[cabfpub] eIDAS meeting presentations

Ryan Sleevi sleevi at google.com
Fri Apr 1 21:28:32 UTC 2016

On Fri, Apr 1, 2016 at 2:17 PM, Gervase Markham <gerv at mozilla.org> wrote:

> On 30/03/16 01:03, Adriano Santoni wrote:
> > Especially, I would like to understand whether browsers are
> > willing/planning to integrate the EU trust lists....
> We remain to be convinced of the value of doing so. We see direct
> control of our own trust list as an important factor in our ability to
> drive positive change in the CA industry and the security of the web.

And how do you feel about exposing programattic access to modify or affect
certificate validation, certificate UI, or certificate trust lists, as
proposed during the meeting (and as captured in the Summary and in the
slides by Reinhard Posch)

I will echo on list what I had previously stated during the meeting, as it
was not captured in the summary, which is on the balance, we see a far
greater incidence of malware abusing such APIs compared to legitimate uses,
and have no intent or desire to support such programatic access. We've seen
malware campaigns extensively abuse command-line flags intended for
debugging and diagnostics, and we've seen malware and malvertising
campaigns significantly abuse both sanctioned and unsanctioned APIs, such
that the use of such APIs is a strong indicator of Potentially Unwanted
Software, and will be blocked through means such as Google SafeBrowsing and
the Chrome Cleanup Tool. We believe other vendors have seen similar results.

Further, we remain deeply concerned about proposals that it would be
beneficial to have other countries and legal entities provide or require
similar Trust Lists, as also captured on Dr. Posch's slides, for many of
the same reasons that Gerv spoke of.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160401/f22e4e3c/attachment-0003.html>

More information about the Public mailing list