[cabfpub] eIDAS meeting presentations

Dean Coclin Dean_Coclin at symantec.com
Fri Apr 1 22:19:26 UTC 2016

I think what the presenter had in mind were “hooks” into the trust store such that an alternate trust source (i.e. eIDAS Trust List) could be selected by a user. I believe Ryan said this type of “hook” exposes the browser to potential malicious intent.  One question I had (and I really don’t know how this works) is that I know Microsoft provides the capabilities for Enterprises to add or push roots out to users in their groups. Perhaps Dr. Poesch had that in mind when he was brainstorming his hook idea.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Friday, April 01, 2016 2:29 PM
To: Gervase Markham <gerv at mozilla.org>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] eIDAS meeting presentations




On Fri, Apr 1, 2016 at 2:17 PM, Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> > wrote:

On 30/03/16 01:03, Adriano Santoni wrote:
> Especially, I would like to understand whether browsers are
> willing/planning to integrate the EU trust lists....

We remain to be convinced of the value of doing so. We see direct
control of our own trust list as an important factor in our ability to
drive positive change in the CA industry and the security of the web.


And how do you feel about exposing programattic access to modify or affect certificate validation, certificate UI, or certificate trust lists, as proposed during the meeting (and as captured in the Summary and in the slides by Reinhard Posch)


I will echo on list what I had previously stated during the meeting, as it was not captured in the summary, which is on the balance, we see a far greater incidence of malware abusing such APIs compared to legitimate uses, and have no intent or desire to support such programatic access. We've seen malware campaigns extensively abuse command-line flags intended for debugging and diagnostics, and we've seen malware and malvertising campaigns significantly abuse both sanctioned and unsanctioned APIs, such that the use of such APIs is a strong indicator of Potentially Unwanted Software, and will be blocked through means such as Google SafeBrowsing and the Chrome Cleanup Tool. We believe other vendors have seen similar results.


Further, we remain deeply concerned about proposals that it would be beneficial to have other countries and legal entities provide or require similar Trust Lists, as also captured on Dr. Posch's slides, for many of the same reasons that Gerv spoke of.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160401/2f963158/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160401/2f963158/attachment-0001.p7s>

More information about the Public mailing list