: [cabfpub] The purpose of the CA/B Forum

2019-10-22 Thread Ryan Sleevi via Public
On Tue, Oct 22, 2019 at 2:17 PM Robin Alden  wrote:

> Ryan,
>
> Referring back to Dimitris’s reference [1], i.e. your response to Stephan
> Wolf, I think he (Stephan Wolf) probably overstated the forum’s purpose
> somewhat, but your response goes too far in the opposite direction to be
> considered accurate.
>
>
>
> Stephan Wolf said:
>
> > > My understanding of the formation of the Forum was always about
> adopting
>
> > > “best practices” by strong consensus of the CA and browser community,
>
> > > acting cooperatively and by consensus.
>
>
>
> Ryan Sleevi said:
>
> > "The Forum provides a venue to ensure Browsers do not place conflicting
> requirements on CAs that voluntarily participate within the browsers root
> programs, by facilitating discussion and feedback.
>
> > 
>
> > That is the sole and only purpose of the Forum. Any other suggestion is
> ahistorical and not reflected in the past or present activities."
>
> I think Stephan’s statement could have said ‘developing’ instead of
> ‘adopting’, ‘better practices’ instead of ‘best practices’, and he would
> have been pretty close to the mark.
>
>
>
> I had to look up ‘ahistoric’ in a dictionary, since it is not a word in my
> vocabulary, and one of the two definitions Merriam-Webster says it is
> “historically inaccurate or ignorant”.
>
>
>
> I accept that it could be the view of a representative from a browser that
> the only point of the forum is as “a venue to ensure Browsers do not
> place conflicting requirements on CAs”.
>
> However, if the other members of the forum are of the opinion that there
> is value in the activity of developing, not just receiving, even minimum
> requirements that may be used to raise the bar in the Web PKI, and
> especially if there are other parties within or without the forum that
> consider those minimum requirements as being worthy of adoption or
> formalization within their use of PKI, for the web or elsewhere, then that
> gives the forum purpose beyond the resolution of conflicting requirements
> and therefore your view of the forum is not accurate from the wider
> perspective.
>

I think we're in quite a bit more agreement than disagreement.

That is, the value of the Baseline Requirements is the same as any SDO work
product - it's only useful if it's adopted and used. The existence of
standards for standards sake is not useful, nor are standards themselves
imbued with some special power that make them worthwhile independently
(i.e. with no implementations).

This is why, for example, SDOs like the IETF say "Rough consensus and
running code" - equal in measure. Or, for that matter, the WHATWG take a
more direct approach - many of the documents (e.g. the URL standard, the
Fetch standard, CSS, or even HTML) are "Living Standards", in that they
reflect "What implementations do", not necessarily "What they ought to do"
(this was a somewhat significant divergence from the prescriptive model of
the W3C).

So now let's circle back:
1) Why is the CA/B Forum relevant?
  - The CA/B Forum is relevant because it develops documents like the
Baseline Requirements
2) Why are the Baseline Requirements relevant?
  - The Baseline Requirements are relevant because they are useful to
inform audit criteria like WebTrust for CAs or ETSI EN 319 411-2
3) Why are audit criteria like those relevant?
  - Those audit criteria are relevant because they're used by Browser Root
Programs
4) Why do Browser/Root Programs use those Audit Criteria?
  - They use them because it's a convenient short-hand for a common base
set of requirements that can be independently assessed and that are
nominally aligned with the critical aspects of their Browser/Root Program
Requirements
5) Why do Browser/Root Programs define requirements?
  - Because the use of certificates, particularly from third-party CAs, is
inherently a product security decision, and tied closely with the
reputation, needs, and desires of that Browser/Root Program and their
product(s).

The 'value' of the Baseline Requirements, as they stand today, flows down
from their use and adoption by Browser/Root Programs. And Browser/Root
Programs adopt them not because there is an intrinsic or inherent value to
them, but because they are useful if, and only if, they're aligned with the
Browser/Root Programs inherent requirements. If the Baseline Requirements
are not aligned with industry needs (read: Browser/Root Programs), then
Browser/Root Programs won't and shouldn't continue to use them, nor audit
criteria that are based on them. And if Browser/Root Programs don't use
these requirements, then there's limited value in them, and in the Forum
itself as the developer of them.

Browser/Root Programs don't use the Baseline Requirements inherently - they
use their Root Program Requirements, and accept the BRs only to the extent
they are aligned with those Root Program requirements.

For example, Browsers could fully decide that the WebTrust and the ETSI
approach to auditing don't actually meet the 

Re: [cabfpub] The purpose of the CA/B Forum

2019-10-22 Thread Robin Alden via Public
Ryan,

Referring back to Dimitris’s reference [1], i.e. your response to Stephan Wolf, 
I think he (Stephan Wolf) probably overstated the forum’s purpose somewhat, but 
your response goes too far in the opposite direction to be considered accurate.

Stephan Wolf said:

> > My understanding of the formation of the Forum was always about adopting

> > “best practices” by strong consensus of the CA and browser community,

> > acting cooperatively and by consensus.

Ryan Sleevi said:

> "The Forum provides a venue to ensure Browsers do not place conflicting 
> requirements on CAs that voluntarily participate within the browsers root 
> programs, by facilitating discussion and feedback.

> 

> That is the sole and only purpose of the Forum. Any other suggestion is 
> ahistorical and not reflected in the past or present activities."



I think Stephan’s statement could have said ‘developing’ instead of ‘adopting’, 
‘better practices’ instead of ‘best practices’, and he would have been pretty 
close to the mark.  

I had to look up ‘ahistoric’ in a dictionary, since it is not a word in my 
vocabulary, and one of the two definitions Merriam-Webster says it is 
“historically inaccurate or ignorant”.

I accept that it could be the view of a representative from a browser that the 
only point of the forum is as “a venue to ensure Browsers do not place 
conflicting requirements on CAs”.

However, if the other members of the forum are of the opinion that there is 
value in the activity of developing, not just receiving, even minimum 
requirements that may be used to raise the bar in the Web PKI, and especially 
if there are other parties within or without the forum that consider those 
minimum requirements as being worthy of adoption or formalization within their 
use of PKI, for the web or elsewhere, then that gives the forum purpose beyond 
the resolution of conflicting requirements and therefore your view of the forum 
is not accurate from the wider perspective.

Regards
Robin Alden

Sectigo Limited

From: Public  On Behalf Of Ryan Sleevi via Public
Sent: 21 October 2019 19:02
To: Dimitris Zacharopoulos (HARICA) 
Cc: CA/Browser Forum Public Discussion List 
Subject: Re: [cabfpub] The purpose of the CA/B Forum

On Mon, Oct 21, 2019 at 1:48 PM Dimitris Zacharopoulos (HARICA) 
<dzach...@harica.gr> wrote:

I see a conflict because the statement considers a different purpose than what 
is described in section 1.1 of the Bylaws. I was also surprised ("shocked" 
might better describe it) to read that any other purposes are "ahistorical", 
and see this statement being directed to a new Interested Party who just 
recently joined the Server Certificate Working Group.

Again, I want to emphasize, you're conflating an informative statement of fact 
- what the Forum has done in the past - with a statement of purpose, what the 
Forum does or will do. I can understand that this confusion exists, but it's 
not a conflict. What's further ahistorical is that while the Forum may have done 
X in the past, it no longer does those things in the section you cited! You'll 
recall that the Processing of EV SSL Certificates was not adopted as a 
continued Forum work item, precisely because it was seen as inappropriate for 
the Forum.

I agree with all three. I have also been pointing out these three elements in 
every presentation related to the Forum :-) However, the fact that the Forum:

*   is voluntary
*   does not define "Root Program Policy" and 
*   does not "enforce" nor "supervise" the CAs, 

are not related to the purpose of the Forum. You can say the same thing about 
IETF or other STOs. The CA/B Forum is a consensus driven STO that produces 
guidelines. How these guidelines are used is a different topic. We know for a 
fact that they are used as input for two International Standards, ETSI and 
WebTrust. Who knows how many other government or private sector areas are using 
the CA/B Forum's work product to define their policies.

Did you mean Standards Defining Organization (SDO)? It's unclear what you mean 
by STO.

You're correct that we could certainly look to make the CA/Browser Forum as 
ineffective as, say, the CA Security Council, and just as captured. However, it 
would simply mean that the CA/Browser Forum requirements no longer reflect or 
align with Root Program requirements, Root Programs would abandon the WebTrust 
and ETSI documents (as has been discussed in the past and is a /very real/ 
possibility), and develop their own auditing standards, to directly oversee. 
It is important to understand that the only value - and legitimacy - that the 
Forum has is not in producing the Guidel

Re: [cabfpub] The purpose of the CA/B Forum

2019-10-21 Thread Dimitris Zacharopoulos (HARICA) via Public



On 2019-10-21 7:19 PM, Ryan Sleevi via Public wrote:



On Mon, Oct 21, 2019 at 11:54 AM Dimitris Zacharopoulos via Public 
<public@cabforum.org> wrote:



Dear CA/B Forum Members,

Recent posts [1], [2] were brought to my attention with a
statement from a representative of a Certificate Consumer Member
who believes that the role of the Forum is the following:

"The Forum provides a venue to ensure Browsers do not place
conflicting requirements on CAs that voluntarily participate
within the browsers root programs, by facilitating discussion and
feedback. This allows interoperability among the Web PKI space,
which refers to the set of CAs within browsers, and thus allows
easier interoperability within browsers. Prior to the Forum, it
was much easier to see this reflected in the private arrangements
between CAs and browsers. If different browsers had different
requirements, CAs would have to act as the intermediary to
identify and communicate those conflicts. Similarly, browsers had
to spend significant effort working to communicate with all of the
CAs in their programs, often repeatedly answering similar
questions. By arranging a common mailing list, and periodic
meetings, those barriers to communication can be reduced.


That is the sole and only purpose of the Forum. Any other
suggestion is ahistorical and not reflected in the past or present
activities."

It is fortunate that we are given the opportunity to take a step
back and re-check why we are all here. I can only quote from the
Bylaws (emphasis mine):

"1.1 Purpose of the Forum

The Certification Authority Browser Forum (CA/Browser Forum) is a
voluntary gathering of leading Certificate Issuers and vendors of
Internet browser software and other applications that use
certificates (Certificate Consumers).

Members of the CA/Browser Forum have worked closely together in
defining the guidelines and means of *implementation for best
practices **as a way of providing a heightened security for
Internet transactions and creating a more intuitive method of
displaying secure sites to Internet users*."


Dimitris,

I don't believe there is the conflict you suggest between the 
statement and the bylaws.


I see a conflict because the statement considers a different purpose 
than what is described in section 1.1 of the Bylaws. I was also 
surprised ("shocked" might better describe it) to read that any other 
purposes are "ahistorical", and see this statement being directed to a 
new Interested Party who just recently joined the Server Certificate 
Working Group.




I think we're in agreement that the CA/Browser Forum is voluntary.
I think we're in agreement that the CA/Browser Forum does not, nor has 
it ever, defined Root Program Policy.
I think we're in agreement that the CA/Browser Forum does not, nor has 
it ever, "enforced" any action upon CAs.


I agree with all three. I have also been pointing out these three 
elements in every presentation related to the Forum :-) However, the 
fact that the Forum:


 * is voluntary
 * does not define "Root Program Policy" and
 * does not "enforce" nor "supervise" the CAs,

are not related to the purpose of the Forum. You can say the same thing 
about IETF or other STOs. The CA/B Forum is a consensus driven STO that 
produces guidelines. How these guidelines are used is a different topic. 
We know for a fact that they are used as input for two International 
Standards, ETSI and WebTrust. Who knows how many other government or 
private sector areas are using the CA/B Forum's work product to define 
their policies.




I think this is much clearer if you continue quoting from the Bylaws. 
Indeed, the two sentences that immediately follow, emphasis mine, 
highlight this:


1.2 Status of the Forum and the Forum Activities
The Forum has no corporate or association status, but is *simply a group of 
Certificate Issuers and Certificate Consumers that communicates or meets from 
time to time to discuss matters of common interest relevant to the Forum’s 
purpose. The Forum has no regulatory or industry powers over its members or 
others.*


Yes, already acknowledged that.



I read this purpose as an "unofficial" agreement between
Certificate Issuers and Certificate Consumers to improve security
for internet transactions AND to create a more intuitive method of
displaying secure sites to internet users.


No. It's a statement about what the Forum has done in the past. If you 
continue reading, you will find out what the Forum does. It merely 
discusses.


Well, these discussions result in ballot motions, ballot motions are 
voted and Guidelines are created or updated ("maintained"). And from 
there, we know how these Guidelines are used.



I'm afraid this cannot be achieved if Certificate Consumer Members
continuously bring their "guns" (i.e. Root Program 

Re: [cabfpub] The purpose of the CA/B Forum

2019-10-21 Thread Ryan Sleevi via Public
On Mon, Oct 21, 2019 at 1:48 PM Dimitris Zacharopoulos (HARICA) <
dzach...@harica.gr> wrote:

> I see a conflict because the statement considers a different purpose than
> what is described in section 1.1 of the Bylaws. I was also surprised
> ("shocked" might better describe it) to read that any other purposes are
> "ahistorical", and see this statement being directed to a new Interested
> Party who just recently joined the Server Certificate Working Group.
>

Again, I want to emphasize, you're conflating an informative statement of
fact - what the Forum has done in the past - with a statement of purpose,
what the Forum does or will do. I can understand that this confusion
exists, but it's not a conflict. What's further ahistorical is that while the
Forum may have done X in the past, it no longer does those things in the
section you cited! You'll recall that the Processing of EV SSL Certificates
was not adopted as a continued Forum work item, precisely because it was
seen as inappropriate for the Forum.


> I agree with all three. I have also been pointing out these three elements
> in every presentation related to the Forum :-) However, the fact that the
> Forum:
>
>- is voluntary
>- does not define "Root Program Policy" and
>- does not "enforce" nor "supervise" the CAs,
>
> are not related to the purpose of the Forum. You can say the same thing
> about IETF or other STOs. The CA/B Forum is a consensus driven STO that
> produces guidelines. How these guidelines are used is a different topic. We
> know for a fact that they are used as input for two International
> Standards, ETSI and WebTrust. Who knows how many other government or
> private sector areas are using the CA/B Forum's work product to define
> their policies.
>

Did you mean Standards Defining Organization (SDO)? It's unclear what you
mean by STO.

You're correct that we could certainly look to make the CA/Browser Forum as
ineffective as, say, the CA Security Council, and just as captured.
However, it would simply mean that the CA/Browser Forum requirements no
longer reflect or align with Root Program requirements, Root Programs would
abandon the WebTrust and ETSI documents (as has been discussed in the past
and is a /very real/ possibility), and develop their own auditing
standards, to directly oversee. It is important to understand that the
only value - and legitimacy - that the Forum has is not in producing the
Guidelines, but in providing a venue for discussion. The Guidelines utility
is certainly in providing input to audit criteria that can be developed,
but it's important to recognize that the only utility in the development in
that audit criteria is when they're accepted - i.e. by browsers.

Many other organizations /reject/ the CA/B Forum's work precisely because
it's not aligned with their security or disclosure requirements. For good
reason - the BRs are incomplete!


> I will let others state their opinion and comment about this. I, for one,
> disagree.
>
> Although the CA/B Forum takes input from its Members (Issuers and
> Consumers), it has a consensus-driven process. This means that if a CA or a
> Browser proposes an unreasonable or insecure change to the Forum's
> Guidelines, it will need 2/3 of CAs and majority of Browsers to enter the
> Guidelines.
>
> If a new Certificate Consumer with completely ridiculous "My Program
> Requirements" joins the Forum, the Forum is not forced by anyone to adopt
> changes that would jeopardize the quality of the Guidelines.
>
> I understand where you're coming from and respect the fact that you are
> trying to make Root Programs align, but the way you frame it, doesn't align
> with the Forum's purpose nor its processes. For better or worse, each
> recommendation will have to go through the ballot process and get consensus
> to be voted. No Certificate Consumer can enforce changes to the Guidelines,
> at least with the current Bylaws.
>

I think we're in more agreement than you realize. It's certainly true that
the Forum adoption to the Baseline Requirements is a consensus-driven
process. However, to the extent those documents diverge from real use, they
simply cease to be valuable as input - for the audit criteria or for the
Root Program.

And I think that's an essential point that your message both fails to
capture and arguably denies - it suggests the Forum has value outside of
the Root Programs that consume its inputs. If it no longer has value, Root
Programs won't consume it. If Ballots are rejected, Root Programs can and
should go above it.

The BRs, as they stand, have no value outside of Root Programs' requiring
them (or more aptly, accepting the audits derived from them).
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public


Re: [cabfpub] The purpose of the CA/B Forum

2019-10-21 Thread Ryan Sleevi via Public
On Mon, Oct 21, 2019 at 11:54 AM Dimitris Zacharopoulos via Public <
public@cabforum.org> wrote:

>
> Dear CA/B Forum Members,
>
> Recent posts [1], [2] were brought to my attention with a statement from a
> representative of a Certificate Consumer Member who believes that the role
> of the Forum is the following:
>
> "The Forum provides a venue to ensure Browsers do not place conflicting
> requirements on CAs that voluntarily participate within the browsers root
> programs, by facilitating discussion and feedback. This allows
> interoperability among the Web PKI space, which refers to the set of CAs
> within browsers, and thus allows easier interoperability within browsers.
> Prior to the Forum, it was much easier to see this reflected in the private
> arrangements between CAs and browsers. If different browsers had different
> requirements, CAs would have to act as the intermediary to identify and
> communicate those conflicts. Similarly, browsers had to spend significant
> effort working to communicate with all of the CAs in their programs, often
> repeatedly answering similar questions. By arranging a common mailing list,
> and periodic meetings, those barriers to communication can be reduced.
>
>
> That is the sole and only purpose of the Forum. Any other suggestion is
> ahistorical and not reflected in the past or present activities."
> 
> It is fortunate that we are given the opportunity to take a step back and
> re-check why we are all here. I can only quote from the Bylaws (emphasis
> mine):
>
> "1.1 Purpose of the Forum
>
> The Certification Authority Browser Forum (CA/Browser Forum) is a
> voluntary gathering of leading Certificate Issuers and vendors of Internet
> browser software and other applications that use certificates (Certificate
> Consumers).
>
> Members of the CA/Browser Forum have worked closely together in defining
> the guidelines and means of *implementation for best practices **as a way
> of providing a heightened security for Internet transactions and creating a
> more intuitive method of displaying secure sites to Internet users*."
>

Dimitris,

I don't believe there is the conflict you suggest between the statement and
the bylaws.

I think we're in agreement that the CA/Browser Forum is voluntary.
I think we're in agreement that the CA/Browser Forum does not, nor has it
ever, defined Root Program Policy.
I think we're in agreement that the CA/Browser Forum does not, nor has it
ever, "enforced" any action upon CAs.

I think this is much clearer if you continue quoting from the Bylaws.
Indeed, the two sentences that immediately follow, emphasis mine, highlight
this:

1.2 Status of the Forum and the Forum Activities
The Forum has no corporate or association status, but is *simply a group of
Certificate Issuers and Certificate Consumers that communicates or meets from
time to time to discuss matters of common interest relevant to the Forum’s
purpose. The Forum has no regulatory or industry powers over its members or
others.*

> I read this purpose as an "unofficial" agreement between Certificate
> Issuers and Certificate Consumers to improve security for internet
> transactions AND to create a more intuitive method of displaying secure
> sites to internet users.
>

No. It's a statement about what the Forum has done in the past. If you
continue reading, you will find out what the Forum does. It merely
discusses.


> I'm afraid this cannot be achieved if Certificate Consumer Members
> continuously bring their "guns" (i.e. Root Program Requirements) in CA/B
> Forum discussions. I would expect these "guns" to be displayed and used in
> the independent Root Program venues and not the CA/B Forum.
>

While I can understand if you're unhappy to discuss Root Program
Requirements, I think it belies a fundamental misunderstanding of the Forum
and the Baseline Requirements.

Recall: PKI was designed to allow different communities - i.e. different
browsers - to define different policies, profiles, and practices for the
CAs that participate in their different PKIs. The Microsoft PKI is distinct
from the Google PKI is distinct from the Mozilla PKI, each of which has
those vendors as the Root of Trust, signing a Trust List for use within
their products, based on their product security requirements.

Conceptually, each of these PKIs define their own profiles and practices
(the Root Program Requirements) and define their own means of assessing
(e.g. Mozilla distrusting certain auditors, Microsoft allowing certain
auditors). The Forum exists to allow for interoperability between these
distinct PKIs. The Baseline Requirements serve as a means of expressing a
common set of requirements, in order to reduce the need of obtaining a
distinct Microsoft audit or a distinct Mozilla audit, which are entirely
plausible scenarios.

Thus, it's inherent that the /only/ value of useful discussion to be had is
with respect to Root Program Requirements. It's also the opportunity for
CAs to provide input and insight 

[cabfpub] The purpose of the CA/B Forum

2019-10-21 Thread Dimitris Zacharopoulos via Public


Dear CA/B Forum Members,

Recent posts [1], [2] were brought to my attention with a statement from 
a representative of a Certificate Consumer Member who believes that the 
role of the Forum is the following:


"The Forum provides a venue to ensure Browsers do not place conflicting 
requirements on CAs that voluntarily participate within the browsers 
root programs, by facilitating discussion and feedback. This allows 
interoperability among the Web PKI space, which refers to the set of CAs 
within browsers, and thus allows easier interoperability within 
browsers. Prior to the Forum, it was much easier to see this reflected 
in the private arrangements between CAs and browsers. If different 
browsers had different requirements, CAs would have to act as the 
intermediary to identify and communicate those conflicts. Similarly, 
browsers had to spend significant effort working to communicate with all 
of the CAs in their programs, often repeatedly answering similar 
questions. By arranging a common mailing list, and periodic meetings, 
those barriers to communication can be reduced.



That is the sole and only purpose of the Forum. Any other suggestion is 
ahistorical and not reflected in the past or present activities."



We should not interpret silence as consent for such statements that can 
create misunderstandings. I put a lot of thought before posting this 
message because I represent a CA but I was also voted as Chair to ensure 
the Bylaws are followed. I personally don’t agree with that view of the 
purpose of the Forum (or the statement that any other suggestion is 
ahistorical), and I think other members disagree as well. As Chair of 
the Forum, I feel obligated to share some thoughts and my perspective 
about the purpose of the Forum.


When I first learned about the CA/B Forum and started receiving the 
public list emails, I was thrilled with the level of engagement, 
participation and contributions of industry leaders in the 
publicly-trusted certificate sector. Industry leaders, that made SSL/TLS 
and Code Signing Certificates known and usable around the Globe in order 
to secure communications and code execution, were voluntarily 
contributing with their valuable technical and operational experience. 
When critical incidents occurred that affected a large part of the 
webPKI, industry leaders freely shared their internal security 
policies/practices, so that others could publicly evaluate and use them. 
When it was decided for Domain Validation methods to be disclosed, 
Certificate Issuers disclosed their methods and the less secure methods 
were identified and removed. Some of the Forum's popular projects, such 
as the EV Guidelines and the Network Security Requirements, were driven 
by Certificate Issuers and were not directly linked to Certificate 
Consumers' Root program policies; they are now required by Root 
programs. This industry continues to improve Guidelines and overall 
security by continuously raising the security bar. It is natural for 
Certificate Consumers to lead and push for stricter rules but 
Certificate Issuers also participate in these discussions and contribute 
with ideas. These contributions are not made "to make Browsers happy" 
but to improve the overall security of the ecosystem.


Mistakes happened, CAs were distrusted but that has nothing to do with 
the CA/B Forum. We are not here at the Forum to judge how CAs complied 
or not to the Guidelines or how strict or not the Browser decisions 
were. In my understanding these are out of CA/B Forum scope discussions. 
To my eyes, every contribution to the Forum is done in good faith, 
reviewed by some of the world's most talented and competent people I 
know and they are accepted into the work product of the Forum, which is 
our Guidelines. It is also very clear that our Guidelines need 
continuous improvements and it is very possible that some requirements 
are misinterpreted. We are here to remove ambiguities and make these 
requirements as clear as possible.


I have no doubt that the CA/B Forum serves the "undocumented" purpose of 
aligning requirements between Certificate Consumer Policies, although it 
is not stated in the Forum's Bylaws. Perhaps this is how things started 
with the Forum. I don't know, I wasn't there :) But I believe things 
have evolved. I strongly believe that the CA/B Forum is an earnest 
effort by the publicly-trusted certificate industry to *self-regulate* 
in the absence of other National or International regulatory 
Authorities. These efforts to self-regulate exceed the purpose for Root 
Programs to align. After all, if that was the sole and only purpose, it 
might as well have been the "Browser Forum" where Browsers meet, set the 
common rules and then dictate CAs to follow these rules. I believe the 
Forum is more than that.


It is fortunate that we are given the opportunity to take a step back 
and re-check why we are all here. I can only quote from the Bylaws 
(emphasis mine):