[cabfpub] Creating an open CA regime for telephone number "possession"

[Ryan Sleevi]

On Fri, Dec 8, 2017 at 1:58 PM, Tony Rutkowski via Public <
public at cabforum.org> wrote:

> This is a stark contrast to the CA/B Forum
> and its members - who arguably should
> constitute this Governing Authority.  Indeed,
> from a policy perspective, one might ask why
> there is only one Governing Authority being
> created as a monopoly, and why they are not
> using evCERTs and supporting specifications.
>

A very important correction to make here: the CA/Browser Forum is not and
has never been a Governing Authority. In fact, in the SSL/TLS space, there
intentionally and fundamentally is not such a single organization, because
no single organization can reflect the varied security and certificate
needs of individual products. The rejection by industry and government of
the X.500 global directory is itself a reflection of this.

Instead, each Browser members stores as the Governing Authority for their
own products, which manifests as their own trust stores. The CA/Browser
Forum serves to facilitate easy communication between these distinct
providers, and, where possible, align on common requirements of the set of
participants, in order to ease compliance for CAs that wish to be trusted
among all such members products. The CA/Browser Forum does not take any
action, nor does it define any policy in and of itself - it is merely the
reflection of aligned product requirements from various browser members.

The Forum as well as its individual members
> might wish to intervene here.  At issue are not
> only an available potentially global marketplace
> for telephone number related CAs, but also the
> performance and resilience of anti-spoofing
> capabilities, and the ability for IP telephone
> service vendors to effectively exchange their
> customer telephone and messaging traffic.
>

While it is certainly valueable to raise this, it's worth noting that the
existence of a PKI and CA are not in and of itself the remit of the
CA/Browser Forum. Various PKIs exist, both within private industry and the
public space, and which have no relation to the set of certificates issued
by members of the Forum, the set of certificates trusted by members of the
Forum, or the needs of the industries in which the CA/Browser Forum
presently focuses (namely, SSL/TLS within common Web browser products). The
needs of other products and services should be best evaluated by those
participants.

For example, it should be noted that the Industry has largely moved to
reject third-party CA mediated code-signing solutions due to the inherent
risk and complexity afforded relative to the benefit. Vendors such as
Google, Apple, and Blackberry - to name just a few - have all utilized PKIs
other than 'commercial CA' solutions, recognizing that outsourcing their
product security is not aligned with user interests or infrastructure
security. In this regard, whether or not STIR opts for a centralized PKI or
a distributed PKI is a situation best evaluated by the STIR participants in
accordance with their needs, which, despite both utilizing certificates,
does not inherently mean there is overlap with the set of the CA/Browser
forum needs. Indeed, a choice such as a Governing Authority provides much
greater resilience for and mitigation against the set of concerns you
raised, at least as applied within that particular place.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20171208/64f4c82d/attachment.html>