[cabfpub] C=GR, C=UK exceptions in BRs

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Mar 21 00:04:46 MST 2017



On 21/3/2017 5:44 AM, Ryan Sleevi wrote:
> Dimitris,
>
> Thanks for providing concrete reasons to support such a change. 
> Replies inline.
>
> On Mon, Mar 20, 2017 at 4:03 AM, Dimitris Zacharopoulos 
> <jimmy at it.auth.gr> wrote:
>
>     Let me try to provide some reasons in favor of allowing these two
>     exceptions.
>
>      1. For reasons unrelated to the CA/B Forum (political or whatever
>         non-technical reasons), two EU Countries have been using
>         different two-letter Country Identifiers in addition to the
>         ones listed in ISO3166-1. These exceptions have been
>         well-defined in legal EU documents, like the 1505/2015
>         <http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505>
>         implementing decision. Since these exceptions are used
>         Internationally, are well-defined and globally recognized, it
>         makes sense to allow them to be used in the webPKI as well.
>
> So I object to this reasoning because it's unclear what the 
> justification is for this change. As mentioned, there are clearly 
> international political issues at play here, and while I think 
> Phillip's examples are actively unhelpful to making productive 
> discussion, the fact that he feels they're relevant and on-topic to 
> this discussion - or the remarks Geoff has made - actively highlight 
> this.

I guess we disagree on the fact that you need justification for a 
political decision made by the European Union, while I take it for 
granted. The fact that "off-topic" (at least some people would 
characterize them as such) comments were made, with political tone, 
isn't something that should be used to dismiss the rest of the 
"on-topic" and valuable feedback and shouldn't be a reason, alone, to 
dismiss a subject being discussed (or any issue for that matter). 
Off-topic comments have been posted in the past and will certainly be 
posted in the future :)

>
> As mentioned elsewhere, these documents don't apply from a 9.16.3 or 
> from a perspective of law. Further, I think you can agree that even if 
> we accept such documents, their scope is to apply to a jurisdictional 
> boundary, except you're proposing that these be adopted at an 
> international level (as all certificates are inherently worldwide). 
> So, in effect, you're proposing that the first country to pass a law 
> gets to bypass any form of international agreement or consensus, and 
> instead declare 'squatters' rights.
>
> I don't believe you intended to put it like that, but I want to 
> highlight that is effectively what this justification is, so that you 
> can understand why it's undesirable.

Indeed I never intended to put it like that but I think 9.16.3 allows 
for exactly what you just described as undesirable (for better or 
worse). To the minimum, it is unclear what the boundaries are. That is, 
if a country passes a law that conflicts with the BRs and the CA has to 
abide with it, it must abide with it. To better understand this and 
possibly make it clear for others let me give a theoretical example. If 
there was a Greek law that said "you need to be able to issue publicly 
trusted SSL Certificates with C=EL for such and such cases", 9.16.3 
would allow a CA (not necessarily a CA operated in Greece) to issue and 
inform the CA/B Forum's public list about this conflict.

Do you agree with this interpretation? I think this is a key issue that 
the forum should try to explain and clarify as soon as possible. I also 
welcome other members that wish to offer their perspective on this.


>      2. Introducing these well-defined exceptions poses no security
>         threat because these identifiers are already known for so
>         long. AFAIU, by adding these two exceptions, no significant
>         problems have been identified so far in the discussion. Please
>         note that I am not suggesting "replacing C=GR with C=EL and
>         C=GB with C=UK" but allowing all of them to be acceptable.
>
> But now you've introduced an ambiguity and overload whose "source of 
> truth" can no longer be discerned.

I am not sure I understand this comment or where you see ambiguity. 
There would be a well-defined exception for two countries to be 
represented with two different identifiers each. This makes it clear, at 
least to me, that when I see a certificate with either C=GR or C=EL, the 
Subject's Country is Greece :)

>
> For example, the conflicting examples Rob and Phillip have given - 
> only the former of which I'm inclined to trust in this case - do 
> create ambiguities. If the purpose of the Baseline Requirements is to 
> agree upon unambiguous representations to the extent possible, by 
> including full jurisdictional information (as the discussion with 
> Li-Chun related to the X.500 DIT has shown), then introducing this 
> change introduces unnecessary ambiguity, and through it, undermines 
> the goal of including identity information in certificates.
>
> Put differently, this poses a threat to the value and usefulness of 
> the identity information. Since a number of CAs have asserted identity 
> information is security relevant (hence why they revoke certificates 
> whose identity information is incorrect or misleading), we must 
> naturally conclude that this either _does_ represent a security 
> threat, or that identity information in certificates is not security 
> relevant, and we should update our documents accordingly.

Being unable to see an ambiguity, I fail to see a security threat here. 
The source of information is still ISO3166-1 but we are discussing the 
"UK" and "EL" extra identifiers for two specific jurisdictions. If "EL" 
was listed as exceptionally reserved just as the "UK" label is, would 
you agree with Gerv that this would make things clearer and easier to 
allow for these exceptions?

>
>      3. There may be legal reasons for some official government
>         agencies to be represented by using C=EL or C=UK in the
>         subject field. Should the Forum prevent that? Should the Forum
>         question these reasons?
>
> Yes. Because the Forum should strive to stay apolitical to the extent 
> possible, and we achieve that by standing on the shoulder of the 
> giants who have gone before us, seeking out international consensus 
> through an assemblage of experts, and when we find reason to deviate, 
> to do so in a manner that is a consistent application of principles 
> rather than of en-vogue politics.

IMHO, by questioning these reasons, you evidently become political. I 
understand the fact that it is merely impossible to avoid some political 
discussions, sooner or later, when it comes to building policy 
documents. In order to achieve the goal to "stay apolitical to the 
extent possible", IMO the forum should try to resolve policy conflicts 
with minimal or no impact to the ecosystem based on standards and 
specific processes like the one we are following now (allowed thanks to 
the last paragraph of 9.16.3). I fully understand the argument of 
building on top of International standards, agreements, treaties and 
such ("giants" as you elegantly described). My somewhat similar thought 
was that the European Union's decisions look like they are coming from a 
"giant" as well :)

>
> In this case, as has been mentioned, the appropriate discussion point 
> would minimally be within the realm of ISO, as Gerv has highlighted.

This makes perfect sense and I plan on contacting our ISO 
representatives to see if there is more than meets the eye.

Overall, I think this was (is) a useful conversation, at least to "test" 
the limits and boundaries of 9.16.3 so that members have a better 
understanding.


Dimitris.