<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<div class="moz-forward-container">Forwarding on behalf of Phil.<br>
<br>
<br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>Re: [cabfpub] [EXTERNAL] The purpose of the CA/B Forum</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Mon, 21 Oct 2019 14:21:43 -0400</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Phillip Hallam-Baker <a class="moz-txt-link-rfc2396E" href="mailto:phill@hallambaker.com">&lt;phill@hallambaker.com&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td>Kirk Hall via Public <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">CC: </th>
<td>Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr">&lt;dzacharo@harica.gr&gt;</a>, Dimitris Zacharopoulos
<a class="moz-txt-link-rfc2396E" href="mailto:jimmy@it.auth.gr">&lt;jimmy@it.auth.gr&gt;</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div dir="ltr">
<div class="gmail_default" style="font-size:small">[I am not
able to send to the list, this may be forwarded should you
choose]</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">As one of the
two people who called the meeting that led to the creation of
CABForum, I can confirm that Dimitris is correct.</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">There is
however another much more important reason for representatives
whose companies operate root key programs to avoid making
threats: The operation of CABForum is subject to US and EU
anti-trust law. This was of course a major concern for
Microsoft at the time CABForum was being formed. </div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">I recently
had to point out to one root key program operator that they
should run a proposed internal ballot through their
internal lawyers, as they would face an obvious anti-trust
challenge if they allowed it to go ahead.</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">It would
probably be wise for all parties operating root programs to
note that there are storms brewing in Washington as well as
Brussels. And not just in one party.</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Oct 21, 2019 at 1:09
PM Kirk Hall via Public &lt;<a
href="mailto:public@cabforum.org" moz-do-not-send="true">public@cabforum.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-4073935011548914607WordSection1">
<p class="MsoNormal">+1 Dimitris. As the immediate past
Chair of the Forum and someone involved in creating the
Forum in 2005, your analysis below is correct.
</p>
<p class="MsoNormal"> </p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b> Public &lt;<a
href="mailto:public-bounces@cabforum.org"
target="_blank" moz-do-not-send="true">public-bounces@cabforum.org</a>&gt;
<b>On Behalf Of
</b>Dimitris Zacharopoulos via Public<br>
<b>Sent:</b> Monday, October 21, 2019 8:54 AM<br>
<b>To:</b> <a href="mailto:public@cabforum.org"
target="_blank" moz-do-not-send="true">public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL][cabfpub] The purpose of
the CA/B Forum</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="100%" size="3" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12pt"><br>
Dear CA/B Forum Members,<br>
<br>
Recent posts [1], [2] were brought to my attention with
a statement from a representative of a Certificate
Consumer Member who believes that the role of the Forum
is the following:<br>
<br>
"The Forum provides a venue to ensure Browsers do not
place conflicting requirements on CAs that voluntarily
participate within the browsers root programs, by
facilitating discussion and feedback. This allows
interoperability among the Web PKI space, which refers
to the set of CAs within browsers, and thus allows
easier interoperability within browsers. Prior to the
Forum, it was much easier to see this reflected in the
private arrangements between CAs and browsers. If
different browsers had different requirements, CAs would
have to act as the intermediary to identify and
communicate those conflicts. Similarly, browsers had to
spend significant effort working to communicate with all
of the CAs in their programs, often repeatedly answering
similar questions. By arranging a common mailing list,
and periodic meetings, those barriers to communication
can be reduced.<br>
<br>
<br>
That is the sole and only purpose of the Forum. Any
other suggestion is ahistorical and not reflected in the
past or present activities."<br>
<br>
<br>
We should not interpret silence as consent for such
statements that can create misunderstandings. I put a
lot of thought before posting this message because I
represent a CA but I was also voted as Chair to ensure
the Bylaws are followed. I personally don’t agree with
that view of the purpose of the Forum (or the statement
that any other suggestion is ahistorical), and I think
other members disagree as well. As Chair of the Forum, I
feel obligated to share some thoughts and my perspective
about the purpose of the Forum.<br>
<br>
When I first learned about the CA/B Forum and started
receiving the public list emails, I was thrilled with
the level of engagement, participation and contributions
of industry leaders in the publicly-trusted certificate
sector. Industry leaders who made SSL/TLS and Code
Signing Certificates known and usable around the Globe
in order to secure communications and code execution
were voluntarily contributing their valuable
technical and operational experience. When critical
incidents occurred that affected a large part of the
webPKI, industry leaders freely shared their internal
security policies/practices, so that others could
publicly evaluate and use them. When it was decided for
Domain Validation methods to be disclosed, Certificate
Issuers disclosed their methods and the less secure
methods were identified and removed. Some of the Forum's
popular projects, such as the EV Guidelines and the
Network Security Requirements, were driven by
Certificate Issuers and were not directly linked to
Certificate Consumers' Root program policies; they are
now required by Root programs. This industry continues
to improve Guidelines and overall security by
continuously raising the security bar. It is natural for
Certificate Consumers to lead and push for stricter
rules but Certificate Issuers also participate in these
discussions and contribute with ideas. These
contributions are not made "to make Browsers happy" but
to improve the overall security of the ecosystem.
<br>
<br>
Mistakes happened, CAs were distrusted, but that has
nothing to do with the CA/B Forum. We are not here at
the Forum to judge how CAs complied or not with the
Guidelines, or how strict or not the Browser decisions
were. In my understanding, these discussions are out of
the CA/B Forum's scope. To my eyes, every contribution to the
Forum is done in good faith, reviewed by some of the
world's most talented and competent people I know, and
they are accepted into the work product of the Forum,
which is our Guidelines. It is also very clear that our
Guidelines need continuous improvements and it is very
possible that some requirements are misinterpreted.
We are here to remove ambiguities and make these
requirements as clear as possible.<br>
<br>
I have no doubt that the CA/B Forum serves the
"undocumented" purpose of aligning requirements between
Certificate Consumer Policies, although it is not stated
in the Forum's Bylaws. Perhaps this is how things
started with the Forum. I don't know, I wasn't there :)
But I believe things have evolved. I strongly believe
that the CA/B Forum is an earnest effort by the
publicly-trusted certificate industry to
<b>self-regulate</b> in the absence of other National or
International regulatory Authorities. These efforts to
self-regulate exceed the purpose for Root Programs to
align. After all, if that was the sole and only purpose,
it might as well have been the "Browser Forum" where
Browsers meet, set the common rules and then dictate CAs
to follow these rules. I believe the Forum is more than
that.<br>
<br>
It is fortunate that we are given the opportunity to
take a step back and re-check why we are all here. I can
only quote from the Bylaws (emphasis mine):<br>
<br>
"1.1 Purpose of the Forum<br>
<br>
The Certification Authority Browser Forum (CA/Browser
Forum) is a voluntary gathering of leading Certificate
Issuers and vendors of Internet browser software and
other applications that use certificates (Certificate
Consumers).<br>
<br>
Members of the CA/Browser Forum have worked closely
together in defining the guidelines and means of
<b>implementation for best practices as a way of
providing a heightened security for Internet
transactions and creating a more intuitive method of
displaying secure sites to Internet users</b>."<br>
<br>
I read this purpose as an "unofficial" agreement between
Certificate Issuers and Certificate Consumers to improve
security for internet transactions AND to create a more
intuitive method of displaying secure sites to internet
users. I have only been involved in the Forum for the
last couple of years and although I see a lot of effort
to improve security policies/practices (as demonstrated
in all the updates of the BRs, EVGs, NetSec guidelines),
there are no documented efforts for the purpose of
creating a more intuitive method of displaying secure
sites to Internet users.<br>
<br>
Setting this aside, I believe we either need to agree
that the purpose of the Forum, as described in the
Bylaws, is incorrect and update the Bylaws, or to take a
step back and consider all that the Forum has
accomplished over the last years with the Contributions
of its Members, Associate Members, Interested Parties,
even non-Members, and work collaboratively, in good
faith to make further progress.<br>
<br>
Looking back at my notes during a presentation at the
F2F 46 meeting in Cupertino, I mentioned:<br>
<br>
"Forum members should exercise their participation in a
neutral way as much as possible. We are here to create
and improve guidelines and we need to be able to do that
with more participation and consensus. Some members feel
“exposed” during Forum discussions. All members must
have a more “neutral” behavior in the CA/B Forum
discussions around guidelines. We welcome more
contributions from Certificate Issuers in order to
understand real cases and improve overall security". I
do not recall hearing any objections to this statement,
but that was perhaps because members were very polite
:-)<br>
<br>
I'm afraid this cannot be achieved if Certificate
Consumer Members continuously bring their "guns" (i.e.
Root Program Requirements) in CA/B Forum discussions. I
would expect these "guns" to be displayed and used in
the independent Root Program venues and not the CA/B
Forum.<br>
<br>
I would personally feel very disappointed (as the CA/B
Forum Chair) if we were to re-purpose the Forum to
match the statement at the beginning of this email. In
any case, I would like to give the opportunity for
members to publicly express their opinion about the
purpose of the Forum and especially the Server
Certificate Working Group. I also understand and respect
if some Members are reluctant to publicly state their
opinion.<br>
<br>
<br>
Dimitris.<br>
CA/B Forum and Server Certificate Working Group Chair<br>
<br>
[1] <a
href="https://cabforum.org/pipermail/validation/2019-September/001326.html"
target="_blank" moz-do-not-send="true">
https://cabforum.org/pipermail/validation/2019-September/001326.html</a><br>
[2] <a
href="https://cabforum.org/pipermail/servercert-wg/2019-October/001171.html"
target="_blank" moz-do-not-send="true">
https://cabforum.org/pipermail/servercert-wg/2019-October/001171.html</a></p>
</div>
</div>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank"
moz-do-not-send="true">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://cabforum.org/mailman/listinfo/public</a><br>
</blockquote>
</div>
</div>
</body>
</html>