<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 21/3/2017 5:44 πμ, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com"
type="cite">
<div dir="ltr">Dimitris,
<div><br>
</div>
<div>Thanks for providing concrete reasons to support such a
change. Replies inline.<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Mar 20, 2017 at 4:03 AM,
Dimitris Zacharopoulos <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:jimmy@it.auth.gr"
target="_blank">jimmy@it.auth.gr</a>></span> wrote:
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Let me try to
provide some reasons in favor of allowing these two
exceptions.<br>
<ol>
<li>For reasons unrelated to the CA/B Forum
(political or whatever non-technical reasons), two
EU Countries have been using different two-letter
Country Identifiers in addition to the ones listed
in ISO3166-1. These exceptions have been
well-defined in legal EU documents, like the <a
moz-do-not-send="true"
href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505"
target="_blank">1505/2015</a> implementing
decision. Since these exceptions are used
Internationally, are well-defined and globally
recognized, it makes sense to allow them to be
used in the webPKI as well.</li>
</ol>
</div>
</blockquote>
<div>So I object to this reasoning because it's unclear
what the justification is for this change. As mentioned,
there are clearly international political issues at play
here, and while I think Phillip's examples are actively
unhelpful to making productive discussion, the fact that
he feels they're relevant and on-topic to this
discussion - or the remarks Geoff have made - actively
highlight this.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I guess we disagree on the fact that you need justification for a
political decision made by the European Union, while I take it for
granted. The fact that "off-topic" (at least some people would
characterize them as such) comments were made, with political tone,
isn't something that should be used to dismiss the rest of the
"on-topic" and valuable feedback and shouldn't be a reason, alone,
to dismiss a subject being discussed (or any issue for that matter).
Off-topic comments have been posted in the past and will certainly
be posted in the future :)<br>
<br>
<blockquote
cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>As mentioned elsewhere, these documents don't apply
from a 9.16.3 or from a perspective of law. Further, I
think you can agree that even if we accept such
documents, their scope is to apply to a jurisdictional
boundary, except you're proposing that these be adopted
at an international level (as all certificates are
inherently worldwide). So, in effect, you're proposing
that the first country to pass a law gets to bypass any
form of international agreement or consensus, and
instead declare 'squatters' rights.</div>
<div><br>
</div>
<div>I don't believe you intended to put it like that, but
I want to highlight that is effectively what this
justification is, so that you can understand why it's
undesirable.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Indeed I never intended to put it like that but I think 9.16.3
allows for exactly what you just described as undesirable (for
better or worse). To the minimum, it is unclear what the boundaries
are. That is, if a country passes a law that conflicts with the BRs
and the CA has to abide with it, it must abide with it. To better
understand this and possibly make it clear for others let me give a
theoretical example. If there was a Greek law that said "you need to
be able to issue publicly trusted SSL Certificates with C=EL for
such and such cases", 9.16.3 would allow a CA (not necessarily a CA
operated in Greece) to issue and inform the CA/B Forum's public list
about this conflict.<br>
<br>
Do you agree with this interpretation? I think this is a key issue
that the forum should try to explain and clarify as soon as
possible. I also welcome other members that wish to offer their
perspective on this.<br>
<br>
<br>
<blockquote
cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<ol>
<li>Introducing these well-defined exceptions pose
no security threat because these identifiers are
already known for so long. AFAIU, by adding these
two exceptions, no significant problems have been
identified so far in the discussion. Please note
that I am not suggesting "replacing C=GR with C=EL
and C=GB with C=UK" but allowing all of them to be
acceptable.</li>
</ol>
</div>
</blockquote>
<div>But now you've introduced an ambiguity and overload
whose "source of truth" can no longer be discerned.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I am not sure I understand this comment or where you see ambiguity.
There would be a well-defined exception for two countries to be
represented with two different identifiers each. This makes it
clear, at least to me, that when I see a certificate with either
C=GR or C=EL, the Subject's Country is Greece :)<br>
<br>
<blockquote
cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>For example, the conflicting examples Rob and Phillip
have given - only the former of which I'm inclined to
trust in this case - do create ambiguities. If the
purpose of the Baseline Requirements is to agree upon
unambiguous representations to the extent possible, by
including full jurisdictional information (as the
discussion with Li-Chun related to the X.500 DIT has
shown), then introducing this change introduces
unnecessary ambiguity, and through it, undermines the
goal of including identity information in certificates.</div>
<div><br>
</div>
<div>Put differently, this poses a thread to the value and
usefulness of the identity information. Since a number
of CAs have asserted identity information is security
relevant (hence why they revoke certificates whose
identity information is incorrect or misleading), we
must naturally conclude that this either _does_
represent a security threat, or that identity
information in certificates is not security relevant,
and we should update our documents accordingly.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Being unable to see an ambiguity, I fail to see a security threat
here. The source of information is still ISO3166-1 but we are
discussing the "UK" and "EL" extra identifiers for two specific
jurisdictions. If "EL" was listed as exceptionally reserved just as
the "UK" label is, would you agree with Gerv that this would make
things clearer and easier to allow for these exceptions?<br>
<br>
<blockquote
cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<ol>
<li>There may be legal reasons for some official
government agencies to be represented by using
C=EL or C=UK in the subject field. Should the
Forum prevent that? Should the Forum question
these reasons?</li>
</ol>
</div>
</blockquote>
<div>Yes. Because the Forum should strive to stay
apolitical to the extent possible, and we achieve that
by standing on the shoulder of the giants who have gone
before us, seeking out international consensus through
an assemblage of experts, and when we find reason to
deviate, to do so in a manner that is a consistent
application of principles rather than of en-vogue
politics.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
IMHO, by questioning these reason, you evidently become political. I
understand the fact that it is merely impossible to avoid some
political discussions, sooner or later, when it comes to building
policy documents. In order to achieve the goal to "stay apolitical
to the extent possible", IMO the forum should try to resolve policy
conflicts with minimal or no impact to the ecosystem based on
standards and specific processes like the one we are following now
(allowed thanks to the last paragraph of 9.16.3). I fully understand
the argument of building on top of International standards,
agreements, treaties and such ("giants" as you elegantly described).
My somewhat similar thought was that the European Union's decisions
look like they are coming from a "giant" as well :)<br>
<br>
<blockquote
cite="mid:CACvaWvYZAx2+Dv7Lnr+MKgw58mTaVWDsT6cNh2w36W1bZ6KrfA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>In this case, as has been mentioned, the appropriate
discussion point would minimally be within the realm of
ISO, as Gerv has highlighted.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
This makes perfect sense and I plan on contacting our ISO
representatives to see if there is more than meets the eye.<br>
<br>
Overall, I think this was (is) a useful conversation, at least to
"test" the limits and boundaries of 9.16.3 so that members have a
better understanding.<br>
<br>
<br>
Dimitris.<br>
</body>
</html>