<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello everyone,<br>
<br>
I believe this issue does not have many options. The meeting notes
from <a
href="https://cabforum.org/2015/10/07/2015-10-07-face-to-face-meeting-minutes-meeting-36-istanbul/#Guest-Speaker-Session-Andreas-from-eIDAs">F2F
36</a> capture the essence of it all. I think it is fair to say
that browsers will not rely on any "external" trust list and IMO
they are very right to do so. But I don't think that was ever
officially requested or was the intention of the EU TSL (I could
be wrong, I wasn't at the eIDAS meeting).<br>
<br>
As I stated at F2F 36, a feasible solution would be to continue to
rely only on the browsers' trust list to establish the TLS
client-server communication and ADDITIONALLY, if the server
certificate chains to a Root or Intermediate Certificate that is
also in the EU TSL, make a discrete UI change to indicate this
additional information. This UI change could easily happen through
a plugin, AFTER the TLS handshake is complete with the current
browser code.<br>
<br>
Now, if the EU officials want to "simulate" the EV policy for the
QWACs, then this additional UI change would occur only if the
server certificate gets an EV status.<br>
<br>
Delivering the list with integrity so that it is not susceptible
to MitM attacks is another issue, but perhaps easier to resolve.<br>
<br>
<br>
Dimitris Zacharopoulos.<br>
<br>
<br>
On 2/4/2016 1:30 AM, Ryan Sleevi wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvaZM-ZqdypMZ5=qaQb8DduYY4S8q-ktdPY5pdu6Hsz-WQ@mail.gmail.com"
type="cite">
<div dir="ltr">The specific request was for an extension API to
allow extensions to determine if a certificate is trusted or
not, rather than the browser, and to allow extensions to change
the UI state to whatever the extension requests.
<div><br>
</div>
<div>Understandably, this would be a disaster security-wise.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 1, 2016 at 3:27 PM, Peter
Bowen <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div>From the slides it looks like the presenter was more
requesting that browsers use SCVP or support
Authorization Validation Lists. This would mean the
browser “outsources” validation of certificates to
another entity which returns the validation result. The
result could possibly include an image to show the user
in addition to a boolean valid/not valid.</div>
<br>
<div>
<blockquote type="cite">
<div>
<div class="h5">
<div>On Apr 1, 2016, at 3:19 PM, Dean_Coclin <<a
class="moz-txt-link-abbreviated"
href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>>
wrote:</div>
<br>
</div>
</div>
<div>
<div>
<div class="h5">
<div
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I
think what the presenter had in mind were
“hooks” into the trust store such that an
alternate trust source (i.e. eIDAS Trust
List) could be selected by a user. I
believe Ryan said this type of “hook”
exposes the browser to potential malicious
intent. One question I had (and I really
don’t know how this works) is that I know
Microsoft provides the capabilities for
Enterprises to add or push roots out to
users in their groups. Perhaps Dr. Posch
had that in mind when he was brainstorming
his hook idea.</span></div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Dean</span></div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"><b><span
style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span
style="font-size:11pt;font-family:Calibri,sans-serif"> <a
class="moz-txt-link-abbreviated"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a
class="moz-txt-link-freetext"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On
Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Friday, April
01, 2016 2:29 PM<br>
<b>To:</b> Gervase Markham
<<a moz-do-not-send="true"
href="mailto:gerv@mozilla.org"
style="color:purple;text-decoration:underline"
target="_blank">gerv@mozilla.org</a>><br>
<b>Cc:</b> CABFPub <<a
class="moz-txt-link-abbreviated"
href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabfpub]
eIDAS meeting presentations</span></div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"> </div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"> </div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"> </div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif">On Fri, Apr 1, 2016
at 2:17 PM, Gervase Markham <<a
class="moz-txt-link-abbreviated"
href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>>
wrote:</div>
<blockquote style="border-style:none
none none
solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in
0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif">On 30/03/16 01:03,
Adriano Santoni wrote:<br>
> Especially, I would like to
understand whether browsers are<br>
> willing/planning to integrate
the EU trust lists....<br>
<br>
We remain to be convinced of the
value of doing so. We see direct<br>
control of our own trust list as an
important factor in our ability to<br>
drive positive change in the CA
industry and the security of the
web.</div>
</blockquote>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"> </div>
</div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
And how do you">
New Roman',serif">And how do you
feel about exposing programmatic
access to modify or affect
certificate validation, certificate
UI, or certificate trust lists, as
proposed during the meeting (and as
captured in the Summary and in the
slides by Reinhard Posch)?</div>
</div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"> </div>
</div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif">I will echo on
list what I had previously stated
during the meeting, as it was not
captured in the summary, which is on
the balance, we see a far greater
incidence of malware abusing such
APIs compared to legitimate uses,
and have no intent or desire to
support such programmatic access.
We've seen malware campaigns
extensively abuse command-line flags
intended for debugging and
diagnostics, and we've seen malware
and malvertising campaigns
significantly abuse both sanctioned
and unsanctioned APIs, such that the
use of such APIs is a strong
indicator of Potentially Unwanted
Software, and will be blocked
through means such as Google
SafeBrowsing and the Chrome Cleanup
Tool. We believe other vendors have
seen similar results.</div>
</div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif"> </div>
</div>
<div>
<div style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times
New Roman',serif">Further, we remain
deeply concerned about proposals
that it would be beneficial to have
other countries and legal entities
provide or require similar Trust
Lists, as also captured on Dr.
Posch's slides, for many of the same
reasons that Gerv spoke of.</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<span class=""><span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">_______________________________________________</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">Public
mailing list</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
style="color:purple;text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
target="_blank">Public@cabforum.org</a><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
style="color:purple;text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
target="_blank">https://cabforum.org/mailman/listinfo/public</a></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
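The "additional indicator" design from Dimitris's message above, as an added Python example that is not code from the thread, any browser, or the EU TSL tooling: the browser's own validation result is the only trust input, and a chain CA's presence in the TSL (assumed here to be matched by SHA-256 fingerprint of the DER certificate) can only add a flag afterwards, never trust. All certificate bytes and TSL entries are constructed stand-ins.

```python
# Added example (not code from the thread): the "additional indicator" model
# from the message above. The browser's own path validation stays the only
# source of trust; a TSL match can only add an informational flag afterwards.
# All certificate bytes and TSL entries below are constructed sample data.
import hashlib
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class BrowserValidation:
    """Outcome of the browser's own chain validation (assumed input)."""
    trusted: bool  # chain built to a root in the browser's store
    ev: bool  # chain met the browser's EV policy
    chain_der: Tuple[bytes, ...]  # DER certs, leaf first, as verified

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, matched against the TSL's CA entries."""
    return hashlib.sha256(der).hexdigest()

def tsl_indicator(v: BrowserValidation, tsl: Set[str],
                  require_ev: bool = False) -> bool:
    """True only if a browser-trusted chain passes through a TSL-listed CA.
    The TSL never upgrades an untrusted chain; with require_ev the flag also
    needs the browser's EV status (the "simulated EV" variant in the thread).
    """
    if not v.trusted:
        return False
    if require_ev and not v.ev:
        return False
    # TSL entries are CA certificates (roots/intermediates), so skip the leaf.
    return any(fingerprint(c) in tsl for c in v.chain_der[1:])

# Constructed stand-ins for DER-encoded certificates.
LEAF = b"leaf-cert-der"
QUALIFIED_CA = b"eu-tsl-listed-intermediate-der"
PLAIN_CA = b"ordinary-intermediate-der"
ROOT = b"browser-root-der"
EU_TSL = {fingerprint(QUALIFIED_CA)}

def demo() -> dict:
    """The cases the thread distinguishes: trust comes from the browser only."""
    qualified = BrowserValidation(True, False, (LEAF, QUALIFIED_CA, ROOT))
    plain = BrowserValidation(True, False, (LEAF, PLAIN_CA, ROOT))
    untrusted = BrowserValidation(False, False, (LEAF, QUALIFIED_CA, ROOT))
    return {
        "trusted_and_listed": tsl_indicator(qualified, EU_TSL),
        "trusted_not_listed": tsl_indicator(plain, EU_TSL),
        "listed_but_untrusted": tsl_indicator(untrusted, EU_TSL),
        "listed_no_ev_when_required": tsl_indicator(qualified, EU_TSL, True),
    }
```

Integrity of the TSL itself (the MitM concern raised above) is out of scope here; the set passed in is assumed to have been obtained and verified separately.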
<br>
</body>
</html>