<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 2019-10-21 7:19 μ.μ., Ryan Sleevi
via Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Oct 21, 2019 at
11:54 AM Dimitris Zacharopoulos via Public <<a
href="mailto:public@cabforum.org" moz-do-not-send="true">public@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> <br>
Dear CA/B Forum Members,<br>
<br>
Recent posts [1], [2] were brought to my attention with a
statement from a representative of a Certificate Consumer
Member who believes that the role of the Forum is the
following:<br>
<br>
"The Forum provides a venue to ensure Browsers do not
place conflicting requirements on CAs that voluntarily
participate within the browsers root programs, by
facilitating discussion and feedback. This allows
interoperability among the Web PKI space, which refers to
the set of CAs within browsers, and thus allows easier
interoperability within browsers. Prior to the Forum, it
was much easier to see this reflected in the private
arrangements between CAs and browsers. If different
browsers had different requirements, CAs would have to act
as the intermediary to identify and communicate those
conflicts. Similarly, browsers had to spend significant
effort working to communicate with all of the CAs in their
programs, often repeatedly answering similar questions. By
arranging a common mailing list, and periodic meetings,
those barriers to communication can be reduced.<br>
<br>
<br>
That is the sole and only purpose of the Forum. Any other
suggestion is ahistorical and not reflected in the past or
present activities."<br>
<SNIP><br>
It is fortunate that we are given the opportunity to take
a step back and re-check why we are all here. I can only
quote from the Bylaws (emphasis mine):<br>
<br>
"1.1 Purpose of the Forum<br>
<br>
The Certification Authority Browser Forum (CA/Browser
Forum) is a voluntary gathering of leading Certificate
Issuers and vendors of Internet browser software and other
applications that use certificates (Certificate
Consumers).<br>
<br>
Members of the CA/Browser Forum have worked closely
together in defining the guidelines and means of <b>implementation
for best practices </b><b>as a way of providing a
heightened security for Internet transactions and
creating a more intuitive method of displaying secure
sites to Internet users</b>."<br>
</div>
</blockquote>
<div><br>
</div>
<div>Dimitris,</div>
<div><br>
</div>
<div>I don't believe there is the conflict you suggest between
the statement and the bylaws.</div>
</div>
</div>
</blockquote>
<br>
I see a conflict because the statement considers a different purpose
than what is described in section 1.1 of the Bylaws. I was also
surprised ("shocked" might better describe it) to read that any
other purposes are "ahistorical", and see this statement being
directed to a new Interested Party who just recently joined the
Server Certificate Working Group.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<div>I think we're in agreement the the CA/Browser Forum is
voluntary.</div>
<div>I think we're in agreement that the CA/Browser Forum does
not, nor has it ever, defined Root Program Policy.</div>
<div>I think we're in agreement that the CA/Browser Forum does
not, nor has it ever, "enforced" any action upon CAs.</div>
</div>
</div>
</blockquote>
<br>
I agree with all three. I have also been pointing out these three
elements in every presentation related to the Forum :-) However, the
fact that the Forum:<br>
<ul>
<li>is voluntary</li>
<li>does not define "Root Program Policy" and <br>
</li>
<li>does not "enforce" nor "supervise" the CAs, <br>
</li>
</ul>
are not related to the purpose of the Forum. You can say the same
thing about IETF or other STOs. The CA/B Forum is a consensus driven
STO that produces guidelines. How these guidelines are used is a
different topic. We know for a fact that they are used as input for
two International Standards, ETSI and WebTrust. Who knows how many
other government or private sector areas are using the CA/B Forum's
work product to define their policies.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<div>I think this is much clearer if you continue quoting from
the Bylaws. Indeed, the two sentences that immediately
follow, emphasis mine, highlight this:</div>
<div><br>
</div>
<div>1.2 Status of the Forum and the Forum Activities</div>
<div>The Forum has no corporate or association status, but is
<b>simply a group of<br>
Certificate Issuers and Certificate Consumers that
communicates or meets from time<br>
to time to discuss matters of common interest relevant to
the Forum’s purpose. The<br>
Forum has no regulatory or industry powers over its
members or others.</b><br>
</div>
</div>
</div>
</blockquote>
<br>
Yes, already acknowledged that.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> I read this purpose as an "unofficial" agreement
between Certificate Issuers and Certificate Consumers to
improve security for internet transactions AND to create a
more intuitive method of displaying secure sites to
internet users.</div>
</blockquote>
<div><br>
</div>
<div>No. It's a statement about what the Forum has done in the
past. If you continue reading, you will find out what the
Forum does. It merely discusses.</div>
</div>
</div>
</blockquote>
<br>
Well, these discussions result in ballot motions, ballot motions are
voted and Guidelines are created or updated ("maintained"). And from
there, we know how these Guidelines are used.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>I'm afraid this cannot be achieved if Certificate
Consumer Members continuously bring their "guns" (i.e.
Root Program Requirements) in CA/B Forum discussions. I
would expect these "guns" to be displayed and used in the
independent Root Program venues and not the CA/B Forum.<br>
</div>
</blockquote>
<div><br>
</div>
<div>While I can understand if you're unhappy to discuss Root
Program Requirements, I think it belies a fundamental
misunderstanding of the Forum and the Baseline Requirements.</div>
<div><br>
</div>
<div>Recall: PKI was designed to allow different communities -
i.e. different browsers - to define different policies,
profiles, and practices for the CAs that participate in
their different PKIs. The Microsoft PKI is distinct from the
Google PKI is distinct from the Mozilla PKI, each of which
has those vendors as the Root of Trust, signing a Trust List
for use within their products, based on their product
security requirements.</div>
<div><br>
</div>
<div>Conceptually, each of these PKIs define their own
profiles and practices (the Root Program Requirements) and
define their own means of assessing (e.g. Mozilla
distrusting certain auditors, Microsoft allowing certain
auditors). The Forum exists to allow for interoperability
between these distinct PKIs. The Baseline Requirements serve
as a means of expressing a common set of requirements, in
order to reduce the need of obtaining a distinct Microsoft
audit or a distinct Mozilla audit, which are entirely
plausible scenarios.</div>
<div><br>
</div>
<div>Thus, it's inherent that the /only/ value of useful
discussion to be had is with respect to Root Program
Requirements. It's also the opportunity for CAs to provide
input and insight into these requirements, to understand
what practical impact might be had, and whether that's
desirable or undesirable - by the Root Program.</div>
<div><br>
</div>
<div>Put simply, if folks don't want to discuss Root Program
Requirements, then there's no point in continuing the Forum
itself. If the Forum is not the venue to discuss that, then
we can simply use the existing methods that Root Programs
use to gather feedback and input from their participants -
CA communications directly to program participants, and
collaborative discussion within SDOs relevant to browser
activities (e.g. WHATWG/W3C). There's no need to the Forum
to continue to exist, because it would literally not be
solving any problem or providing any benefit.</div>
<div><br>
</div>
<div>That seems extreme, and certainly presents it as "us v
them", which is an unfortunate viewpoint. However, it's
inherent that the choice in administering the set of trusted
CAs is going to be a product security decision, defined by
product-specific capabilities and product-specific
priorities, and that's not something that can or should
generalize. PKI was precisely designed not to have this "one
size fits all" mentality, but to support the notion of many
small islands, sometimes with overlap and interoperability.
We do not chuff at the fact that the Nuclear Power Grid uses
a different PKI than, say, a departmental e-mail server, nor
should we - it's simply a tool and technology to solve a
problem. To the extent browsers care about interoperability,
it's useful to have a place to discuss different,
potentially conflicting, requirements. To the extent CAs can
provide useful and valuable feedback about the implications
of potential changes, it's useful to discuss. But that's it.</div>
</div>
</div>
</blockquote>
<br>
I will let others state their opinion and comment about this. I, for
one, disagree. <br>
<br>
Although the CA/B Forum takes input from its Members (Issuers and
Consumers), it has a consensus-driven process. This means that if a
CA or a Browser proposes an unreasonable or insecure change to the
Forum's Guidelines, it will need 2/3 of CAs and majority of Browsers
to enter the Guidelines.<br>
<br>
If a new Certificate Consumer with completely ridiculous "My Program
Requirements" joins the Forum, the Forum is not forced by anyone to
adopt changes that would jeopardize the quality of the Guidelines.<br>
<br>
I understand where you're coming from and respect the fact that you
are trying to make Root Programs align, but the way you frame it,
doesn't align with the Forum's purpose nor its processes. For better
or worse, each recommendation will have to go through the ballot
process and get consensus to be voted. No Certificate Consumer can
enforce changes to the Guidelines, at least with the current Bylaws.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> I would personally feel very disappointed (as the CA/B
Forum Chair) if we were to re-purpose of the Forum to
match the statement at the beginning of this email.</div>
</blockquote>
<div><br>
</div>
<div>It's stated in the Bylaws, and precisely why the Forum
has voluntary participation. It's useful to have a central,
public mailing list to discuss this and get useful,
actionable, data-driven feedback to inform Root Programs.</div>
</div>
</div>
</blockquote>
<br>
I can't see the relevance of the Forum's voluntary participation
with the feedback towards Root Programs. The Forum is open to
Interested Parties that can join and Contribute with ideas and
improvements that the Root Programs or CAs didn't even consider. Of
course it is voluntary just like most standards organizations.<br>
<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZ8iWsUHTjgtjUwedfaALDy-CSPTwSbrgRqEaaB5dVsEA@mail.gmail.com"><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>