[cabfpub] Ballot 161 - Notification of incorrect issuance

Wayne Thayer wthayer at godaddy.com
Mon Feb 1 17:25:24 UTC 2016


> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
> Sent: Sunday, January 31, 2016 7:41 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 161 - Notification of incorrect issuance
> 
> Hi Jeremy,
> 
> I might agree that the state of reporting will not be perfect, even after this
> ballot. However, I believe it will improve things significantly, and it will do so
> right away. I think a small improvement today is still good, even though a
> larger one might appear some time in the future.

The ambiguity introduced by adding this reporting requirement to the BRs is a major problem for CAs because anything less than perfection in the eyes of our auditors becomes a qualification on the audit.

> 
> A CA should have at most a few cases of misissuance. There is then no need
> to create a formal reporting mechanism. If it happens, write it up (which
> should be done internally already), and put it out there. Whether as a blog
> post, a .pdf or an Excel sheet doesn't matter. There is very little extra work
> going into this from a CA.
> 
> If a CA does have a lot of misissuances, this will be significant work.
> But the CA should then work on their procedures instead, to get down to at
> most a few cases. This is work that ought to happen in any case.
> 
> Thus in neither case do I see this ballot as introducing any significant
> additional work on a CA.
> 
> As for CT, Opera is also in favour of this. But currently CT is only supported by
> one browser, and only for EV certificates. It will likely take years at best
> before everybody can agree on a single policy for all certificates, and this
> policy then needs to be implemented into all new browsers. Until all
> browsers in use have the new implementation, CT reporting does not
> protect all users - misissued certificates without CT will still be considered
> valid by older browsers. Considering that Windows XP was launched in 2001
> and is still in significant use, you may add another 15 years before CT
> reporting can be relied on by itself.
> This ballot would thus serve a significant purpose in the next 20 years.

No, all browsers don't need CT support for it to be a comprehensive reporting mechanism. Detecting unlogged certificates is effective when just one major browser requires CT. And I don't think it needs to take 'years' to agree on a policy for logging all certificates. We'd also support a ballot that accelerates the adoption of CT for all certificates.

> 
> We do not see this ballot and CT as mutually exclusive, we see both as
> independently advantageous for securing end users.
> 
> 
> On 30.01.2016 22:41, Jeremy Rowley wrote:
> > We have some reservations about this ballot, although they are not
> > identical to Doug's. Instead, we see this ballot as fairly duplicative of the
> > efforts already invested in Certificate Transparency. Creating another
> > reporting mechanism, when we've just recently had everyone implement
> > CT, seems like a waste of resources that would be better spent on moving
> > towards mandatory logging of all certificates. We'd much rather see a ballot
> > that accelerates CT adoption over these more ambiguous reporting
> > requirements. If every cert is logged, the monitors can easily parse the
> > information for relevant BR/EV compliance.
