[cabfpub] Does the CA/Browser Forum provide guidance on the Baseline Requirements?

Ryan Sleevi sleevi at google.com
Sat Mar 4 03:29:21 UTC 2017


Kirk,

Do you believe that the Forum should abide by those same policies for its
own interpretations, such as of the Bylaws? I'm still unclear whether the
issues of 180-182 will revisit us, and I'm not sure we ever reached a
common ground with that.

As to your opinion of the legal risks, I think we should be careful when
speculating on such matters, but I also want to point out the several
problems with the scenario you posed, as I'm sure Jeff, Don, Arno, Clemens,
and others can attest to:

For the sake of discussion, and the familiarity for both yourself and some
of the other CAs who I believe have expressed an opinion similar to yours,
I'll use WebTrust for the remainder of the discussion here:

An audit assessment is not assessed on the basis of the Baseline
Requirements. Instead, the auditor uses the WebTrust Principles and
Criteria for Certification Authorities - SSL Baseline with Network
Security. This is a specific term of art, and refers to a specific set of
Principles, validated using Criteria, for which the WebTrust Task Force and
CPA Canada have developed a set of illustrative controls. These Principles
and Criteria are derived from the work of the CA/Browser Forum, but it is
independent of the Forum's activities, for better or for worse.

Any opinion that the Forum offers - either as individual members or as a
Body as a whole (for which, to Gerv's point, our Bylaws specifically
provide guidance how to do, in Section 6.2 of our Bylaws) - is solely in
capacity and relationship to the Baseline Requirements. It is neither
advice to an auditor nor guidance to the auditor with respect to their
auditable criteria or to their customer relationship.

To perhaps make it easier to understand why this is both important and not,
as you pose, a risk, consider the act of an auditor who examines
Certificate Transparency logs in the process of doing what auditors do -
which is developing an opinion about the sufficiency of the controls
practiced by a given CA relative to the principles and criteria for which
the scope of the engagement is evaluating. Such an examination forms a
secondary datasource to the auditor to form their opinion. It does not
provide primary guidance, but helps highlight things for which the auditor
may wish to examine in the development of that opinion.

Similarly, any response to questions regarding the Baseline Requirements
represents guidance as to the interpretation of the Baseline Requirements -
not to the relevant audit criteria. It is acting as a secondary data source
that allows the auditor to independently assess the nature of industry best
practice in the formation of their opinion, but it does not tell them
whether what a CA is doing is "right" or "wrong".

On a recent call, it was highlighted the challenges about providing a
vision for the future while maintaining consistent with our antitrust
policy regarding "Customer, business, or marketing plans" - and it was
rightfully pointed out that the discussion is not one of future business
plans, but in the act of standards development and future directions for
said standards development.

Either the Forum is representing itself as a Standards Defining
Organization - for which, as has been pointed out, the act of providing
errata, guidance, and interpretation is a key aspect of this (whether you
look at W3C, WHATWG, IETF, OASIS, TCG, ETSI, or I'm sure countless other
organizations) - or it is positing itself as a trade group of some form.
This would be an interesting interpretation, but precisely why the nature
of this discussion is important and extremely relevant to the community,
and why I have suggested we spend time discussing this in the Face to Face.

As to your suggestion of CPA Canada sending the questions, you can ask Don
and Jeff (and members of the WebTrust TF), as this is precisely something I
have suggested in order to ensure the confidentiality of the client
relationship between the auditor during the process of an engagement, and
so I'm supportive of this as a principle, but not a rule. That is, I think
the notion that we should reject questions from auditors if NOT 'laundered'
through CPA Canada would be to be shirking our responsibilities and
undermining our goals.

I should hope it would be uncontroversial, for example, if the Forum was
approached with a question - whether an auditor, a CA, or some other
interested and curious participant - about whether the Baseline
Requirements requires CAs to encode their certificates using DER.

I pose this hypothetical because you will find no such mention of DER in
the Baseline Requirements. Instead, you will find the extent of this
requirement captured within Section 7.1.2.4 of the Baseline Requirements,
which simply incorporates RFC 5280. RFC 5280's extent of incorporating DER
simply states that "For signature calculation, the data that is to be
signed is encoded using the ASN.1 distinguished encoding rules (DER)
[X.690]."

Note, however, that it does not say the certificate itself shall be
encoded. This subtlety has actually tripped people up with RFC 5280 - as it
was the full intent and understanding of the PKIX WG that this was
sufficient to mean "Yes, you need to encode the darn certs using DER, you'd
be bonkers not to" - and you can find discussion, should you so desire,
precisely to this point within the IETF - but I do hope you can understand
at least how this question flows from it.

To suggest that the Forum does not have an active role in communicating,
both in our shared (industry) understanding and, in particular, the
expectations of the community (especially that of root stores), is to do a
disservice to the work we do here. If we truly believe that this is
something we cannot opine on, then it would be far more useful and
productive for Browsers to consider working directly with the relative
audit schemes, and to cease participating in the Forum, as the Forum no
longer provides any useful function.

On Fri, Mar 3, 2017 at 12:39 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> I agree, Gerv.
>
> One possibly more significant objection to unstructured opining on
> questions from auditors currently conducting an audit -- that puts Forum
> members right in the middle of the audit relationship between the auditor
> and his or her CA client.  A Forum member who opines on interpretation of a
> broad provision runs the risk of causing audit failure for that CA --
> something I think is not a good idea, and could arguably give rise to
> potential legal liability in extreme cases.
>
> In my view, auditors with a question of interpretation should first
> consult with other WebTrust auditors in their own company, and then should
> pose their questions to CPA Canada's WebTrust Board for formal response.
> If the CPA Canada WebTrust Board thinks it necessary, they (and only they)
> could then ask the Forum for advice -- which we should only give after a
> very formal discussion among ourselves and a formal agreed position.
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
> Markham via Public
> Sent: Friday, March 3, 2017 9:30 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Gervase Markham <gerv at mozilla.org>
> Subject: Re: [cabfpub] Does the CA/Browser Forum provide guidance on the
> Baseline Requirements?
>
> On 25/02/17 02:54, Ryan Sleevi via Public wrote:
> > I am deeply concerned and dismayed by such an answer, and expressed
> > this to these members. I believe that this is a core role of the
> > CA/Browser
> > Forum: To ensure the Requirements are clear and unambiguous whenever
> > possible, to provide guidance as to the intent and interpretation when
> > necessary, and to strive to resolve any ambiguity in the documents
> > themselves whenever possible.
>
> I think we should resolve ambiguities within the documents; whether we
> should provide guidance in the meantime is a separate question. The way the
> Forum expresses its view is via ballots which change documents; we don't
> really have a way of expressing a consensus opinion without doing that.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170303/ecb0e416/attachment-0002.html>


More information about the Public mailing list