<div dir="ltr">Kirk,<div><br></div><div>Do you believe that the Forum should abide by those same policies for its own interpretations, such as of the Bylaws? I'm still unclear whether the issues of 180-182 will revisit us, and I'm not sure we ever reached a common ground with that.</div><div><br></div><div>As to your opinion of the legal risks, I think we should be careful when speculating on such matters, but I also want to point out the several problems with the scenario you posed, as I'm sure Jeff, Don, Arno, Clemens, and others can attest to:</div><div><br></div><div>For the sake of discussion, and the familiarity for both yourself and some of the other CAs who I believe have expressed an opinion similar to yours, I'll use WebTrust for the remainder of the discussion here:</div><div><br></div><div>An audit assessment is not assessed on the basis of the Baseline Requirements. Instead, the auditor uses the WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security. This is a specific term of art, and refers to a specific set of Principles, validated using Criteria, for which the WebTrust Task Force and CPA Canada have developed a set of illustrative controls. These Principles and Criteria are derived from the work of the CA/Browser Forum, but they are independent of the Forum's activities, for better or for worse.</div><div><br></div><div>Any opinion that the Forum offers - either as individual members or as a Body as a whole (for which, to Gerv's point, our Bylaws specifically provide guidance on how to do so, in Section 6.2 of our Bylaws) - is solely in capacity and relationship to the Baseline Requirements. 
It is neither advice to an auditor nor guidance to the auditor with respect to their auditable criteria or to their customer relationship.</div><div><br></div><div>To perhaps make it easier to understand why this is both important and not, as you pose, a risk, consider the act of an auditor who examines Certificate Transparency logs in the process of doing what auditors do - which is developing an opinion about the sufficiency of the controls practiced by a given CA relative to the principles and criteria that the scope of the engagement is evaluating. Such an examination forms a secondary data source for the auditor to form their opinion. It does not provide primary guidance, but helps highlight things the auditor may wish to examine in the development of that opinion.</div><div><br></div><div>Similarly, any response to questions regarding the Baseline Requirements represents guidance as to the interpretation of the Baseline Requirements - not to the relevant audit criteria. 
It is acting as a secondary data source that allows the auditor to independently assess the nature of industry best practice in the formation of their opinion, but it does not tell them whether what a CA is doing is "right" or "wrong".</div><div><br></div><div>On a recent call, the challenges of providing a vision for the future while remaining consistent with our antitrust policy regarding "Customer, business, or marketing plans" were highlighted - and it was rightfully pointed out that the discussion is not one of future business plans, but one of the act of standards development and future directions for said standards development.</div><div><br></div><div>Either the Forum is representing itself as a Standards Defining Organization - for which, as has been pointed out, the act of providing errata, guidance, and interpretation is a key aspect (whether you look at W3C, WHATWG, IETF, OASIS, TCG, ETSI, or I'm sure countless other organizations) - or it is positing itself as a trade group of some form. This would be an interesting interpretation, but precisely why the nature of this discussion is important and extremely relevant to the community, and why I have suggested we spend time discussing this in the Face to Face.</div><div><br></div><div>As to your suggestion of CPA Canada sending the questions, you can ask Don and Jeff (and members of the WebTrust TF), as this is precisely something I have suggested in order to ensure the confidentiality of the client relationship between the auditor during the process of an engagement, and so I'm supportive of this as a principle, but not a rule. 
That is, I think the notion that we should reject questions from auditors if NOT 'laundered' through CPA Canada would be shirking our responsibilities and undermining our goals.</div><div><br></div><div>I should hope it would be uncontroversial, for example, if the Forum were approached with a question - whether by an auditor, a CA, or some other interested and curious participant - about whether the Baseline Requirements require CAs to encode their certificates using DER.</div><div><br></div><div>I pose this hypothetical because you will find no such mention of DER in the Baseline Requirements. Instead, you will find the extent of this requirement captured within Section 7.1.2.4 of the Baseline Requirements, which simply incorporates RFC 5280. RFC 5280's extent of incorporating DER simply states that "For signature calculation, the data that is to be signed is encoded using the ASN.1 distinguished encoding rules (DER) [X.690]."</div><div><br></div><div>Note, however, that it does not say the certificate itself shall be encoded. This subtlety has actually tripped people up with RFC 5280 - as it was the full intent and understanding of the PKIX WG that this was sufficient to mean "Yes, you need to encode the darn certs using DER, you'd be bonkers not to" - and you can find discussion, should you so desire, precisely to this point within the IETF - but I do hope you can understand at least how this question flows from it.</div><div><br></div><div>To suggest that the Forum does not have an active role in communicating, both in our shared (industry) understanding and, in particular, the expectations of the community (especially that of root stores), is to do a disservice to the work we do here. 
If we truly believe that this is something we cannot opine on, then it would be far more useful and productive for Browsers to consider working directly with the relative audit schemes, and to cease participating in the Forum, as the Forum no longer provides any useful function.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 3, 2017 at 12:39 PM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I agree, Gerv.<br>
<br>
One possibly more significant objection to unstructured opining on questions from auditors currently conducting an audit -- that puts Forum members right in the middle of the audit relationship between the auditor and his or her CA client. A Forum member who opines on interpretation of a broad provision runs the risk of causing audit failure for that CA -- something I think is not a good idea, and could arguably give rise to potential legal liability in extreme cases.<br>
<br>
In my view, auditors with a question of interpretation should first consult with other WebTrust auditors in their own company, and then should pose their questions to CPA Canada's WebTrust Board for formal response. If the CPA Canada WebTrust Board thinks it necessary, they (and only they) could then ask the Forum for advice -- which we should only give after a very formal discussion among ourselves and a formal agreed position.<br>
<div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: Public [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@<wbr>cabforum.org</a>] On Behalf Of Gervase Markham via Public<br>
Sent: Friday, March 3, 2017 9:30 AM<br>
To: CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
Cc: Gervase Markham <<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>><br>
Subject: Re: [cabfpub] Does the CA/Browser Forum provide guidance on the Baseline Requirements?<br>
<br>
On 25/02/17 02:54, Ryan Sleevi via Public wrote:<br>
> I am deeply concerned and dismayed by such an answer, and expressed<br>
> this to these members. I believe that this is a core role of the<br>
> CA/Browser<br>
> Forum: To ensure the Requirements are clear and unambiguous whenever<br>
> possible, to provide guidance as to the intent and interpretation when<br>
> necessary, and to strive to resolve any ambiguity in the documents<br>
> themselves whenever possible.<br>
<br>
I think we should resolve ambiguities within the documents; whether we should provide guidance in the meantime is a separate question. The way the Forum expresses its view is via ballots which change documents; we don't really have a way of expressing a consensus opinion without doing that.<br>
<br>
Gerv<br>
</div></div><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
</div></div></blockquote></div><br></div>
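The DER hypothetical in the first message above (RFC 5280 mandates DER only for "the data that is to be signed", i.e. the tbsCertificate, while the PKIX intent was that the whole certificate be DER) is the kind of question a practitioner can actually test for. The following is an added example, not code from the thread or from any Forum or WebTrust material: a small pure-Python checker that walks a BER/DER TLV structure and reports the first place it departs from strict DER (X.690 sections 8 to 11): indefinite lengths, padded length octets, non-canonical BOOLEAN, INTEGER and BIT STRING contents, and trailing bytes. `signed_portion` slices out the first child of the outer SEQUENCE, so `is_strict_der(signed_portion(c))` is the narrow check RFC 5280's sentence literally requires and `is_strict_der(c)` is the whole-certificate check the message says everyone intends. The sample inputs are constructed toy structures (a SEQUENCE of an INTEGER and a BOOLEAN, plus a certificate-shaped SEQUENCE), not real certificates; any real certificate bytes can be passed in their place.

```python
"""DER-strictness checker for X.509 material (X.690 sections 8-11).

Added example, not code from the mailing-list thread. It walks the TLV
structure of a byte string and rejects the BER freedoms DER forbids:
indefinite lengths, non-minimal length octets, non-canonical BOOLEAN,
INTEGER and BIT STRING contents, and trailing bytes after the outer element.
"""
from __future__ import annotations

TAG_BOOLEAN, TAG_INTEGER, TAG_BITSTRING = 0x01, 0x02, 0x03
CONSTRUCTED = 0x20


class NotDER(ValueError):
    """Input is at best BER; the message carries the offset and the reason."""


def _read_tag(buf: bytes, pos: int) -> tuple[int, int, bool, int]:
    """Return (tag number, tag class, constructed?, position after the tag)."""
    if pos >= len(buf):
        raise NotDER(f"{pos}: truncated tag")
    first = buf[pos]
    number, pos = first & 0x1F, pos + 1
    if number == 0x1F:  # high-tag-number form: base-128 with 0x80 continuation
        number = 0
        while True:
            if pos >= len(buf):
                raise NotDER(f"{pos}: truncated high tag number")
            number, pos = (number << 7) | (buf[pos] & 0x7F), pos + 1
            if not buf[pos - 1] & 0x80:
                break
    return number, first >> 6, bool(first & CONSTRUCTED), pos


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position after it). DER allows only the definite,
    minimal form, so 0x80 (indefinite) and padded long forms are rejected."""
    if pos >= len(buf):
        raise NotDER(f"{pos}: truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise NotDER(f"{pos - 1}: indefinite length is BER only")
    n = first & 0x7F
    raw = buf[pos:pos + n]
    if len(raw) != n:
        raise NotDER(f"{pos}: truncated long-form length")
    length = int.from_bytes(raw, "big")
    if raw[0] == 0 or length < 0x80:  # leading zero octet, or fits short form
        raise NotDER(f"{pos - 1}: non-minimal length encoding")
    return length, pos + n


def _check_primitive(tag: int, cls: int, content: bytes, at: int) -> None:
    """Canonical-content rules for the universal primitives certificates use."""
    if cls != 0:  # only universal-class tags have fixed content rules here
        return
    if tag == TAG_BOOLEAN and content not in (b"\x00", b"\xff"):
        raise NotDER(f"{at}: BOOLEAN must be 00 or FF in DER")
    if tag == TAG_INTEGER:
        if not content:
            raise NotDER(f"{at}: empty INTEGER")
        if len(content) > 1 and content[0] == 0x00 and not content[1] & 0x80:
            raise NotDER(f"{at}: INTEGER has a redundant leading 00")
        if len(content) > 1 and content[0] == 0xFF and content[1] & 0x80:
            raise NotDER(f"{at}: INTEGER has a redundant leading FF")
    if tag == TAG_BITSTRING:
        if not content or content[0] > 7:
            raise NotDER(f"{at}: BIT STRING unused-bits octet out of range")
        if content[0] and content[-1] & ((1 << content[0]) - 1):
            raise NotDER(f"{at}: BIT STRING padding bits must be zero")


def _element(buf: bytes, pos: int, end: int) -> int:
    """Parse one TLV at pos (bounded by end); return the position after it."""
    start = pos
    tag, cls, constructed, pos = _read_tag(buf, pos)
    length, pos = _read_length(buf, pos)
    content_end = pos + length
    if content_end > end:
        raise NotDER(f"{start}: element overruns its container")
    if constructed:
        while pos < content_end:
            pos = _element(buf, pos, content_end)
    else:
        _check_primitive(tag, cls, buf[pos:content_end], start)
    return content_end


def is_strict_der(buf: bytes) -> tuple[bool, str]:
    """(True, 'ok') for strict DER, else (False, '<offset>: <reason>')."""
    try:
        if not buf:
            raise NotDER("0: empty input")
        end = _element(buf, 0, len(buf))
        if end != len(buf):
            raise NotDER(f"{end}: {len(buf) - end} trailing byte(s) after outer element")
    except NotDER as exc:
        return False, str(exc)
    return True, "ok"


def signed_portion(cert: bytes) -> bytes:
    """Raw tbsCertificate TLV: the first child of the outer SEQUENCE, which is
    the span RFC 5280 says is DER-encoded for signature calculation."""
    _, _, constructed, pos = _read_tag(cert, 0)
    length, pos = _read_length(cert, pos)
    if not constructed or pos + length > len(cert):
        raise NotDER("0: outer element is not a well-formed SEQUENCE")
    return cert[pos:_element(cert, pos, pos + length)]


# Constructed samples: SEQUENCE { INTEGER 2, BOOLEAN TRUE } in DER, then BER variants.
DER_OK = bytes.fromhex("3006 020102 0101ff")
BER_INDEFINITE = bytes.fromhex("3080 020102 0101ff 0000")  # 0x80 length + end-of-contents
BER_LONG_LENGTH = bytes.fromhex("308106 020102 0101ff")    # length 6 padded to long form
BER_BOOLEAN = bytes.fromhex("3006 020102 010101")          # TRUE as 01 instead of FF
# Certificate-shaped SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }; not a real cert.
FAKE_CERT = bytes.fromhex("300b 3003020102 3000 030200ab")

if __name__ == "__main__":
    for name, blob in [("DER_OK", DER_OK), ("BER_INDEFINITE", BER_INDEFINITE),
                       ("BER_LONG_LENGTH", BER_LONG_LENGTH), ("BER_BOOLEAN", BER_BOOLEAN)]:
        print(f"{name:16} {is_strict_der(blob)}")
    print("signed portion:", signed_portion(FAKE_CERT).hex())
```

Run it on a real certificate with `is_strict_der(open("cert.der", "rb").read())`; the reported offset is where the first BER-only construct begins, which is usually enough to identify the misbehaving encoder. Note that `signed_portion` parses the outer wrapper with the same strict length reader, so a certificate whose outer SEQUENCE is itself BER is rejected before the tbsCertificate is examined.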