[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

Sigbjørn Vik sigbjorn at opera.com
Fri Aug 2 10:55:58 UTC 2013

I think the BRs are clear on what they require, and the EV definitions
clearly spell out that renewals and reissuances create newly issued
certificates. All new certificates require valid validity periods. While
I can understand that people may want to discuss if the rules are
optimal, I dislike CAs claiming ignorance of the rules, or exception to
the rules since they have done things differently in the past. If
someone wants to claim the rules are unclear, do so before assuming a
particular interpretation, not afterwards.

Opera is happy to work with the group to define optimal rules, but we
dislike CAs engaging in creative reinterpretation of the rules. If we
can't trust that CAs follow the rules decided upon, then the rules are
close to worthless.

In addition to reasons mentioned previously about why constrained
validity periods is a good idea, there is also the point about the web
moving forwards. For us to be able to upgrade requirements, ditch
insecure practices, and promise a secure experience in the future, we
need to limit the time limit of certificates today. This is basic
insurance for the web in the future. Any exceptions we carve out today,
take away from this insurance, and might end up costing us a lot. This
is not a zero-sum game, and decisions we make today might have serious
consequences some years down the road.

This discussion has also highlighted some other issues:
* It seems some CAs are happy to issue backdated certificates. We should
probably spell out that signing, issuance and first validity dates
should all be as close as possible, with a maximum discrepancy allowance.
* To be able to verify this, we should also require that any CT
registrations happen within that time limit. I will contact the CT team
and ask them to consider this.
* It seems audits don't catch CAs issuing certificates contrary to the
BR. What can we do to ensure that audits catch such issues?
* Does the CABForum need an explicit objective?

On 01-Aug-13 15:08, Rich Smith wrote:
> Taking Ryan's definition and subsequent logic would effectively nullify all
> pre-BR agreements made with thousands of CA customers who bought
> certificates for terms greater than the now allowed 60 months max (and soon
> to be 39 month max).  My lay opinion is that such action would open the CAs
> to lawsuits for breach of those agreements.

For CAs not to follow the BRs would presumably open them to lawsuits
from those who rely on the CAs for trust. For browsers not to follow due
diligence and best practices would presumably open them to lawsuits from
their customers. So if you care about potential lawsuits, the score is
2-1 for not issuing such certificates. However, I think potential
lawsuits are irrelevant. The goal of this group should be to secure the
web, not to ensure the short-term profits for individual members. (See
the last point above, about an objective.)

On 01-Aug-13 17:00, Steve Roylance wrote:
> [...] in 2015 when the
> industry flips to a 39 month max I believe from my engineering team we
> would have had a similar issue to others, again due to the existing
> contract precedence understanding that others have mentioned.

That would be strange. Since the BRs were adopted in November 2011, all
CAs have known (and been audited on) the fact that after 1 April 2015
the maximum validity period is 39 months. For CAs today to sell
certificates valid more than 39 months past that date, and promise to
reissue them at any point would be shooting themselves in the foot.

Sigbjørn Vik
Opera Software

More information about the Public mailing list