[cabfpub] CT discussion at CABF
Rick_Andrews at symantec.com
Fri Feb 21 02:22:50 UTC 2014
Here are the suggestions I think I heard about how to reduce the uneasiness that some of us have. I hope others will chime in too:
- Don’t rush into this, because we’re likely to make mistakes if we have to rush. Not just the CAs; there are a lot of moving parts here. I heard someone say “you can’t make fundamental changes to a complex trust system very quickly”.
- Investigate the potential impact of EU privacy laws up front, because there seemed to be strong concern from the Europeans in the room that the privacy laws may be a problem.
- Reach out to third-party software vendors. Many CAs use third-party software to generate and sign certificates and OCSP responses, and there is no clear understanding of whether those vendors know about CT and can make the changes available in time for CAs to upgrade.
- Investigate the potential impact of other EU laws which may require such software to be certified before being put into operation. People seemed worried that because of this, there was no way they could comply in time.
- Improve communication. I heard that some of the CAs weren’t even aware of where to learn the details of things like precertificates. I don’t think the CT team has been withholding information, far from it, but some of the discussions have taken place on CABF lists, some on “therightkey” and now some will be on the trans list. And some information is at certificatetransparency.org. Perhaps it’s too scattered.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Thursday, February 20, 2014 11:34 AM
To: Rick Andrews
Cc: Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] CT discussion at CABF
On Thu, Feb 20, 2014 at 10:53 AM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
Ryan wrapped up by saying that until now, you’ve heard only vague uneasiness from some CAs (my interpretation of what Ryan said; I can’t remember his exact words). Did you hear more specifics during this meeting, or would you like us to gather comments and present them to you?
I think CAs have been quite clear they're uneasy, but have been vague in what can be done to reduce that unease. That is, there are both technical issues and timing issues. We'd certainly like to address any technical issues we can, and we'd like to understand the timing issues to see what can or should be done. This was certainly why we actively solicited feedback several months ago by contacting every CA in their program to gather such information.
We welcome all constructive feedback. Unquestionably, the canonically best way to ensure that feedback is recognized and considered is by ensuring to send it to us (where "us" is myself and Ben Laurie, as you have with this email). That said, we're also happy to discuss and better understand the concerns within public forums such as the IETF - http://tools.ietf.org/wg/trans/ - or in visible forums such as the CA/B Forum.
I have no doubt that the most spirited, robust, and meaningful discussions of the technical problems can be dealt with within the IETF Working Group. For the timing problems, that's ultimately something based on the Google Chrome policy, so we're happy to discuss those directly or publicly, at your discretion - since ultimately, no one can help you with your timing issues.