<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 12, 2018 at 7:42 AM Paul Hoffman via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Greetings. I am interested in finding out which member CAs use each of the methods listed in Section 3.2.2.4 of the BRs. I looked around the CABF web site and could not find any such list, but could have missed it. If the CABF doesn't keep such a list, does anyone know of an external researcher who has created such a list in the past few years?<br>
<br>
Note that I'm not asking for each CA to say on this mailing list "we use 3.2.2.4.1 and 3.2.2.4.6"; that would not be a good use of bandwidth here. I just hope that someone has already collected that data.<br>
<br>
A related request would be for the CAs that allow multiple methods to report somewhere what percentage of their certificates from the last year were from each method. I really don't expect that to exist as a whole, but maybe CAs are reporting this on their own sites.<br>
<br>
If no one is collecting this information, maybe the CABF could start?<br></blockquote><div><br></div><div>Hi Paul,</div><div><br></div><div>As you can know, providing information in a transparent and verifiable way tends to be a challenge, and in general, is unsuccessful within the CA/Browser Forum itself. However, it's also important to consider that the CA/Browser Forum does not serve as a clearinghouse for CA information - the set of publicly trusted CAs are a 1:1 representation of the Forum, and the Forum is simply a non-incorporated discussion clearing house for CAs that wish to streamline their communications with root programs. As such, your questions are better directed to root programs directly, in practice.</div><div><br></div><div>To your first question - what methods are used - the CA/Browser Forum membership does not collect nor publish that information. Efforts to determine what CAs are using which methods are often ad-hoc, as CAs seem reticent to discuss in the Forum the methods they use to validate the certificates they issue. There is some information publicly available, in response to Mozilla's CA communications [1], in particular, the January 2018 survey. Additionally, the BR Self-Assessment [2] also seeks to better document, on an annual basis, what methods CAs are reportedly using.</div><div><br></div><div>As to your second question, the volume of issuance, a number of CAs have been quite opposed to providing those details. While the BRs require that CAs record the method of validation used, as of CA/Browser Forum Ballot 169 [3], although given the ability of CAs to reuse previously validated information, it's unclear whether CAs are attempting to misinterpret those requirements by claiming information reuse, as the discussion around Ballots 185 and 193 revealed some were prone to do.</div><div><br></div><div>That said, there are efforts to revisit the proposals from Ballot 193's discussion to aid in the transparency and assurance of Relying Parties, and to better assess ecosystem risk and impact to more effectively respond to security incidents (as captured in [1]'s January communication), by requiring certificates to disclose the method that was used to validate the domain information within the certificate. This will allow for more effective improvements to the security of the ecosystem, by ensuring subscriber needs are met and balanced with those of Relying Parties.</div><div><br></div><div>[1] <a href="https://wiki.mozilla.org/CA/Communications">https://wiki.mozilla.org/CA/Communications</a><br></div><div>[2] <a href="https://wiki.mozilla.org/CA/BR_Self-Assessment">https://wiki.mozilla.org/CA/BR_Self-Assessment</a></div><div>[3] <a href="https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/">https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/</a></div></div></div>