[cabfpub] Ballot 161 - Notification of incorrect issuance

Rick Andrews Rick_Andrews at symantec.com
Thu Feb 4 01:07:42 UTC 2016


Symantec strongly supports the objective of driving enhanced transparency and creating a model that can be rolled out across all CAs. However, we cannot support this ballot for a couple of reasons – as we and other CAs have brought up through the comment period, the proposal is not the most effective way to achieve the transparency objective, and it introduces real privacy and security risks. 

The most effective way to achieve transparency in certificate issuance would be to have all CAs fully implement support for Certificate Transparency logging. Requiring all certificates to be posted in CT logs will allow customers, auditors, browsers, and any other interested parties to search for, evaluate, and determine whether any certificates were not authorized or are otherwise problematic. We recommend that the Baseline Requirements be amended to require full CT adoption by all CAs, and that all TLS certificates be posted in CT logs.

Full CT implementation achieves the goal of transparency without creating the issues that this ballot does. As we have previously commented, the ballot does not appropriately take into account privacy issues related to names in certificates. Today, it is common practice for customers to use certificates from roots trusted by browsers for private and/or non-browser use cases. Some customers do not want information related to these private certificates to be publicly disclosed and they may not be aware that this ballot could lead to such disclosure. Further, the ballot does not include a process or timeframe to allow these customers to replace their existing private certificates where needed. Adoption of CT can address these concerns. In particular, the revised CT spec (6962-bis), when finalized, would allow for name redaction capability to directly address this privacy concern. Symantec does not believe the ballot adequately accounts for these privacy considerations.

We think the ballot also fails to consider important security concerns related to rapid publication of the underlying causes of mis-issued certificates. The ballot could be interpreted to require a CA to publicize a mis-issued certificate and its root cause potentially before it has time to remediate a technical issue that led to the mis-issuance, perhaps allowing others to exploit a technical flaw. To draw a comparison to browsers, security researchers are able to disclose browser-related flaws privately to browsers so that the affected browser can have adequate time to remedy the issue before it is made public. That “responsible disclosure” process protects all involved. This ballot fails to address such fundamental practices, and could introduce harm where its intention is the exact opposite. 

In summary, Symantec can’t support this ballot. Symantec instead recommends adoption of a new ballot that would require all publicly trusted CAs to log all their issued certificates in accordance with the Google EV/CT Plan. This requirement should provide CAs a reasonable amount of time to complete implementation, and to address privacy concerns, Symantec further recommends that all certificates be logged in 6962-bis-compliant CT log servers.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Monday, February 01, 2016 10:46 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; Doug Beattie <doug.beattie at globalsign.com>; Sigbjørn Vik <sigbjorn at opera.com>; public at cabforum.org
Subject: Re: [cabfpub] Ballot 161 - Notification of incorrect issuance

Entrust also has reservations with this ballot. We are in agreement with the position put forth from Doug and Jeremy. We would prefer that monitoring of compliance be performed by the annual compliance audit and by third-party monitoring of CT.

Bruce.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Saturday, January 30, 2016 4:41 PM
To: Doug Beattie <doug.beattie at globalsign.com>; Sigbjørn Vik <sigbjorn at opera.com>; public at cabforum.org
Subject: Re: [cabfpub] Ballot 161 - Notification of incorrect issuance

We have some reservations about this ballot, although they are not identical to Doug's. Instead, we see this ballot as fairly duplicative of the efforts already invested in Certificate Transparency.  Creating another reporting mechanism, when we've just recently had everyone implement CT, seems like a waste of resources that would be better spent on moving towards mandatory logging of all certificates. We'd much rather see a ballot that accelerates CT adoption over these more ambiguous reporting requirements.  If every cert is logged, the monitors can easily parse the information for relevant BR/EV compliance.  

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Friday, January 29, 2016 11:54 AM
To: Sigbjørn Vik; public at cabforum.org
Subject: Re: [cabfpub] Ballot 161 - Notification of incorrect issuance

GlobalSign has some serious reservations about this ballot.  I've sent this comment previously, but I'll send it again now that we are in the formal comment period.  

I feel strongly that the CABF, as a standards forum, should be focused on improving security and defining strong standards, but that compliance is a completely different responsibility.  We have WebTrust for CA auditors and root programs which do this today. We don’t want the BRs to encompass the WT for CAs audit requirements.   If the Root store operators and/or WT want to define compliance monitoring standards/initiatives that's fine, but I'm against CABF levying compliance reporting requirements.

Doug Beattie

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
Sent: Friday, January 29, 2016 3:32 AM
To: public at cabforum.org
Subject: [cabfpub] Ballot 161 - Notification of incorrect issuance

Ballot 161 - Notification of incorrect issuance

Based on extensive discussions in the forum, Sigbjørn Vik from Opera proposes the following ballot, endorsed by Ryan Sleevi from Google and Gervase Markham from Mozilla.

-- MOTION BEGINS --

The following text is added as a sub-section to section 2.2 of the Baseline Requirements:

2.2.1 Notification of incorrect issuance

In the event that a CA issues a certificate in violation of these requirements, the CA SHALL publicly disclose a report within one week of becoming aware of the violation. A link to the report SHALL simultaneously be sent to incidents at cabforum.org.

Effective 01-Jul-16, the CA SHALL in its Certificate Policy and/or Certification Practice Statement announce where such reports will be found. The location SHALL be as accessible as the CP/CPS.

The report SHALL publicize details about what the error was, what caused the error, time of issuance and discovery, and public certificates for all issuer certificates in the trust chain.

The report SHALL publicize the full public certificate, with the following exception: For certificates issued prior to 01-Mar-16 the report MAY truncate Subject Distinguished Name fields and subjectAltName extension values to the registerable domain name.

The report SHALL be made available to the CAs Qualified Auditor for the next Audit Report.

-- MOTION ENDS --

The review period for this ballot shall commence at 2300 UTC on 29 January 2016, and will close at 2300 UTC on 5 February 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2300 UTC on 12 February 2016. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here:
https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.

--
Sigbjørn Vik
Opera Software
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5749 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160203/0e403e5c/attachment-0001.p7s>


More information about the Public mailing list