[cabfpub] Proposal of a SHA-1 exception procedure

Ryan Sleevi sleevi at google.com
Mon Jun 13 12:54:24 UTC 2016

On Sun, Jun 12, 2016 at 3:20 PM, Dean Coclin <Dean_Coclin at symantec.com>

> Andrew,
> Thank you for taking the time to formalize what was discussed in Bilbao.
> Regrettably, I was unable to attend the call last Thursday where I
> understand this was discussed in more depth. However, I believe the
> following are the action items:
> 1. Andrew to re-look at the questions to see if (a) are they all
> necessary, (b) can some be phrased differently and (c) would any additional
> questions be helpful?

Hi Dean, as discussed on the call, I think this is simply some fundamental
disagreement with Microsoft about what represents the minimum steps
necessary for the public interest. We (Google) feel there is necessary
information that should inform this discussion in order to help mitigate
current risks and prevent future changes to the BRs from running into this
same situation. Microsoft is OK allowing either CAs to provide this
information or for it to be omitted.

This is no different than how various root stores diverge on policy, even
though they agree to a common baseline.

Notably, as this is not being proposed as a CA/B Forum Ballot to adopt - as
made abundantly clear in Bilbao and restated on our call - the goal is not
to whittle it down to the bare minimum that everyone can agree on, but
rather, to hopefully ensure there is minimal disagreement on the basics.

As at least one member made it clear they won't be able to participate in
discussions on this topic if those discussions happen in the public
(refraining from naming who until the minutes are published), it does not
appear that the action item you propose is a useful or valuable task. As
such, this represents at least what Google/Chrome feels is relevant to
consider SHA-1 exceptions.

> 2. There was extensive discussion about the necessity of all the
> questions. Rather than rehash that here (I guess we’ll see that in the
> minutes), I assume Andrew will address that in 1a above.

As above, I do not believe this is necessary.

> 3. There was an unanswered question from Peter regarding audit findings
> which needs clarification from the browsers. Basically, the issuance of a
> SHA-1 certificate that went through this procedure would result in a
> qualified audit but it was my understanding from Bilbao that the CA should
> record the answers to the questions and cryptanalysis for review by their
> auditor. Browsers would then not consider any punitive action if the record
> was complete (as shown in the audit report). However, this is not
> documented in the procedure and I believe Peter (correctly) pointed out
> that CAs should expect something in writing here, otherwise there is no
> distinction between following and not following the procedure.

I'm concerned there may be have some misunderstanding about the process;
the suggestion was that this information would be public, but the auditor
would review evidence that the proposed procedure was followed. Perhaps
more importantly, it's unclear what you expect to see 'in writing' here. It
sounds like you're asking for something from the specific root programs you
care about, but perhaps you can elaborate on what you want to see, or how
that meaningfully differs from when CAs have, in the past, approached root
programs about exceptions to the BRs. For example, I know Google did not
provide anything in writing for WorldPay as an exception before Symantec
went and issued those certificates, so I'm not sure what you'd like to see
provided from us this time around.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160613/d8662398/attachment-0003.html>

More information about the Public mailing list