<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">There are very few things that are as intrinsically political than the names of states. So complaining about the naming of states being political is to miss the point entirely.</div><div class=""><br class=""></div><div class="">From a technical point of view, there are two concerns when considering an identifier.</div><div class=""><br class=""></div><div class="">1) Is the identifier unambiguous? Could the identifier correspond to more than one distinct entity?</div><div class="">2) Is the identifier resolvable? Can a party attempting to resolve the identifier determine what it means?</div><div class=""><br class=""></div><div class="">For the purposes of the WebPKI, we are also interested in two particular aspects of identity:</div><div class=""><br class=""></div><div class="">1) To establish accountability through legal consequences should a subject make a material misrepresentation in a transaction.</div><div class="">2) To enable binding of a physical world identity to an online identity. </div><div class=""><br class=""></div><div class="">When I first started doing PKI, I thought that the use of the X.500 names in addition to the DNS names was a mistake. Since then, I have come to understand that it is actually very important. Because there are offline identities that pre-existed the cyber world and there are reputations bound to them that people wish to make use of online.</div><div class=""><br class=""></div><div class="">If we wish to engage the services of nation state law enforcement and nation state courts, then we have to be willing to meet whatever criteria the nation states apply to provide them.</div><div class=""><br class=""></div><div class="">The topic of ‘identity’ is something that I really try to avoid. The objective of the WebPKI is not to establish identity, it is designed to establish an expectation of consequences and to enable the use of an offline reputation. Both of which are bound to an identity. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">When the WebPKI was first developed, the only objective was to establish consequences and provide access to offline reputation. Today we use it for much more. In particular we use it for entities whose only existence is online. For these organizations, offline reputation is irrelevant and consequences may not be relevant. Hence the need for EV and DV as distinct quanta of trust.</div><div class=""><br class=""></div><div class="">The proposals to move the Web to encrypted by default and beyond that to mandate encryption create a third category of WebPKI use. Or maybe they should be outside the WebPKI entirely.</div><div class=""><br class=""></div><div class="">The big fight in the early development of the WebPKI was whether it would be ‘open’ or ‘closed’. In particular, would anybody be able to get a certificate to engage in Internet commerce from a range of competing providers on flat rate terms or would the infrastructure be closed like a game console platform with the platform provider taking a cut of every sale. One of the reasons we have the model we do is because of a man called Michael Baum who showed how an open PKI was in fact practical at a time when most people thought it wasn’t.</div><div class=""><br class=""></div><div class="">If we are going to go to mandate use of encryption, the access issue is raised again unless we create a third category of certificate that is below DV and provides no degree of assurance whatsoever and does not result in an an affirmative security signal in the browser. (And why would you need a signal if everything is always encrypted).</div><div class=""><br class=""></div><div class="">In retrospect, I think I probably made a mistake in not recognizing that DV and EV were in fact meeting two different but legitimate needs earlier. I think we might be making the same mistake again with DV and whatever it is that meets the ubiquitous encryption need.</div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 21, 2017, at 3:04 AM, Dimitris Zacharopoulos via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">On 21/3/2017 5:44 πμ, Ryan Sleevi
wrote:<br class="">
</div>
<blockquote cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">Dimitris,
<div class=""><br class=""></div>
<div class="">Thanks for providing concrete reasons to support such a
change. Replies inline.<br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Mon, Mar 20, 2017 at 4:03 AM,
Dimitris Zacharopoulos <span dir="ltr" class=""><<a moz-do-not-send="true" href="mailto:jimmy@it.auth.gr" target="_blank" class="">jimmy@it.auth.gr</a>></span> wrote:
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000" class=""> Let me try to
provide some reasons in favor of allowing these two
exceptions.<br class="">
<ol class="">
<li class="">For reasons unrelated to the CA/B Forum
(political or whatever non-technical reasons), two
EU Countries have been using different two-letter
Country Identifiers in addition to the ones listed
in ISO3166-1. These exceptions have been
well-defined in legal EU documents, like the <a moz-do-not-send="true" href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505" target="_blank" class="">1505/2015</a> implementing
decision. Since these exceptions are used
Internationally, are well-defined and globally
recognized, it makes sense to allow them to be
used in the webPKI as well.</li>
</ol>
</div>
</blockquote>
<div class="">So I object to this reasoning because it's unclear
what the justification is for this change. As mentioned,
there are clearly international political issues at play
here, and while I think Phillip's examples are actively
unhelpful to making productive discussion, the fact that
he feels they're relevant and on-topic to this
discussion - or the remarks Geoff have made - actively
highlight this.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
I guess we disagree on the fact that you need justification for a
political decision made by the European Union, while I take it for
granted. The fact that "off-topic" (at least some people would
characterize them as such) comments were made, with political tone,
isn't something that should be used to dismiss the rest of the
"on-topic" and valuable feedback and shouldn't be a reason, alone,
to dismiss a subject being discussed (or any issue for that matter).
Off-topic comments have been posted in the past and will certainly
be posted in the future :)<br class="">
<br class="">
<blockquote cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">
<div class="gmail_extra">
<div class="gmail_quote">
<div class=""><br class="">
</div>
<div class="">As mentioned elsewhere, these documents don't apply
from a 9.16.3 or from a perspective of law. Further, I
think you can agree that even if we accept such
documents, their scope is to apply to a jurisdictional
boundary, except you're proposing that these be adopted
at an international level (as all certificates are
inherently worldwide). So, in effect, you're proposing
that the first country to pass a law gets to bypass any
form of international agreement or consensus, and
instead declare 'squatters' rights.</div>
<div class=""><br class="">
</div>
<div class="">I don't believe you intended to put it like that, but
I want to highlight that is effectively what this
justification is, so that you can understand why it's
undesirable.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
Indeed I never intended to put it like that but I think 9.16.3
allows for exactly what you just described as undesirable (for
better or worse). To the minimum, it is unclear what the boundaries
are. That is, if a country passes a law that conflicts with the BRs
and the CA has to abide with it, it must abide with it. To better
understand this and possibly make it clear for others let me give a
theoretical example. If there was a Greek law that said "you need to
be able to issue publicly trusted SSL Certificates with C=EL for
such and such cases", 9.16.3 would allow a CA (not necessarily a CA
operated in Greece) to issue and inform the CA/B Forum's public list
about this conflict.<br class="">
<br class="">
Do you agree with this interpretation? I think this is a key issue
that the forum should try to explain and clarify as soon as
possible. I also welcome other members that wish to offer their
perspective on this.<br class="">
<br class="">
<br class="">
<blockquote cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">
<div class="gmail_extra">
<div class="gmail_quote">
<div class=""> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000" class="">
<ol class="">
<li class="">Introducing these well-defined exceptions pose
no security threat because these identifiers are
already known for so long. AFAIU, by adding these
two exceptions, no significant problems have been
identified so far in the discussion. Please note
that I am not suggesting "replacing C=GR with C=EL
and C=GB with C=UK" but allowing all of them to be
acceptable.</li>
</ol>
</div>
</blockquote>
<div class="">But now you've introduced an ambiguity and overload
whose "source of truth" can no longer be discerned.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
I am not sure I understand this comment or where you see ambiguity.
There would be a well-defined exception for two countries to be
represented with two different identifiers each. This makes it
clear, at least to me, that when I see a certificate with either
C=GR or C=EL, the Subject's Country is Greece :)<br class="">
<br class="">
<blockquote cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">
<div class="gmail_extra">
<div class="gmail_quote">
<div class=""><br class="">
</div>
<div class="">For example, the conflicting examples Rob and Phillip
have given - only the former of which I'm inclined to
trust in this case - do create ambiguities. If the
purpose of the Baseline Requirements is to agree upon
unambiguous representations to the extent possible, by
including full jurisdictional information (as the
discussion with Li-Chun related to the X.500 DIT has
shown), then introducing this change introduces
unnecessary ambiguity, and through it, undermines the
goal of including identity information in certificates.</div>
<div class=""><br class="">
</div>
<div class="">Put differently, this poses a thread to the value and
usefulness of the identity information. Since a number
of CAs have asserted identity information is security
relevant (hence why they revoke certificates whose
identity information is incorrect or misleading), we
must naturally conclude that this either _does_
represent a security threat, or that identity
information in certificates is not security relevant,
and we should update our documents accordingly.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
Being unable to see an ambiguity, I fail to see a security threat
here. The source of information is still ISO3166-1 but we are
discussing the "UK" and "EL" extra identifiers for two specific
jurisdictions. If "EL" was listed as exceptionally reserved just as
the "UK" label is, would you agree with Gerv that this would make
things clearer and easier to allow for these exceptions?<br class="">
<br class="">
<blockquote cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">
<div class="gmail_extra">
<div class="gmail_quote">
<div class=""><br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000" class="">
<ol class="">
<li class="">There may be legal reasons for some official
government agencies to be represented by using
C=EL or C=UK in the subject field. Should the
Forum prevent that? Should the Forum question
these reasons?</li>
</ol>
</div>
</blockquote>
<div class="">Yes. Because the Forum should strive to stay
apolitical to the extent possible, and we achieve that
by standing on the shoulder of the giants who have gone
before us, seeking out international consensus through
an assemblage of experts, and when we find reason to
deviate, to do so in a manner that is a consistent
application of principles rather than of en-vogue
politics.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
IMHO, by questioning these reason, you evidently become political. I
understand the fact that it is merely impossible to avoid some
political discussions, sooner or later, when it comes to building
policy documents. In order to achieve the goal to "stay apolitical
to the extent possible", IMO the forum should try to resolve policy
conflicts with minimal or no impact to the ecosystem based on
standards and specific processes like the one we are following now
(allowed thanks to the last paragraph of 9.16.3). I fully understand
the argument of building on top of International standards,
agreements, treaties and such ("giants" as you elegantly described).
My somewhat similar thought was that the European Union's decisions
look like they are coming from a "giant" as well :)<br class="">
<br class="">
<blockquote cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">
<div class="gmail_extra">
<div class="gmail_quote">
<div class=""><br class="">
</div>
<div class="">In this case, as has been mentioned, the appropriate
discussion point would minimally be within the realm of
ISO, as Gerv has highlighted.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
This makes perfect sense and I plan on contacting our ISO
representatives to see if there is more than meets the eye.<br class="">
<br class="">
Overall, I think this was (is) a useful conversation, at least to
"test" the limits and boundaries of 9.16.3 so that members have a
better understanding.<br class="">
<br class="">
<br class="">
Dimitris.<br class="">
</div>
_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></blockquote></div><br class=""></body></html>