[cabfpub] Ballot 194 – Effective Date of Ballot 193 Provisions

Ryan Sleevi sleevi at google.com
Mon Apr 10 14:59:46 UTC 2017

Prior to finalizing our vote, which is strongly inclined to vote against
this as actively harmful to security, I want to make sure there's no other
additional data that CAs wish to share.

To date, the only information that's been shared is that it makes renewing
a certificate - or changing its default values - "as burdensome" as getting
a new certificate. It's been suggested that CAs need time to tell their
customers about this, but no information has been given about what the
customer could or would do differently with that information. It's unclear
if CAs are suggesting they can verify information absent a certificate
request (which I would argue is not consistent with the Baseline
Requirements), but otherwise, it would mean customers would use this
'advance notice' to make an application. Since this only provides value if
the 'fake' application (nor production blocking) happens before the 'real'
application, delaying the date would provide no benefit to those users if
the 'real' application happens first, which is the shared case so far.

This is a unique opportunity for CAs to actually clarify the business
operations and expectations to browsers, so that we can be appropriately
sensitive to the impact of changing requirements. However, no such details
have actually been shared yet, and so that makes it difficult to understand
the value here.

Privately, I've heard that some CAs have customers who 'expect' to be able
to issue certificates for the lifetime of a single validation (3 years).
That's an unreasonable expectation, not guaranteed by the Baseline
Requirements, and more importantly, still impacted by this Ballot, so an
unreasonable objection on CAs parts.

As this most definitely weakens security - by allowing parties to obtain
certificates well beyond the domain registration or beyond the reasonable
time of care a CA must take to ensure information is correct, and because
the current "solution" to that problem is contractually require the
subscribers (who may be malicious) to notify the CA if things change or
they lose the right to the domain name, this seems actively harmful to
support. Again, if there are perspectives that can explain why this is good
or necessary, they would be most welcome, as the goal is to find a balance
between improving security and avoiding unrealistic expectations (on
browsers part) about CAs' abilities.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170410/ed85d76d/attachment-0003.html>

More information about the Public mailing list