[cabfpub] Issuers in BR/EV/EVCS Guideline Scope

Ryan Sleevi sleevi at google.com
Mon Apr 18 18:29:51 UTC 2016

On Mon, Apr 18, 2016 at 11:23 AM, Peter Bowen <pzb at amzn.com> wrote:

> > On Apr 18, 2016, at 11:16 AM, kirk_hall at trendmicro.com wrote:
> > I don’t understand your comment about stalling – in fact, I don’t even
> > understand why we need this ballot now.
> >
> > Peter, is there some pressing need for us to consider your ballot at
> > this time?  To be blunt, it’s pretty abstract, and I’m not sure I
> > understand it all (or where it came from).  Why do we need this general
> > statement?
>
> I was not proposing any ballot at this time.  I’m trying to get a sense
> whether there is any general agreement of scope rather than negotiate with
> each trust store.  We know that Mozilla is working to update their
> policies, Microsoft is continually refining theirs, and I suspect several
> other major trust stores are also working on new/revised policies, so it is
> my preference to get alignment from all ahead of those changes.
>
> The alternative is to have each trust store maintainer define their own
> independent policy then attempt to comply with the disparate policies and
> cajole the maintainers to modify their policies to make concurrent
> compliance practical.
>
> Thanks,
> Peter


To add to this: There is an immediate and real security risk from CAs that,
for example, are signing alternative types of certificates from
intermediates capable of TLS issuance. That is, for example, issuing S/MIME
and TLS certificates from the same intermediate.

Microsoft's newly released program requirements expressly forbid this for
existing CAs, beginning Jan 1, 2017. Mozilla's requirements, as Peter
mentioned, are similarly in process of being updated. This is a real
security risk that puts users at risk, Kirk - thus it is extremely
important for the Forum to set appropriate guidance and clarity regarding
the intended scope of the document.

Explicitly, this is not related to the Forum scope, and I remain surprised
to hear you suggest it is. It is about the scope of the document, and the
audits, and the security requirements. We've already seen one security
incident where a major CA was issuing "test certificates," which they
believed were outside the scope of the Baseline Requirements, and in doing
so, led to misissued certificates for critical websites.

I should hope this need is recognized by all members interested in ensuring
that the CA ecosystem does not suffer yet another substantial setback due
to an entirely avoidable, entirely predictable security problem.